Which Businesses are Subject to the New FTC Safeguards Rule?
In response to a fast-paced and ever-growing digital world, the Federal Trade Commission (FTC) announced changes to the Safeguards Rule in 2021.
This new set of guidelines will finally take effect this year, and according to the FTC, all businesses that fit the updated regulation must comply by December 9, 2022.
Are you a part of this change? Does the FTC Safeguards Rule update affect your business? This article will give you everything you need to know about this modification.
At Intelligent Technical Solutions (ITS), we help hundreds of businesses stay on top of the latest cybersecurity practices and compliance standards. In this article, we’ll go over:
- What is the FTC Safeguards Rule?
- Who’s covered by the FTC Safeguards Rule?
- What are the changes in the updated FTC Safeguards Rule?
- Simple steps to position your business for compliance
After reading, it'll be clear whether you should be concerned with the changes in the FTC Safeguards Rule. If you are, you can start preparing your business for the necessary compliance requirements.
What is the FTC Safeguards Rule?
In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA), which established the 2002 Safeguards Rule and enhanced the regulatory power of the FTC. This move led to new requirements for financial institutions, including developing, implementing, and maintaining an information security program to prevent unauthorized access to sensitive customer information.
Who's Covered by the Safeguards Rule?
The Safeguards Rule was originally intended to regulate financial institutions, which, in the original drafting of this rule, meant any organization "significantly engaged in financial activities."
In 2022, a financial institution, according to the FTC's standards, is any organization that is significantly engaged in financial activities or in "activities incidental to such financial activities." Speaking generally, the FTC Safeguards Rule covers organizations that:
- Handle large amounts of money,
- Extend lines of credit or loans,
- Connect consumers with financial institutions, or
- Are involved with others' ability to access capital.
What are the Changes in the Updated FTC Safeguards Rule?
In the past, the Safeguards Rule has been vague and offered flexibility in compliance. However, after public comment and further research, the FTC released the updated Safeguards Rule with amendments to keep up with technological change, respond to current cybersecurity threats, and establish more concrete cybersecurity guidelines.
Here are the five main modifications in the new Safeguards Rule:
1. The new definition of "Financial Institution"
"Financial institution" was previously just defined as any U.S. company significantly engaged in financial activities. Under the new Safeguards Rule, "financial institution" includes any organization incidental to such financial activities.
The FTC explains that this modification is intended to bring “finders”— companies that bring together buyers and sellers of a product or service — within the scope of the Safeguards Rule.
Here are some of the non-financial institutions that will need to adhere to the newly updated FTC Safeguards Rule:
2. Other new definitions and related examples
The new Safeguards Rule includes several new terms, such as authorized user, multifactor authentication or MFA, encryption, penetration testing, security event, and related examples for clarity and ease of use.
3. New requirements for Information Security Programs
The new Safeguards Rule provides more detailed requirements for developing and establishing an information security program. The new rule specifies that the risk assessment must now include, among other things:
- Criteria for evaluating risks faced by the institution
- Criteria for assessing the security of its information systems
- How the identified risks will be addressed
4. Improved accountability
The new Safeguards Rule adds requirements designed to improve the accountability of financial institutions' information security programs. The FTC explains that this requirement will provide senior management with better awareness of their financial institutions' information security programs, making it more likely for the programs to receive the required resources and be able to protect consumer information.
5. New exemptions for small businesses
The new Safeguards Rule exempts financial institutions that collect information on fewer than 5,000 consumers from certain requirements: the written risk assessment, the incident response plan, and the annual reporting to the board of directors.
The Role of MFA in the New Safeguards Rule
Previous legislation established guidelines for protecting consumer information that could only be enforced on a regional level. But the Safeguards Act sets a national standard, outlining a reasonable information security program. And according to the FTC, a vital component of these programs is multifactor authentication (MFA).
MFA helps security teams control access to sensitive data. When an MFA solution is deployed, in addition to a username and password, employees with access to sensitive data will need another means of verification to make sure they are who they say they are.
5 Steps to Comply with the Safeguards Rule
If your organization is subject to the Safeguards Rule, there are five simple steps to position your business for compliance.
1. Start thinking about who will be your organization's "Qualified Individual".
Part of the FTC's amendments to the rule includes designating someone within your organization to be the "Qualified Individual." This person will oversee the development and execution of the organization's information security program and report to the company's board of directors.
The FTC says that this person does not need to have any accolades or certifications but should be well-experienced in securing an organization of your size and structure.
2. Seek out an encryption service for files, emails, and apps.
The Safeguards amendment now requires organizations to encrypt all sensitive customer data at rest and in motion. This is a general requirement, as data can move in many ways and for many reasons.
3. Control network access.
The Safeguards Rule now requires companies to periodically reevaluate who in the organization has access to certain information and for how long. This lowers the risk of breaches by granting access to data only on a need-to-know basis. Restricting access to all data at all times reduces the risk of sensitive data being exposed during a hack or breach.
4. Assess your applications and partners.
The FTC urges organizations to reevaluate their in-house applications or third-party partners to ensure they follow the Safeguards Rule requirements. A breach targeted at a third party or by an unprepared in-house application can have staggering effects on the customer data it's designed to protect.
5. Make sure the security software you choose is user-friendly.
Training your employees is a crucial requirement in the Safeguards Rule. Your Qualified Individual can implement as many security measures as possible, but there are still risks if your employees have no idea how to use them properly.
Ready to be FTC Safeguards Rule Compliant?
Certain provisions, like Safeguards monitoring and separate periodic risk assessments, take effect thirty days after the Amended Rule's publication in the Federal Register. So, financial institutions subject to the amended rule should get into compliance immediately, before the December deadline arrives.
At ITS, we help hundreds of businesses navigate the world of compliance as smoothly as possible. Give us a call today if you want to know where your business stands in terms of cybersecurity. We can help you identify and resolve the gaps to prepare yourself for compliance.