
The Federal Trade Commission (FTC) issued the FTC Safeguards Rule to standardize security requirements for businesses that handle consumer data. New security measures have been added to the rule, which safeguards non-public customer data collected and held by financial institutions for certain purposes.
Who is Affected by the FTC Safeguards Rule?
Don't make the mistake of thinking that this rule only applies to banks. The new FTC Safeguards Rule (Section 314.2(h)) has revised what constitutes a “financial institution” to include:
- mortgage lenders
- payday lenders
- auto dealerships
- travel agencies
- check cashers
- wire transferors
- collection agencies
- real estate appraisers
- retailers with their own credit card
- finance companies
- account servicers
- credit counselors and other financial advisors
- tax preparation firms
- non-federally insured credit unions
- investment advisors that aren’t required to register with the SEC.
It’s important to remember that this rule is applied to businesses based on what data they may collect, not by how the business might otherwise be classified.
What sort of security program does the FTC Rule require?
According to section 314.4 of the Safeguards Rule, there are nine key elements that your company’s information security program must include:
Assign a Compliance Officer (a.)
The FTC requires that businesses designate a qualified individual to implement and manage your information security program. This can be an employee of your company or an outside consultant. The qualified individual doesn’t need a particular degree or title, but must have a real-world understanding of your cybersecurity circumstances. The qualified individual selected by a small business may have a background different from someone running a large corporation’s complex system. Even if your company works with a managed service provider or IT consultant, you may still need to designate a senior employee within your organization to provide oversight on your behalf. Any involved affiliate or service provider must also maintain an information security program that protects both their data and your business.
Risk Assessments (b.)
You can’t formulate an effective information security program until you know what information you have and where it’s stored. Inventory your data and conduct a risk assessment to determine foreseeable risks and threats to the security, confidentiality, and integrity of protected customer information. The FTC requires that your risk assessment be written and include criteria for evaluating both inside and outside risks and threats. The Safeguards Rule also requires you to conduct periodic reassessments to keep your security program up to date.
Mitigate and Control Risks (c.)
Measures to control the risks identified through your risk assessment must be developed and put into place. Among other things, in designing your information security program, the Safeguards Rule requires your company to:
- Implement and periodically review access controls and adhere to a “least privilege” policy.
- Know what data you have and where you have it at all times.
- Encrypt customer information stored on your system and when it’s in transit.
- Evaluate and ensure the security of any software your company develops to store, access, or transmit customer information.
- Implement multi-factor authentication using at least two of these authentication factors: a knowledge factor (for example, a password), a possession factor (for example, a token), and an inherence factor (for example, biometric characteristics). An exception is possible if your qualified individual has approved in writing the use of another equivalent form of secure access controls.
- Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn’t feasible because of the way the information is stored.
- Use change management tenets to anticipate and evaluate new threats or changes to your IT infrastructure.
- Maintain a log of authorized users’ activity.
- Monitor when customer information is accessed on your system, and detect unauthorized access.
Monitor and Test Your Safeguards (d.)
All security programs must be tested for their effectiveness in detecting and stopping attacks. This can involve 24/7 monitoring, penetration testing, and/or system scans.
Staff Training (e.)
Some of the most common cyberattacks are carried out by taking advantage of unaware or unprepared employees within the target entity. Providing your people with security awareness can reduce your overall cyber risk by up to 70%.
Use Qualified Service Providers (f.)
Work with service providers (such as MSPs or MSSPs) with the skills and experience to maintain appropriate safeguards. Make sure any partner agreements clearly define your security protocols and what measures will be used to keep you compliant.
Keep Your Information Security Program Current (g.)
Your program must be flexible enough to accommodate any number of changes, including changes in the threat landscape, changes in your use of data, changes in infrastructure, or changes in staff.
Written Response Plan (h.)
Every business needs a written incident response plan to dictate the response to what the Rule calls a security event (unauthorized access to or misuse of information stored on your system or maintained in physical form).
Section 314.4(h) of the Safeguards Rule spells out what your response plan must cover:
- The goals of your incident plan
- The internal processes your company will use in response to a security event
- Clear roles, responsibilities, and levels of decision-making authority
- Plans for communications and information sharing both inside and outside your company
- A process for addressing identified weaknesses in your systems and controls
- Procedures for documenting and reporting security events and your company’s response
- A procedure for conducting a post mortem after a security incident, as well as codifying what improvements you will make based on what was learned
Reports to Your Board of Directors (i.)
Your qualified individual must report in writing regularly (at least yearly) to your Board of Directors or governing body. If your company doesn’t have a Board or equivalent, the report must go to a senior officer responsible for your information security program. These reports should cover an overall assessment of your company’s compliance with its information security program, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and response (if any), and recommendations for changes in the information security program.
Visit the FTC website for more information about the Safeguards Rule.
If your Texas business needs help navigating any government regulations related to your IT, feel free to reach out to the experts at 3i. Our team has the experience, solutions, and training needed to secure your data, protect your customers, and keep you compliant with the FTC Safeguards Rule.