Understanding FTC Safeguards Rule: Part I

FTC Safeguards Rule: The Basics

The Federal Trade Commission (FTC) Safeguards Rule is a set of best practices designed to ensure that companies handling personal information are taking appropriate measures to protect it from unauthorized access, use, or disclosure. It applies to a wide range of financial services firms, including mortgage brokers, auto dealerships, payday lenders, and other businesses that collect and maintain personal information about their customers. The rule went into effect on June 9, 2023, after being extended from an original deadline of December 9, 2022.

Under the Safeguards Rule, impacted businesses must develop, implement, and maintain a comprehensive information security program tailored to the size, complexity, and nature of the business, and how it uses personal information. The program must include administrative, technical, and physical safeguards designed to protect against unauthorized access to or use of personal information.

Requirements

Administrative, Technical, and Physical Safeguards

Administrative safeguards include the designation of a qualified individual to coordinate the information security program, the identification and assessment of risks to personal information, and the development of policies and procedures to manage those risks. Technical safeguards include the use of access controls, such as multi-factor authentication, to limit access to personal information, and encryption to protect it during transmission over networks. Physical safeguards include the use of locks, surveillance, and other physical security measures to prevent and deter unauthorized access to physical assets that store personal information.

Ongoing Improvement

In addition to developing and implementing an information security program, businesses covered by the Safeguards Rule are required to periodically assess and adjust their program in light of changes in technology, business operations, and other factors that may affect the security of the personal information in their care.

Implications for Businesses

Failure to comply with the Safeguards Rule can result in substantial penalties, including fines of up to $11,000 per day per occurrence of a breach, and injunctive relief. In addition, businesses that fail to adequately protect consumers’ personal information may also face reputational harm and loss of customer trust.

Getting Compliance Ready

The FTC Safeguards Rule is an important regulatory measure in protecting consumers’ personal information and ensuring that businesses that collect and maintain that information are taking appropriate steps to safeguard it. Businesses covered by the rule should take it seriously and act now to ensure that they are in compliance with its requirements, as the rule officially went into effect in June.

Where should you begin?

For most businesses, becoming compliant with the FTC Safeguards Rule requires a major shift in how the business views and manages security. Compliance for these businesses will occur over the course of months, not weeks. This is true of both consultant-led and self-led compliance efforts. Typically, the question of whether to bring in a consultant will come down to budget and the desire to outsource security program implementation and management activities.

Secentric’s FTC Safeguards Rule policy provides a framework for compliance success. We’ve used our years of experience to distill the activities you will need to engage in to ensure you are meeting the letter and spirit of the regulation. Because no organization can do everything at once, we encourage you to adopt the activities, or controls, which you can commit to in the near term, and iteratively improve upon and expand your program as you can – month over month, quarter over quarter. The Secentric application supports such iterative improvement by allowing you to opt out of controls you are not ready for, and by allowing you to soften control language where it might be too rigid for your initial program. The application tracks these control adoption preferences and allows you to come back to revisit them at any time.

About the Author: Lisa Pontier

Lisa Pontier began her technology career at a gaming startup that was later acquired by Disney. For the last twelve years, she has been immersed in learning about technology and cybersecurity while staying on top of emerging technology trends. She has spent the last five years focused on the buildout and release of cybersecurity solutions as co-founder of Secentric.
