Understanding the FTC Safeguards Rule and How to Comply With the New Amendment

June 07, 2023

As cybercrime continues to propagate across every industry in today’s business landscape, several measures are being taken to stop cybercriminals in their tracks. One of the most effective ways to mitigate the severity of IT risks involves establishing specific security controls for companies to follow. There are many regulatory bodies that draft such standards to help improve cybersecurity hygiene for businesses everywhere, and the Federal Trade Commission (FTC) is one among them that strongly advocates for consumer protection.

The FTC has established numerous regulations and the Standards for Safeguarding Customer Information, popularly known as the Safeguards Rule, is a critical mandate to curb cybercrime in this digital era.

Today, the very same standard is stirring up a lot of conversation among companies everywhere, and with good reason. Read more to learn what the Safeguards Rule means to a business and why it’s the talk of the town in 2023.

What is the FTC Safeguards Rule?

The FTC Safeguards Rule first came into effect in 2003 to eliminate fraudulent, deceptive and unfair business practices. It applies to all businesses deemed financial institutions according to Section 314.1(b) and stipulates that they must:

  • Enforce a set of policies that always ensure the security of their customer information.
  • Develop and implement their own safeguards to maximize cybersecurity and compliance.
  • Take precautions that ensure their service providers and partners also protect customer information.

The third point mentioned above implies that even companies that aren’t financial institutions but affiliated with one, too, must be conscious and cautious about protecting customer information.

What is the goal of the Safeguards Rule?

The goal of the Safeguards Rule is reasonably simple yet imperative. Through this standard, the FTC expresses that financial institutions under its jurisdiction are required to create and follow stringent information security programs detailing what practices and initiatives their employees, partners and collaborators should follow. The information security programs should include administrative, technical and physical safeguards to protect customer information.

The Safeguards Rule aims to strengthen the security and confidentiality of a consumer’s personal data and prevent any unauthorized access to said information.

It’s important to note that the Rule applies to financial institutions not subject to another regulatory authority’s bylaws under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C section 6805.

What is the new FTC Safeguards Rule amendment?

Concerning the growth of technology, it would be an extreme understatement to say that much has changed since the Safeguards Rule was first established in 2003. Technology has evolved beyond expectations, allowing businesses to function better, reach broader audiences and connect with customers worldwide using multiple communication channels.

However, cybercriminals have also managed to adapt and disrupt the many security practices organizations employ, going so far as to target consumer information.

That’s why the FTC has updated the Safeguards Rule to address modern cyberthreats, extending its application to non-banking financial institutions. They are now expected to implement robust information security programs and provide customers with a whole new level of assurance concerning privacy.

Any form of non-public personal information — recorded in writing, digital or by other means — about a customer of a financial institution that an organization manages is required to adhere to the Safeguards Rule. In an attempt to avoid risks from any angle, the Rule goes so far as to include any affiliates of businesses that fall within its criteria.

To that end, Section 314.4 Elements under Title 16 of the Electronic Code of Federal Regulations (e-CFR) applies to any service provider or affiliate of organizations under the FTC’s jurisdiction. It mandates that organizations must designate qualified professionals to implement and enforce an information security program thoroughly. It also states that the information security program should be based on risk assessments that identify reasonably foreseeable internal and external risks to the security and integrity of customer information.

What is the effective date of the Safeguards Rule Amendment?

The FTC Safeguards Rule was updated on December 9, 2021, and was enacted on January 10 the following year. The original deadline for businesses to comply was December 9, 2022. However, the FTC decided to extend the deadline to June 9, 2023, for the reasons mentioned below.

The FTC pushed the deadline by another six months because it received numerous reports of how difficult and expensive companies may find implementing the rather rigorous security measures within such a tight timeframe. Mainly, a letter submitted by the Small Business Administration’s Office of Advocacy helped extend the deadline. The letter highlighted pressing issues — like the lack of qualified professionals to help design and enforce information security programs and global supply chain shortages — that created genuine pitfalls in a financial business’s ability to comply with the latest requirements.

Who does the FTC Safeguards Rule apply to?

