myCPE
myCPE

All Courses, One Price. Unlimited Access and Many Benefits.

Subscribe $199

April Accelerate Sale 2024 : 67% Savings on Subscription. Offer Ends Soon! April Accelerate Sale 2024 :
67% Savings on Subscription. Offer Ends Soon!
00hrs : 00min : 00sec

View Offer

Data security is a prime concern for every business, especially when it comes to customers' clients details related to bank or any other financial data. So, to safeguard these details, data security programs were aligned under the FTC safeguard rule with rigorous requirements. And if any organization doesn't comply with these requirements, they may be subject to hefty fines, disruptive sanctions, and even imprisonment.

But don't panic! In this blog, we will guide you through everything about the Federal Trade Commission safeguards Rule. Along with this, you will also learn about how to comply with the new FTC safeguards rule after the extension of FTC Safeguards Rule provisions to June 2023.

Understanding Federal Trade Commission (FTC)

FTC Safeguards Rule was established in 2003 for financial organizations to ensure data security. In addition, as part of GLBA (Gramm-Leach-Bliley), the financial modernization act of 1999 made it the first time financial institutions were required to document how they handled sensitive customer information.

Almost two decades ago, technology and information security rules were slightly different. As a result, a much-needed update has been made to the original regulation to provide better business guidance as of 2021.

The Gramm-Leach-Bliley Act: Under the act, financial institutions must explain to their customers how they share information and ensure that sensitive information is safeguarded.

Businesses Covered Under the Safeguard Rule

Under Section 505 of the Gramm-Leach-Bliley Act, the Rule applies only to financial institutions within the FTC's jurisdiction. Financial institutions in this context aren't secluded halls with ballpoint pens on chains, tellers, and deposit slips. Instead, the FTC Safeguards Rule covers businesses like mortgage lenders, mortgage brokers, payday lenders, motor vehicle dealers, account servicers, check cashing companies, collection agencies, finance companies, wire transferors, credit counselors and other financial advisors, non-federally insured credit unions, tax preparation firms, and investment advisors that aren’t required to register with the SEC.

New Deadline for certain revised FTC Safeguards Rule extension - June 2023

The FTC has extended the deadline for companies to comply with some of the data security changes it implemented to protect financial institutions' customers' personal information by six months. Accordingly, FTC Safeguards Rule extension for six months is now June 9, 2023.

Consequences of FTC regulations violation

As we all know that the security of data is utmost important for any individual or company. Hence, it becomes essential for any organization to strictly follow the FTC safeguard rule. And, we can’t ignore the fact that the consequences of not complying with the FTC Safeguards Rule can be serious like:

Your company will be subject to significant fines, and its reputation may be damaged.

As of June 2023, the FTC will be allowed to impose fines of up to $100,000 per violation under updated guidelines.

You may also face lawsuits from unhappy customers and employees, which could further harm your business' reputation.

Safeguards Rule: How to Adhere to It Properly?

Securing the FTC Safeguards Rule requires several steps from small business owners:

  • To collect, maintain, and share personal information, they must first identify it. All their customer and employee data, including those kept on file, must be inventoried.
  • Secondly, they must assess the risks associated with this information. An important part of this process includes identifying potential vulnerabilities in their systems and processes that could lead to a data breach.
  • As a third step, they must devise a written security plan that outlines how this data will be protected.
  • As a final step, they should monitor the security of their systems and processes.

Following § 314.3 Standards for safeguarding customer information:

Ensure information security by developing, applying, and maintaining a comprehensive program. Administrative, technical, and physical security measures must be tailored to the size of your organization, the scope of the activities you carry out, and the sensitivity of the customer information you protect.

Objectives of a Comprehensive Information Security Programs

Assure that confidential and sensitive financial information is maintained in a secure and confidential manner

Ensure data integrity and security against anticipated threats

It is important to protect confidential details from unauthorized access or use by keeping it secure

A Comprehensive Information Security Program: What are the Requirements?

According to 314.4, the following elements must be included in your information security program:

Individuals with qualifications

Identify the person responsible for overseeing, implementing, and enforcing your information security program. In-house employees, affiliates, or service providers may qualify as Qualified Individuals. In your dealings with service providers and affiliates, you should:

Maintain responsibility for this part's compliance;

The qualified individual will be directed and overseen by a senior executive

Maintain an appropriate information security program for the service provider.

