FTC Safeguards Rule Basics: What Your Business Needs to Know
Written By: Kristopher Wyatt
1. Introduction
The Federal Trade Commission's Standards for Safeguarding Customer Information, commonly known as the FTC Safeguards Rule, is designed to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. This rule, which took effect in 2003, was amended in 2021 to keep pace with current technology. The revised rule provides more concrete guidance for businesses, reflecting core data security principles that all covered companies need to implement.
2. Who's Covered by the Safeguards Rule?
The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction. This includes entities engaged in activities that are financial in nature or incidental to such financial activities. The rule covers a broad range of entities, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors, and other financial advisors. The 2021 amendments to the Safeguards Rule added a new category of financial institutions – finders, companies that bring together buyers and sellers for transactions.
The Rule also applies to financial institutions that maintain customer information about fewer than five thousand consumers. As your business evolves, periodically check the definition of a financial institution to see whether your business is now covered.
3. What Does the Safeguards Rule Require?
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are to ensure the security and confidentiality of customer information, protect against anticipated threats or hazards to the security or integrity of that information, and protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
4. Building a Reasonable Information Security Program
A reasonable information security program under the Safeguards Rule includes several elements.
1. First, you must designate a Qualified Individual to implement and supervise your company’s information security program. This individual can be an employee of your company or can work for an affiliate or service provider.
2. Second, you must conduct a risk assessment to identify foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information.
3. Third, you must design and implement safeguards to control the risks identified in your risk assessment. This includes:
   - implementing access controls and reviewing them periodically;
   - knowing what customer data you hold and where it is stored;
   - encrypting customer information on your systems and while it is in transit;
   - assessing the security of your applications;
   - requiring multi-factor authentication for anyone who accesses customer information on your systems;
   - securely disposing of customer information;
   - anticipating and evaluating changes to your information systems or network; and
   - keeping a log of authorized users’ activity and detecting unauthorized access.
4. Fourth, you must regularly monitor and test the effectiveness of your safeguards. This can be accomplished through continuous monitoring of your systems, or through annual penetration testing and vulnerability assessments.
5. Fifth, you must train your staff. Provide your people with security awareness training and schedule regular refreshers.
6. Sixth, you must monitor your service providers. Select service providers with the skills and experience to maintain appropriate safeguards.
7. Seventh, you must keep your information security program current. The best programs are flexible enough to accommodate periodic modifications.
8. Eighth, you must create a written incident response plan. Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event.
9. Finally, your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body.
5. Conclusion
The FTC Safeguards Rule is a critical component of any business's data security strategy. By understanding who is covered by the rule, what it requires, and how to build a reasonable information security program, businesses can better protect customer information and comply with the rule.
6. FAQs
What is the FTC Safeguards Rule? The FTC Safeguards Rule is a set of standards for safeguarding customer information. It requires entities covered by the rule to maintain safeguards to protect the security of customer information.
Who is covered by the FTC Safeguards Rule? The rule applies to financial institutions subject to the FTC’s jurisdiction. This includes entities engaged in activities that are financial in nature or incidental to such financial activities.
What does the FTC Safeguards Rule require? The rule requires covered financial institutions to develop, implement, and maintain an information security program with safeguards designed to protect customer information.
What is a reasonable information security program under the FTC Safeguards Rule? A reasonable information security program includes several elements such as designating a qualified individual to supervise the program, conducting a risk assessment, designing and implementing safeguards, regularly monitoring and testing the safeguards, training staff, monitoring service providers, keeping the program current, creating a written incident response plan, and having the Qualified Individual report regularly to the Board of Directors or governing body.
What is a security event under the FTC Safeguards Rule? A security event, as defined by the rule, is an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such an information system, or customer information held in physical form.
Ozark Technology is a Business Technology Provider that helps organizations across the country rethink the value technology brings to their business.