Data security is a prime concern for every business, especially when it comes to customers' or clients' details relating to bank accounts or other financial data. To safeguard these details, data security programs were aligned under the FTC Safeguards Rule with rigorous requirements. An organization that does not comply with these requirements may be subject to hefty fines, disruptive sanctions, and even imprisonment.
But don't panic! In this blog, we will guide you through everything about the Federal Trade Commission Safeguards Rule. You will also learn how to comply with the new FTC Safeguards Rule now that the deadline for its provisions has been extended to June 2023.
The FTC Safeguards Rule was established in 2003 to ensure data security at financial organizations. It is part of the Gramm-Leach-Bliley Act (GLBA), the financial modernization act of 1999, which for the first time required financial institutions to document how they handle sensitive customer information.
Technology and information security rules were different almost two decades ago. As a result, a much-needed update to the original regulation was made in 2021 to provide better business guidance.
The Gramm-Leach-Bliley Act: Under the act, financial institutions must explain to their customers how they share information and ensure that sensitive information is safeguarded.
Under Section 505 of the Gramm-Leach-Bliley Act, the Rule applies only to financial institutions within the FTC's jurisdiction. Financial institutions in this context aren't secluded halls with ballpoint pens on chains, tellers, and deposit slips. Instead, the FTC Safeguards Rule covers businesses like mortgage lenders, mortgage brokers, payday lenders, motor vehicle dealers, account servicers, check cashing companies, collection agencies, finance companies, wire transferors, credit counselors and other financial advisors, non-federally insured credit unions, tax preparation firms, and investment advisors that aren’t required to register with the SEC.
The FTC has extended by six months the deadline for companies to comply with some of the data security changes it introduced to protect the personal information of financial institutions' customers. Accordingly, the FTC Safeguards Rule compliance deadline is now June 9, 2023.
As we all know, the security of data is of the utmost importance for any individual or company, so it is essential for any organization to strictly follow the FTC Safeguards Rule. We can't ignore the fact that the consequences of not complying with the FTC Safeguards Rule can be serious:
Your company will be subject to significant fines, and its reputation may be damaged.
As of June 2023, the FTC will be allowed to impose fines of up to $100,000 per violation under updated guidelines.
You may also face lawsuits from unhappy customers and employees, which could further harm your business' reputation.
Complying with the FTC Safeguards Rule requires several steps from small business owners:
Following § 314.3 Standards for safeguarding customer information:
Ensure information security by developing, applying, and maintaining a comprehensive program. Administrative, technical, and physical security measures must be tailored to the size of your organization, the scope of the activities you carry out, and the sensitivity of the customer information you protect.
Ensure that confidential and sensitive financial information is maintained in a secure and confidential manner.
Ensure data integrity and security against anticipated threats.
Protect confidential details from unauthorized access or use by keeping them secure.
According to § 314.4, the following elements must be included in your information security program:
Identify the person responsible for overseeing, implementing, and enforcing your information security program. In-house employees, affiliates, or service providers may qualify as Qualified Individuals. In your dealings with service providers and affiliates, you should:
Retain responsibility for compliance with this part;
Have the Qualified Individual directed and overseen by a senior executive;
Require the service provider or affiliate to maintain an appropriate information security program.
Assess your security risks before implementing your security program. A risk assessment for information security, confidentiality, and integrity identifies reasonably foreseeable internal and external risks. Be aware of all those risks that could result in unauthorized disclosure, misuse, alteration, or destruction of the information, and evaluate whether existing safeguards are sufficient to control them.
Make sure that access controls, including technical and physical security controls, are implemented and reviewed on a regular basis to:
Restrict access to authorized users only, after authentication and authorization.
Only allow authorized users to access the clients/customers' information they need to perform their duties.
Establish a risk strategy and identify your business's assets, including equipment, systems, data, personnel, and facilities.
You should encrypt sensitive information while it is in transit over external networks.
Make sure that in-house developed applications follow secure development lifecycle practices throughout the development process. To ensure the security of externally developed applications you use, have procedures in place that evaluate, assess, or test the security of the applications.
All users accessing information systems should be required to authenticate with multi-factor authentication.
Develop, implement, and maintain procedures to securely dispose of customer information no later than two years after the last date the information was required. Furthermore, you should periodically review your data retention policy to ensure you retain sufficient information.
Changes to your environment can introduce new vulnerabilities, so a procedure for managing change should be adopted.
Establish policies, procedures, and tools for monitoring and logging system activity so that you can make informed decisions. Ensure authorized users do not access or use customer data in an unauthorized manner or tamper with it in any way. Monitor, test, or otherwise keep track of the effectiveness of critical controls, systems, and procedures on an ongoing basis. Test and monitor the results of your information security program to determine whether or not it needs to be improved or adjusted.
Ensure that your employees receive security awareness training promptly. As a result of the risk assessment, training materials should be updated to reflect new risks that have been identified.
Choose service providers capable of maintaining a high level of security and integrity for the customer information they hold. Your contracts with service providers should require them to implement and maintain these safeguards. In addition, you should periodically assess the risks your service providers present and the continued adequacy of their security controls in light of those risks.
It is necessary to develop a written incident response plan to ensure that you can promptly respond to any security incident that might impact the confidentiality, integrity, and availability of any sensitive information under your control and recover from the event.
The Qualified Individual administering your information security program must report at least annually to your board of directors, an equivalent governing body, or your senior executive officer.
To be considered compliant, your organization must follow many requirements stipulated by the FTC Safeguards Rule, but it's important to realize that these are all necessary factors for a good reason. Undoubtedly, it is easy to forget about the staggering number of security threats. However, for the sake of everyone associated with an organization, we all must do our part in managing risks in an environment where the volume of new vulnerabilities and developments is always on the rise.
Throughout this article, we have covered many areas relevant to the Safeguards Rule. For more detail, you can attend our trending webinar, FTC Safeguards Rule and Everything Your Firm Needs to Know About the June 2023 Deadline!, at myCPE. This course is available for CPA, CFP, CISA, Accountant, and other professionals. Register now to attend this webinar and earn 2 CPE credits that meet your credit requirements.
To access this webinar, you need to subscribe to the myCPE Unlimited Access Plan, available at just $199, and enjoy 11,500+ hours of exclusive content with multiple features included.