The Federal Trade Commission (FTC) recently updated its Standards for Safeguarding Customer Information, also known as the Safeguards Rule. The rule requires covered entities to take proper precautions to protect customer information. MicroMenders would like to bring the updated rule and its implications to your attention, as your business's IT may be impacted.
While the rule first took effect in 2003, it was amended in December of 2021 to reflect current technology and now requires companies to develop, implement and maintain an information security program. The current deadline for complying with the new standard is June 9, 2023. To comply, many companies will need to upgrade their IT security, put a system in place to manage security tools, and produce annual reports.
The Safeguards Rule applies to any ‘financial institution’ within the FTC’s jurisdiction, but the FTC’s definition of a financial institution is broader than it initially sounds. An entity is a ‘financial institution’ if “its business is engaging in an activity that is financial in nature”; this definition is not limited to the financial industry. Entities under the rule include, but are not limited to, mortgage and payday lenders, finance companies, mortgage brokers, travel agencies and tax preparation firms. Businesses impacted by the Safeguards Rule are those that aren’t already under the enforcement of another regulator. For a full list, refer to the Safeguards Rule.
WHAT THE RULE REQUIRES:
Entities under the rule will need to develop and maintain an information security program with defenses in place that protect customer information. The Rule defines customer information as any “nonpublic personal information.” The program needs to ensure the security and confidentiality of said information as well as protect it against security threats and unauthorized access. The program should be suited to the size and complexity of your business and the sensitivity of the customer information at hand. The Safeguards Rule outlines nine elements that are required in every security program.
The FTC will require businesses to:
- Designate a Qualified Individual to implement and supervise your company’s information security program.
- Conduct a risk assessment.
- Design and implement safeguards to control the risks identified through your risk assessment.
- Regularly monitor and test the effectiveness of your safeguards.
- Train your staff.
- Monitor your service providers.
- Keep your information security program current.
- Create a written incident response plan.
- Require your Qualified Individual to report to your Board of Directors.
WHAT TO DO IF YOU THINK YOU’RE AFFECTED:
If your business falls under the ‘financial institution’ umbrella defined by the Safeguards Rule, you’ll need to put an information security program in place and determine how you’ll manage the system on an ongoing basis to ensure it’s effective.
If you’re a current MicroMenders client, please reach out to discuss if your business may be impacted by the FTC’s Safeguards Rule. If we believe you’ll be affected, MicroMenders will proactively get in touch to discuss an action plan. If you’re not currently a MicroMenders client, feel free to contact us and we can talk through what the rule will look like and how to ensure your business is compliant.
For more information, reach out to firstname.lastname@example.org.