Risk Assessment

Assess your security risks before implementing your security program. An information security, confidentiality, and integrity risk assessment identifies reasonably foreseeable risks on both an internal and external level. Be aware of all those risks that can result in unauthorised disclosures, misuses, alterations, or destruction of the information. Evaluate whether any safeguards are sufficient to control these risks.

Periodic Review of Access Controls

Make sure that access controls, including technical and physical security controls, are implemented and reviewed on a regular basis to:

Access is restricted to authorized users only after authentication and authorization.

Only allow authorized users to access the clients/customers' information they need to perform their duties.

Asset Inventory

Establish a risk strategy and identify your business's assets, including equipment, systems, data, personnel, and facilities.

Encryption

You should encrypt sensitive information while it is in transit over external networks.

Secure Development Lifecycle

Make sure that in-house developed applications follow secure development lifecycle practices throughout the development process. To ensure the security of externally developed applications you use, have procedures in place that evaluate, assess, or test the security of the applications.

Multi-factor Authentication

All users accessing information systems should be required to authenticate with multi-factor authentication.

Secure Disposal of Data

To ensure that customer information is securely disposed of, procedures should be developed, implemented, and maintained by two years after the last date the customer information was required. Furthermore, you should periodically review your data retention policy to ensure you retain sufficient information.

Change Management

New vulnerabilities can be introduced in your environment when you make changes to your environment. Therefore, the procedure for managing change should be adopted.

Monitoring on a continual basis

Establish policies, procedures, and tools for monitoring and logging system activity so that you can make informed decisions. Ensure authorized users do not access or use customer data in an unauthorized manner or tamper with it in any way. Monitor, test, or otherwise keep track of the effectiveness of critical controls, systems, and procedures on an ongoing basis. Test and monitor the results of your information security program to determine whether or not it needs to be improved or adjusted.

In-house training

Ensure that your employees receive security awareness training promptly. As a result of the risk assessment, training materials should be updated to reflect new risks that have been identified.

The management of service providers

Choose service providers capable of maintaining a high level of security and integrity for the information they hold about their customers. In your contracts with your service providers, you should ensure that they implement and maintain these safeguards. In addition, you should periodically assess the risks your service providers expose and the continued adequacy of their security controls based on their exposure to risks.

Plan for Incident Response

It is necessary to develop a written incident response plan to ensure that you can promptly respond to any security incident that might impact the confidentiality, integrity, and availability of any sensitive information under your control and recover from the event.

A regular reporting system to the leadership

Whenever your Qualified Individual is tasked with administering your information security program, they must report at least annually to your board of directors, other equivalent governing bodies, or your senior executive officer.

Final Thoughts

To be considered compliant, your organization must follow many requirements stipulated by the FTC Safeguards Rule, but it's important to realize that these are all necessary factors for a good reason. Undoubtedly, it is easy to forget about the staggering number of security threats. However, for the sake of everyone associated with an organization, we all must do our part in managing risks in an environment where the volume of new vulnerabilities and developments is always on the rise.

Throughout this article, we have covered many areas relevant to the Safeguards Rule. For more detail, you can attend our trending webinar - FTC Safeguards Rule and Everything Your Firm Needs to Know About the June 2023 Deadline! at myCPE. This course is available for CPA, CFP, CISA, Accountant and other professionals. You register now to attend this webinar and earn 2 CPE credits that meet your credit requirements.

To access this webinar, you need to subscribe myCPE Unlimited Access Plan, available at just $199 and enjoy all exclusive 11,500+ hrs of content with multiple features included.

Imtiaz Munshi, CPA
Imtiaz Munshi, CPA
CFO, AZSTEC LLC

The author Imtiaz Munshi is a Certified Public Accountant and CFO at Azstec, LLC. He is Business Strategist, Tax Planner, Entrepreneur and Advisor to "HNEs" (High Net Worth Entrepreneurs).

