The Federal Trade Commission (FTC) has revised its Safeguards Rule, which aims to keep sensitive customer information from falling into the wrong hands. If you’re a business owner or manager, it’s important to understand whether or not this rule applies to your organization.
The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards. This program should be designed to protect customer information from unauthorized access, use, disclosure, and destruction.
Understanding the Updated FTC Safeguards Rule
Issued in 2002, the FTC Safeguards Rule requires financial institutions under the commission’s jurisdiction to develop, implement, and maintain comprehensive security programs to protect customer information. The rule has always reached non-bank financial institutions such as auto dealers that arrange financing, mortgage brokers, accountants, travel agencies, and retailers offering credit. In December 2021, the commission released a revised version of the rule that adds specific requirements for those programs and expands the definition of “financial institution” to include “finders” (firms that connect buyers and sellers to negotiate and finalize financial product or service transactions).
Firms that breach the rule may face fines and penalties. The updated rule took effect on January 10, 2022, with compliance for its new requirements initially due on December 9, 2022. The FTC has since extended that deadline to June 9, 2023, allowing companies additional time to assess and enhance their security measures.
Will My Business Have to Abide by the New Rules?
The Safeguards Rule’s definition of “financial institution” is broad: it covers any business under FTC jurisdiction that is significantly engaged in financial activities, such as mortgage brokers, payday lenders, and tax preparers. (Banks and credit unions are subject to equivalent safeguards requirements from their own regulators rather than the FTC.)
To determine whether your business is subject to the Safeguards Rule, you should consider the following factors:
- The type of customer information you handle: The Safeguards Rule protects customer information, meaning nonpublic personal information (NPI) that a financial institution obtains in connection with providing a financial product or service. This includes identifying and financial details such as name, address, Social Security number, and financial account numbers.
- The type of business you operate: If you provide financial products or services to consumers, such as arranging loans, extending credit, or preparing tax returns, it’s likely that the Safeguards Rule applies to you. Even if you don’t think of yourself as a financial institution, you may still be covered if financial activities are a significant part of your business.
- Your business size: The Safeguards Rule applies to businesses of all sizes, from large corporations to small sole proprietorships. Institutions that maintain customer information on fewer than 5,000 consumers are exempt from a few of the written-documentation requirements, such as the written risk assessment and the annual report to the board, but not from the rule itself.
If you determine that your business is subject to the Safeguards Rule, you’ll need to develop and implement an information security program that meets the requirements of the rule.
This program should include:
- Written policies and procedures for safeguarding customer information
- Security awareness training for employees
- Multi-factor authentication for anyone accessing customer information on business systems
- Regular monitoring and testing of your systems, through either continuous monitoring or periodic penetration tests and vulnerability assessments, to ensure they remain secure
- Logging of authorized users’ activity and monitoring for unauthorized access to customer information
Failure to comply with the Safeguards Rule can result in significant penalties, including fines and legal action. It’s therefore important to ensure that your business complies with the rule, both to protect your customers and to protect your organization’s reputation.
Organizations under the rule should act quickly to implement these steps, as the extended enforcement date for the revised Safeguards Rule is June 9, 2023. We encourage all affected businesses to consult their legal and IT departments for guidance.