The Safeguards Rule, also known as the Federal Trade Commission’s Standards for Safeguarding Customer Information, is a piece of financial legislation that mandates that businesses maintain high standards for safeguarding customer personally identifiable information (PII).
Originally introduced in 2003, the rule was recently amended by the FTC to align with emerging technologies and to offer clearer, more specific guidance to businesses. The updated rule goes into effect as of June 9th, 2023, so businesses that haven’t yet examined the new regulation need to prioritize compliance.
Failure to do so may result in various consequences, including lengthy consent decrees, injunctive relief, and damage to reputation.
Who is Subject to the FTC Safeguard Rule?
The FTC Safeguard Rule is applicable to financial institutions that do not fall under the jurisdiction of regulators specified in Section 505 of the Gramm-Leach-Bliley Act. The goal is to establish data security standards for small and medium-sized institutions that have not been previously governed by federal legislation.
The Rule deliberately maintains some level of ambiguity, encompassing any business that is “significantly engaged” in offering financial products or services. This broadens the scope of regulated entities to include mortgage brokers, payday lenders, real estate appraisers—even car dealers and ATM operators that handle PII.
FTC Safeguard Rule Compliance Checklist
The objective of the regulation is to safeguard customer information, meaning any record containing nonpublic personal information, regardless of its form (digital or paper). To achieve this, the Safeguards Rule requires financial institutions to establish, implement, and maintain a compliance program that incorporates safeguards in three key areas: administrative, technical, and physical.
Choose A Compliance Lead
The initial step is to determine the individuals responsible for overseeing FTC Safeguards Rule compliance within your organization. Similar to HIPAA, FINRA, or PCI-DSS, compliance with the Safeguard Rule is an ongoing process that requires continuous effort over months and years to maintain organizational compliance.
Appointing a designated person or team to lead these efforts will facilitate coordination across your organization and ensure consistent application of security controls and data protection measures. Even if you choose to engage an external provider to assist in leading compliance efforts, it is still valuable to assign an internal point of contact to interface with the vendor and maintain clear lines of communication.
Conduct Risk Assessment
A risk assessment involves a comprehensive analysis of your network technology and existing security controls. Extensive information on performing a risk assessment can be found online and in various publications.
The risk assessment helps you achieve several things. Firstly, it helps identify where customer data resides in your network, so you know which controls to deploy. It also gives you a deeper understanding of the threats to that data, allowing you to tailor your controls and enhance the protection of those resources.
Secure Network Access with Multifactor Authentication (MFA)
As we have previously discussed, multifactor authentication provides robust security and can effectively thwart 99% of password-based attacks. Consequently, the FTC has mandated the deployment of MFA, requiring the use of two out of the following three common factor types: knowledge, possession, and inherence.
Strategically Employ Data Encryption
As stated in Safeguards Rule 314.4(c)(3), it is imperative to safeguard customer information by employing encryption for both data in transit over external networks and data at rest.
To start, most companies should prioritize encrypting their email and file storage systems, such as Microsoft OneDrive and Google Drive, as these platforms typically store a significant amount of personally identifiable information (PII).
Next, your compliance team should conduct an audit of your line of business applications to ensure that files moving in and out of these systems are adequately protected with appropriate encryption measures, keeping sensitive information shielded from unauthorized access.
Secure Software and Line of Business Applications
As part of the audit, a thorough evaluation of all applications handling customer information should be conducted to ensure compliance with security standards. Replace any applications that do not offer 256-bit encryption for data transmission, and ask your IT team to scrutinize the software applications deployed on your network for known vulnerabilities and potential backdoors.
During the analysis, it is essential to identify any unregulated applications within your network, often referred to as “shadow IT.” These applications pose a significant risk of data loss as they are not subjected to regular updates, patches, or proper management like other systems.
Document Your Data Destruction Strategy
Data Destruction is a critical aspect of compliance that is often overlooked. The FTC has stringent requirements regarding the proper destruction of customer data.
To begin, review your data destruction policy and ensure its alignment with the standards in the Safeguard Rule. This includes tracking data throughout its lifecycle, assigning responsible individuals for supervising records disposal, performing due diligence when engaging third-party vendors, and securely destroying data before disposing of equipment such as computers and hard disk drives.
Develop a Written Incident Response Plan
Recognizing that absolute cybersecurity is unattainable, the Safeguard Rule requires companies to have a clear set of instructions for detecting, responding to, and mitigating the impact of security incidents. The response should be escalated based on the severity of the event. Each plan should also incorporate a post-incident analysis, enabling the team to gain a better understanding of the attack and revise the plan accordingly for improved future responses.
Section 314.4 of the Safeguard Rule outlines the necessary requirements for an incident response plan.
Track and Update
As with any compliance standard, it is crucial to stay prepared for network changes that may impact your compliance status. This includes new or replaced hardware, modifications to line of business applications, or even minor configuration adjustments in critical security systems. Such changes can jeopardize compliance and compromise customer PII.
While the steps mentioned above may be familiar to those with regulatory compliance expertise, attention to detail is crucial. Maintain consistency and thoroughness throughout the entire process, and ensure effective coordination among internal teams and vendors so that compliance proceeds as a unified effort.
Eric Madden is President of Astute Technology Management. For over 20 years, his team has been providing businesses in Ohio with the strategic and technical skills necessary to achieve total IT confidence. At his core, he still considers himself the nerdy kid who got a Tandy as a gift from his father and enjoys learning about all facets of technology—especially cybersecurity—to leverage and improve the lives of those around him.