Subscribed
Jordan purchased a subscription.
Subscribed
Lina purchased a subscription.
Subscribed
Rachel purchased a subscription.
Subscribed
Caroline purchased a subscription.
Subscribed
Gary purchased a subscription.
Subscribed
Perry purchased a subscription.
Subscribed
mark purchased a subscription.
Subscribed
Pam purchased a subscription.
Subscribed
Alaa purchased a subscription.
Subscribed
Luc purchased a subscription.
Subscribed
Brandi purchased a subscription.
Subscribed
Brad purchased a subscription.
Subscribed
Jane purchased a subscription.
Subscribed
William purchased a subscription.
Subscribed
Kanwaljeet purchased a subscription.
Subscribed
TRACEY purchased a subscription.
Subscribed
Tracey purchased a subscription.
Subscribed
Abdulla purchased a subscription.
Subscribed
Mee Rina purchased a subscription.
Subscribed
Blake purchased a subscription.
Subscribed
Casey purchased a subscription.
Subscribed
Roxanne purchased a subscription.
Subscribed
Nancy purchased a subscription.
Subscribed
Jan purchased a subscription.
Subscribed
Kim purchased a subscription.
Subscribed
Linda purchased a subscription.
Subscribed
Amy purchased a subscription.
Subscribed
Nicholas purchased a subscription.
Subscribed
Vijay purchased a subscription.
Subscribed
Tyler purchased a subscription.
Subscribed
Neel purchased a subscription.
Subscribed
Gregory purchased a subscription.
Subscribed
Duane purchased a subscription.
Subscribed
Anne purchased a subscription.
Subscribed
Kevin purchased a subscription.
Subscribed
Thomas purchased a subscription.
Subscribed
Nancy purchased a subscription.
Subscribed
Sherri purchased a subscription.
Subscribed
Debbie purchased a subscription.
Subscribed
Ryan purchased a subscription.
Subscribed
Michele purchased a subscription.
Subscribed
Anna Maire purchased a subscription.
Subscribed
Brian purchased a subscription.
Subscribed
Ashley purchased a subscription.
Subscribed
Adam purchased a subscription.
Subscribed
Sandra purchased a subscription.
Subscribed
J purchased a subscription.
Subscribed
Archit purchased a subscription.
Subscribed
Julianne purchased a subscription.
Subscribed
Pranali purchased a subscription.
Subscribed
Tony purchased a subscription.
Subscribed
DIANE purchased a subscription.
Subscribed
Chuck purchased a subscription.
Subscribed
Rivka purchased a subscription.
Subscribed
Robin purchased a subscription.
Subscribed
Becky purchased a subscription.
Subscribed
Kris purchased a subscription.
Subscribed
Felicia purchased a subscription.
Subscribed
Dale purchased a subscription.
Subscribed
Craig purchased a subscription.
Subscribed
MARSHA purchased a subscription.
Subscribed
Equity purchased a subscription.
Subscribed
Emily purchased a subscription.
Subscribed
Sean purchased a subscription.
Subscribed
Tameika purchased a subscription.
Subscribed
Douglas Barrie purchased a subscription.
Subscribed
Heidi purchased a subscription.
Subscribed
Kelly purchased a subscription.
Subscribed
Tamkanat purchased a subscription.
Subscribed
Kimberly purchased a subscription.
Subscribed
Jenny purchased a subscription.
Subscribed
Merlyn purchased a subscription.
Subscribed
Carrie purchased a subscription.
Subscribed
cheryl purchased a subscription.
Subscribed
WILLIAM purchased a subscription.
Subscribed
Ryan purchased a subscription.
Subscribed
LAURA purchased a subscription.
Subscribed
Lauren purchased a subscription.
Subscribed
GAIL purchased a subscription.
Subscribed
Shuang purchased a subscription.
Subscribed
Amy purchased a subscription.
Subscribed
Kristina purchased a subscription.
Subscribed
Jessica purchased a subscription.
Subscribed
Derek purchased a subscription.
Subscribed
Frank purchased a subscription.
Subscribed
Dawna purchased a subscription.
Subscribed
Miriam purchased a subscription.
Subscribed
Roberto purchased a subscription.
Subscribed
Anastasia purchased a subscription.
Subscribed
Tareq purchased a subscription.
Subscribed
Shucen purchased a subscription.
Subscribed
Justin purchased a subscription.
Subscribed
June purchased a subscription.
Subscribed
Ekaterina purchased a subscription.
Subscribed
Scott purchased a subscription.
Subscribed
James purchased a subscription.
Subscribed
Gabriella purchased a subscription.
Subscribed
Victor purchased a subscription.
Subscribed
Rose purchased a subscription.
Subscribed
Adria purchased a subscription.