What is FTC Safeguards Rule and What Does it Mean for Your Business?
Cyberattacks are a rapidly growing area of crime in the world. That's why businesses must be knowledgeable and continuously updated on the best ways to secure information for clients, like the Federal Trade Commission (FTC) Safeguards Rule.
If you've clicked on this article, you are most likely affected by the recent changes in this regulation. That is what we're going to talk about today. So, what is the FTC Safeguards Rule, and why is it important for your business?
At ITS, we’ve been helping hundreds of businesses strengthen their network defenses to support regulatory compliance, such as the Safeguards Rule. We’ve interviewed Ed Griffin, one of ITS’ partners, to talk us through this specific regulatory standard and answer these vital questions:
- What is the FTC Safeguards Rule?
- What are the key elements of the revised FTC Safeguards Rule?
- Is the FTC Safeguards Rule mandatory?
After a complete read-through, you should clearly understand the FTC Safeguards Rule and how you can prepare your company for compliance, cybersecurity-wise.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule was initially designed around the Gramm-Leach-Bliley Act (GLBA) in 1999 and was meant only to safeguard consumers and protect personal information from getting out in the world. Back then, it was considered good legislation.
Unfortunately, the last twenty years have been brutal in terms of private consumer data being leaked online. This includes social security numbers, home addresses, email addresses, and birthdays: all the data an attacker or criminal might need to carry out their ill intentions.
Since the turn of the century, the explosion of data breaches has also affected huge corporations and cost millions of dollars. One of the most infamous incidents was the Equifax breach.
Equifax is one of the big credit reporting bureaus in the United States. In 2017, although Equifax adhered to the FTC Safeguards Rule guidelines, it still got breached, and the personal information of millions of consumers was stolen. This was not because the hackers were so good, but because Equifax’s diligence on the IT security front was not at its best.
This is partly because the original Safeguards Rule was designed more on an honor system, according to Griffin. The guidelines were generic, and the government trusted the businesses to do the right thing.
“Sometimes that works. A lot of times, it doesn’t. And I think the past 23 years have proven that the honor system does not work,” Griffin says.
So, it is only suitable for the Safeguards Rule to be updated for modern times.
How has the Safeguards Rule changed?
Not only is it stronger, but it also now applies to a much broader audience of businesses.
The revamped Safeguards Rule is strengthened in ways that make it clearer, more specific, and more prescriptive in terms of what businesses need to do to protect, handle, process, and store confidential data for the consumer’s benefit.
Griffin added that by expanding the number of businesses in scope for the updated Safeguards Rule, the FTC is making sure that more of the industry is required to observe these enhanced handling procedures.
That’s the high-level view.
More specifically, the revised Safeguards Rule that goes into effect in December of this year specifies very tangible things that businesses handling financial transactions, or falling under the expanded notion of a financial institution, need to do. This will include the development and establishment of an information security program with a formalized risk assessment.
Key elements of the revised FTC Safeguards Rule
The FTC released a framework for regulating the privacy and data security practices of a broad range of financial institutions, and it will require them to provide customers with information about the institutions’ privacy practices and their opt-in rights.
Here are the key elements of the revised Safeguards Rule you need to know:
1. Security Officer
You’ve got to have someone accountable or, in the Safeguards Rule terms, a qualified individual. He or she is someone who needs to maintain accountability for the security program and who will be on the hook, perhaps even from a liability perspective, if something goes awry.
2. Security Program
You have to have some sort of active information security program. You can’t just say that you do it and then forget about it. You need to demonstrate and have proof.
For example, using a domain services system, such as Active Directory, ensures that there's a single source of truth for user identities and their entitlements on the network.
3. System that logs all user activities
This is important so that you know when users log in to something, when they log out, and, even more important, when they fail the login process. It’s a given that some users may fail a login once or twice; that might just be a mistake. It’s cold in the morning, and their fingers are stiff, so they cannot enter their passwords correctly.
However, when they enter their incorrect password 12 times in a row, you’ve got something else going on.
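As an added illustration (not code from the article or from ITS), here is a small detector that applies the threshold described above to a constructed, syslog-like authentication log. The log format, user names and timestamps are assumptions made for the example; a successful login resets a user’s failure streak, so one or two typos never alert.

```python
import re
from collections import defaultdict

# The article's rule of thumb: a couple of failures is a typo, 12 in a row is not.
FAILURE_THRESHOLD = 12

# Hypothetical log format for this example: "<timestamp> auth <user> <event>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<user>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|LOGOUT)$"
)


def parse_line(line):
    """Return a dict with ts/user/event, or None if the line is not an auth record."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def find_failure_streaks(lines, threshold=FAILURE_THRESHOLD):
    """Map each user whose consecutive failures reach the threshold to the
    timestamp of the failure that crossed it. LOGIN_OK resets the streak."""
    streak = defaultdict(int)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an auth record; a real pipeline should count these too
        user, event = rec["user"], rec["event"]
        if event == "LOGIN_FAIL":
            streak[user] += 1
            if streak[user] == threshold:  # alert once, when the line is crossed
                alerts[user] = rec["ts"]
        elif event == "LOGIN_OK":
            streak[user] = 0  # logouts do not touch the streak
    return alerts


# Constructed sample log: alice mistypes twice then succeeds, carol stops at 11,
# bob hits 12 straight failures, and one unrelated line is mixed in.
SAMPLE_LOG = (
    ["2024-01-15T08:00:00Z auth alice LOGIN_FAIL",
     "2024-01-15T08:00:05Z auth alice LOGIN_FAIL",
     "2024-01-15T08:00:09Z auth alice LOGIN_OK",
     "kernel: unrelated noise line"]
    + [f"2024-01-15T08:01:{i:02d}Z auth carol LOGIN_FAIL" for i in range(11)]
    + [f"2024-01-15T08:02:{i:02d}Z auth bob LOGIN_FAIL" for i in range(12)]
    + ["2024-01-15T08:03:00Z auth alice LOGOUT"]
)
```

Running `find_failure_streaks(SAMPLE_LOG)` flags only bob; lowering the threshold shows how quickly carol would join him.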
4. System that tracks changes in management
When introducing a change into the network, you had better have it tracked and documented. Then, if something terrible does happen, you can go back and see what might have triggered the attack.
For example, say you updated the firewall firmware. By tracking the change, you will know that this move exposed the network to new vulnerabilities in the new firewall firmware release.
Is the FTC Safeguards Rule compliance voluntary?
It will be a mandatory regulation for businesses that fit within the newly updated definition of financial institution. But a lot of the guidance will be relevant to any business.
“The key here, from the horizontal and broad applicability of this safeguards rule, is that the FTC has broadened the definition of financial institutions to include brokers of financial transactions between consumers and sellers,” Griffin explains.
It’s becoming clear that it’s no longer just the big banks that need to adhere to these rules. It’s all the smaller businesses too.
Refer to this article to learn the answers to some of the most frequently asked questions about the FTC Safeguards Rule.
Need help with your FTC Safeguards Rule compliance?
Further down the line, there will be more prescriptive guidance on how companies can comply with the Safeguards Rule.
It may be daunting for a company with no security program, because there is a lot to get used to, implement, and embrace. But if you pull back and look at the broader landscape, and at how badly consumers around the world have been treated by the inattentive, cavalier way businesses and financial institutions have handled the situation, this update is long past due.
Fortunately for businesses willing to start building their security programs, ITS is ready to assist. As a Managed Security Service Provider, we've been helping hundreds of clients navigate the world of compliance smoothly with our tailored security solutions. Contact us today for a free cybersecurity assessment if you want to position your business for Safeguards Rule compliance.