The updated Safeguards Rule applies to organizations defined as financial institutions by Section 314.2 under Title 16. There are 13 examples; each is listed below:

  1. Retailers that extend credit using their own credit card directly to customers.
  2. Automobile dealerships that lease vehicles on a non-operational basis for over three months.
  3. Personal property or real estate appraisers.
  4. Career counselors who specialize in offering services to individuals employed by or recently displaced from a financial organization.
  5. Companies that print and sell checks.
  6. Businesses that regularly carry out wire transfers to and from customers.
  7. Businesses that cash checks.
  8. Accounting firms and other tax preparation service providers.
  9. Travel agencies that work in tandem with a financial institution.
  10. Entities that help consumers obtain real estate settlements.
  11. Investment advisory agencies and credit counseling services.
  12. Companies that act as finders, gathering one or more buyers or sellers of various products and services.
  13. Mortgage brokers.

What are the exceptions to the Safeguards Rule?

In the simplest terms, organizations that are, to some degree, involved in financial transactions but are not significantly engaged in them are exceptions to the FTC Safeguards Rule. We’ve listed a few examples of entities that are exceptions to the Rule below.

  1. A retailer that extends credit as “layaway” and deferred payment plans. They are also exempt from the Rule even if they accept payment via credit cards issued by other entities.
  2. Merchants that allow customers to “run a tab.”
  3. Grocery stores that allow customers to cash in checks for higher amounts than the sum of their purchased goods to receive cash in return.

What are the FTC Safeguards Rule requirements?

The FTC Safeguards Rule requires financial institutions to design and incorporate a strict set of cybersecurity controls into their daily IT operations so as to ensure the complete security of a client’s non-public personal information. We’ve compiled a simple yet informative breakdown of the requirements to help understand what organizations are expected to do:

  • As mentioned above, financial institutions must instate qualified professionals to implement and enforce an information security program thoroughly.
  • Design a comprehensive written risk assessment.
  • Severely scrutinize those who have access to customer information.
  • Carry out in-depth training for IT security personnel and basic best practice education for all employees in general.
  • Safeguard all customer data with high-level encryption.
  • Create effective incident response plans.
  • Assess security practices and procedures of service providers regularly.
  • Place multifactor authentication to better protect customer information.

What is the penalty for Safeguards Rule violations?

If a business fails to meet the FTC Safeguards Rule’s compliance requirements, the repercussions could spell its end. For starters, the reputational damage that follows non-compliance can lead to a loss of customers, resulting in a rapid loss of revenue. Legal ramifications are well within expectations as well. Recovery, for small businesses in particular, could be almost impossible.

Here’s the real kicker: The FTC may levy fines of up to $100,000 for every infraction. Needless to say, achieving FTC Safeguards Rule compliance ought to be the highest priority.

How do you comply with the Safeguards Rule?

There are a number of ways to ensure that a financial institution is doing all the right things to maintain compliance, but the FTC has provided a solid roadmap to follow and achieve compliance.

Following its stipulated requirements, a financial institution needs to focus on developing an effective information security program via the expertise of a qualified professional. This individual is required to ensure that the company and all its incumbents adhere to every control or policy.

The next step involves conducting thorough and regular risk assessments to understand exactly where and how customer data is stored. Gauging the organization’s cyber hygiene plays an invaluable role in addressing hidden and unknown vulnerabilities across the IT environment. Completing this step directly bleeds into the next, where security professionals design and follow controls to eliminate the chances of cyberattacks like data breaches.

Training employees, monitoring the activities of highly privileged personnel and effectuating a strong incident response plan are ideally the next stages in ensuring compliance with the FTC Safeguards Rule.

Ensure compliance with Compliance Manager GRC

Now, we understand that going over every little detail when managing FTC compliance can be an extremely daunting undertaking, especially if you’re a small and medium-size financial institution. That’s precisely why we’ve developed the complete, all-in-one compliance management platform to help you easily meet all your compliance needs.

Compliance Manager GRC empowers you to comply with the newly updated standard effortlessly owing to its built-in FTC Safeguards Rule Compliance Management Template. This feature helps you determine your level of compliance against the Rule and make enterprise-wide changes quickly.

The platform also helps track the terms of your cyber-risk insurance policy and even ensures that everyone with access to your network follows your IT policies and procedures. The platform’s automated assessments and report generation further simplify documentation and eliminate manual intervention, saving you time to focus on business-critical operations. It comes with rapid baseline assessments, a policies and procedures manual, customizable controls and even an auditor’s checklist.

Best of all, Compliance Manager GRC is affordable in every sense of the word. It’s packed with high-functioning capabilities worthy of managing compliance for the largest of organizations yet made easily accessible to even the smallest.

Request a demo of Compliance Manager GRC today and eliminate the fear of non-compliance forever.