Citing growing cybersecurity threats, the Federal Trade Commission (FTC) amended its Safeguards Rule, which sets requirements for how covered businesses protect customer information.
Most of the amended rule's new requirements must be in place by June 9, 2023. What is the FTC Safeguards Rule? Is your business affected by the amended regulation? And what are the penalties for non-compliance?
What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a United States regulation that requires financial institutions to develop and implement a comprehensive information security program to protect customer information. The Federal Trade Commission (FTC) established the rule in 2003 under the Gramm-Leach-Bliley Act (GLBA).
Over the last twenty years, technology has changed how businesses operate and has introduced new threats. As a result, the FTC amended the original rule to fit the modern threat landscape.
According to the FTC, the Safeguards Rule requires the covered entities to develop, implement, and maintain information security programs with physical, technical, and administrative safeguards designed to protect customer data.
So, What was Updated?
The original (2003) Safeguards Rule was flexible and largely left businesses to "figure out" how to protect customer data. It set out five loose requirements:
- Perform a risk assessment
- Designate a program coordinator
- Update the security program over time
- Oversee service providers
- Implement safeguards and test them
It was up to businesses to devise ways to protect customer data following the above guidelines.
In 2021, the FTC published the amended rule to better reflect the current threat landscape. The original compliance deadline for most of the new requirements, December 9, 2022, was extended to June 9, 2023 after the FTC received reports of shortages of qualified security personnel and supply-chain delays. Covered entities must assess the risks to customer information and implement measures to address those risks. Below we list some of the highlights of the amended rule.
- Designate a qualified individual to oversee the information security program and report in writing to the board of directors (or equivalent governing body) at least annually.
- Base the program on a written risk assessment and implement specific technical safeguards, including access controls, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, logging and monitoring of user activity, and secure disposal of customer information that is no longer needed.
- Train employees on the importance of information security (security awareness training) and how to identify and prevent security incidents.
- Regularly monitor and test the effectiveness of safeguards: either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months.
- Maintain a written information security program and a written incident response plan.
- Oversee service providers and third-party contractors: select providers capable of protecting customer information, require safeguards by contract, and periodically assess them.
- Note that the 2021 amendment did not add a breach-reporting duty. The FTC added one in a later amendment (October 2023, effective May 2024) that requires notifying the FTC within 30 days of discovering unauthorized acquisition of unencrypted customer information involving at least 500 consumers. Notifying affected customers is governed by state breach-notification laws, not by the Safeguards Rule.
With these changes, businesses can no longer simply "figure it out." They must implement the specific safeguards the rule names or risk enforcement action. In addition, the FTC expanded the list of entities that must comply with the Safeguards Rule.
What Businesses are Subject to the New Safeguards Rule?
The Safeguards Rule applies to "financial institutions," which the rule defines as any institution significantly engaged in financial activities.
The 2021 amendment expanded that definition to also cover entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, which brought "finders" into scope. In layman's terms, the rule covers businesses that:
- Extend lines of credit
- Handle or hold large sums of money on behalf of customers
- Connect consumers with financial institutions
- Help others access capital
So, who needs to comply?
Here’s a rundown of the types of businesses subject to the rule to help determine if your company needs to comply.
- Mortgage lenders
- Credit unions
- Community banks
- Finance companies
- Mortgage brokers
- Colleges and universities
- Real estate and property appraisers
- Investment advisors
- Tax preparers and accountants, including CPA firms
- Collection agencies
- Money transmitters and wire-transfer services (MoneyGram, Western Union, etc.)
- Automobile dealerships
- Finders: any business that charges a fee to bring together buyers and sellers for transactions the parties negotiate and complete themselves
The FTC may continue to expand this list as more companies adopt digital services and the need for data protection grows. So, even if your business doesn't fall under the FTC's current definition of a "financial institution," it could be included in the future.
Consequences of Non-Compliance
The FTC can take enforcement action against companies that don't comply. According to the Federal Trade Commission, the consequences of non-compliance with the Safeguards Rule can be "extensive and expensive."
Enforcement typically takes the form of a consent order binding the company and, in some cases, named executives. These orders commonly run for 20 years and impose ongoing obligations such as independent security assessments and reporting to the FTC. The FTC lacks authority to seek civil penalties for a first-time Safeguards Rule violation; civil penalties become available when a company violates an FTC order. Those penalties are assessed per violation per day and adjusted for inflation each year; the $11,000 figure often quoted is an outdated amount, and the current maximum exceeds $50,000 per violation per day.
The most significant damage, however, is usually reputational, along with the cost of lawsuits brought by affected customers.