On June 9, 2023 the FTC will begin enforcing what is known as the FTC Safeguards Rule. You can read the high-level summary here (FTC Safeguards Rule: What Your Business Needs to Know | Federal Trade Commission) and the text of the actual rule here (eCFR :: 16 CFR Part 314 — Standards for Safeguarding Customer Information). In short, the Federal Trade Commission (FTC) Safeguard Rule is a set of regulations that require financial institutions and certain other businesses to develop, implement, and maintain a comprehensive information security program to protect customer data. The regulation was enacted to protect consumers’ sensitive financial information.
Small businesses are an attractive target for cybercriminals, as they often lack the resources and expertise to protect against these threats. Small businesses are also more likely to have access to sensitive customer information, such as credit card numbers, social security numbers, and bank account information. The FTC Safeguard Rule applies to small businesses that are deemed financial institutions or that handle sensitive customer information.
The rule outlines a variety of elements that must be implemented by the prescribed deadline, but it also carves out a number of exceptions for organizations that “maintain customer information concerning fewer than five thousand consumers”. So, the point of this post is to provide a summary of the required elements and whether they apply to all “financial institutions”. However, I do need to start with the definition of “financial institution”, because, as with most governmental documents, it is not always clear.
Per the FTC Safeguards Rule, a financial institution is any organization that the FTC has jurisdiction over. The Safeguard Rule’s definition is really broad, and the rule focuses on the types of activities the business undertakes rather than on how the business is categorized. This could include, but is not limited to, banks, credit unions, payday lenders, mortgage brokers, and check cashing businesses. However, small businesses that are not financial institutions can still be subject to the FTC Safeguard Rule if they handle sensitive customer information.
As I mentioned above, there are various elements that must be implemented to be in compliance with the FTC Safeguard Rule. Here are the 9 elements that must be implemented:
- Security Program: Companies must develop and maintain a comprehensive security program to protect customer information.
- Designated Employee: Companies must designate one or more employees, or a service provider, to oversee the security program.
- Risk Assessment: Companies must identify and assess the risks to customer information in each relevant area of their operation.
- Safeguards: Companies must implement safeguards to control the risks identified through the risk assessment.
- Service Providers: Companies must ensure that their service providers also implement appropriate safeguards to protect customer information.
- Evaluations and Adjustments: Companies must regularly evaluate and adjust their security programs to reflect changing circumstances.
- Employee Training and Management: Companies must provide their employees with appropriate training and manage them to ensure that they follow the security program.
- Oversight: Companies must oversee their service providers and require them to implement appropriate safeguards to protect customer information.
- Response Plan: Companies must have a plan in place to respond to security incidents and to prevent further damage or unauthorized access to customer information.
The safeguards that small businesses must put in place include physical, technical, and administrative measures. These may include things like password policies, access controls, encryption, firewalls, and employee training on how to handle sensitive customer information. And while this can seem overwhelming, you may already have many of these policies in place.
The gaps in your security policy can also have significant consequences. Non-compliance with the FTC Safeguard Rule can result in significant financial penalties for small businesses, as well as damage to their reputation and customer trust. Therefore, small businesses should take the necessary steps to comply with this regulation and protect their customers’ sensitive information.
At the end of the day, having a sensible security plan in place, not only for the FTC Safeguard Rule but also as a best practice, is a wise business decision. Many IT providers are versed in helping small businesses implement these plans. Here at NSN, we have developed plans to address all 9 of these elements, as well as the tools needed to perform the assessments that ensure you maintain compliance with the FTC Safeguard Rule.
If you have any questions about the FTC Safeguard Rule, please reach out and schedule a time to speak with me. No high pressure sales pitch EVER!