The updated FTC Safeguards Rules will go into effect June 9, 2023, and will impact many companies never before subject to its Rules. The updated Safeguard Rules set clear requirements to ensure that personal data protection standards are updated. These new standards provide a best-practices framework that can help any organization prepare for the scrutiny and standards that are fast becoming the norm. This blog is also available as a downloadable e-Guide.
The FTC Safeguards Rule covers businesses like mortgage lenders, mortgage brokers, motor vehicle dealers, payday lenders, finance companies, account servicers, check cashing companies, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
The Safeguards Rule took effect in 2003, but the FTC amended it in 2021 to keep pace with current technology. These new rules go into effect on June 9, 2023, and they provide more concrete guidance for personal data protection standards. Its clear purpose is to strengthen the data security safeguards to protect customers’ personal information.
The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates. The Rule covers information about your own customers and information about customers of other financial institutions that have provided data to you.
What’s Now Required?
Your information security program must be written, and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information. The objectives of your company’s program are:
- to ensure the security and confidentiality for personal data protection;
- to protect against anticipated threats or hazards to the security or integrity of that information; and
- to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
What does a reasonable information security program look like?
The Safeguards Rule identifies nine elements that your company’s information security program must include. Let’s take those elements step by step.
1. Designate a Qualified Individual to implement and supervise your company’s information security program.
The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. The person doesn’t need a particular degree or title. What matters is real-world know‑how suited to your circumstances. If your company uses a service provider for this function, the buck still stops with you. You must designate a senior employee to supervise that person. If the Qualified Individual works for an affiliate or service provider, their company must also maintain an information security program.
2. Conduct a risk assessment.
You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing an inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information.
The risk assessment must be written and must include criteria for evaluating those risks and threats. Think through how customer information could be disclosed without authorization, misused, altered, or destroyed. The risks to information constantly morph and mutate, so the Safeguards Rule requires you to conduct periodic reassessments considering changes to your operations or the emergence of new threats.
3. Design and implement safeguards to control the risks identified through your risk assessment.
In designing your information security program, the Safeguards Rule requires your company to:
- Implement and periodically review access controls. Determine who has access to customer information and reconsider on a regular basis whether they still have a legitimate business need for it.
- Know what you have and where you have it. A fundamental step to effective security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience.
- Encrypt customer information on your system and when it’s in transit. If it’s not feasible to useencryption, secure it by using effective alternative controls approved by the Qualified Individual who supervises your information security program.
- Assess your apps. If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security.
- Implement multi-factor authentication for anyone accessing customer information on your system. For multi-factor authentication, the Rule requires at least two of these authentication factors: a knowledge factor (for example, a password); a possession factor (for example, a token), and an inherence factor (for example, biometric characteristics). The only exception would be if your Qualified Individual has approved in writing the use of another equivalent form of secure access controls.
- Dispose of customer information securely. Securely dispose of customer information no later than two years after your most recent use of it to serve the customer. The only exceptions: if you have a legitimate business need or legal requirement to hold on to it or if targeted disposal isn’t feasible because of the way the information is maintained.
- Anticipate and evaluate changes to your information system or network. Changes to a network can undermine existing security measures. For example, if your company adds a new application, has that created a new security risk? Because your systems and networks change to accommodate new business processes, your safeguards can’t be static. The Safeguards Rule requires that change management be part of your information security program.
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.
4. Regularly monitor and test the effectiveness of your safeguards.
Test your procedures for detecting actual and attempted attacks. Testing can be accomplished through continuous monitoring of your system. If you don’t implement that, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly known security vulnerabilities. In addition, test whenever there are material changes to your operations or business arrangements and whenever there are circumstances you know or have reason to know may have a material impact on your information security program.
5. Train your staff.
A security program is only as effective as its least vigilant staff member. Employees trained to spot risks can multiply the impact of a program. Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for everyone (internal or external) with hands-on responsibility for carrying out your information security program.
6. Monitor your service providers.
Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.
7. Keep your information security program current.
The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.
8. Create a written incident response plan.
Every business needs a response and recovery plan in place in case it experiences what the Rule calls a “Security Event”. A Security Event is an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. The Safeguards Rule specifies what your response plan must cover:
- The goals of your plan;
- The internal processes your company will activate in response to a Security Event;
- Clear roles, responsibilities, and levels of decision-making authority;
- Communications and information sharing both inside and outside your company;
- A process to fix any identified weaknesses in your systems and controls;
- Procedures for documenting and reporting Security Events and your company’s response; and
- A postmortem of what happened and a revision of your incident response plan and information security program based on what you learned.
9. Require your Qualified Individual to report to your Board of Directors.
Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.
The report must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example, risk assessment, risk management and control decisions, service provider arrangements, test results, security events and how management responded, and recommendations for changes in the information security program.
These upgrades provide a clear framework of best practices for how all organizations need to address information security and business continuity.
While your organization may or may not fall under the new FTC Safeguards Rules, these are best practices we implement for clients and ourselves. Taking a more structured and, in many cases, auditable approach, will help your organization address supply chain reviews, insurance questionnaires and create a competitive advantage when securing new business.
Advanced Logic has moved through these exact stages to meet audited standards such as SOC-2. We understand the operational challenges as well as the technical standards.
Navigating the increasing standards for accountable, engaged systems security is critical for business continuity. But it does not have to be overwhelming. Our leadership team can help you navigate the challenges.
If you’d like to discuss your needs or questions about data security, handling of personal data protection and risk reduction, we’re happy to set up a no-obligation call.
Contact us at (800) A TEAM4U or schedule a call today!