The Federal Trade Commission’s Safeguards Rule, or the Safeguards Rule for short, is all about ensuring that businesses it covers maintain safeguards to protect customer information. It was put into effect in 2003 but was recently amended in 2021 to stay current with technology.
This matters because the Rule imposes specific technological requirements that must be adhered to; failing to do so can result in fines of up to $100,000 for each violation and/or imprisonment of up to 5 years.
To keep you safe, not paying fines, and out of jail, we are going to break down who this regulation applies to, what the requirements are, and how to meet them to stay compliant.
FTC Safeguards Affected Organizations
For small and mid-sized business owners, it’s crucial to understand who falls under the purview of the Safeguards Rule. Officially, it applies to “financial institutions” within the FTC’s jurisdiction that are not subject to the enforcement authority of another regulator. The technicalities can be found under section 505 of the Gramm-Leach-Bliley Act.
But let’s break down what “financial institution” means and which businesses it includes. Despite the name, it isn’t just organizations that deal with money. It’s any organization that engages in activities “incidental” to financial ones.
Yeah, I know. I hate legal speak too. So who does that really mean? It means businesses that have any activity related to financial services are considered financial institutions.
It’s easier to give examples.
Some of these are easily understood examples of financial institutions as they deal directly with money. But note there are many that you might not have initially considered.
- Financial Services
- Investment Advisors
- Accounting Firms
- Money Wiring Services
- Check Printing Services
- Schools
- Retailers
- Auto Dealerships
- Travel Agencies
- Real Estate Services
- Mortgage Brokers
This is not comprehensive by any means, but it should give you a good understanding of who is subject to the FTC Safeguards Rule. Of course, I’m just summarizing for easy reference. If you think you may be impacted by this definition, get professional advice. There are other rules at play, such as the size of the organization, that need to be factored in.
FTC Safeguards Requirements
So, what exactly does the Safeguards Rule require businesses to do? It mandates that the institutions in question establish an information security program with administrative, technical, and physical safeguards designed to protect customer information – which includes any nonpublic personal information, regardless of the format.
The objective is to ensure security and confidentiality, protect against anticipated threats, and guard against unauthorized access that could harm customers.
Let’s break that down a bit.
The first requirement is administrative. That means there needs to be a designated individual to implement and supervise the program. This person doesn’t need a specific title but should have real-world knowledge suited to your specific business and circumstances. They can be an employee, an affiliate, or a service provider. This individual should work with you to maintain an information security program for your business.
Next are the safeguards. Physical safeguards are fairly straightforward. You’re going to need secure storage of physical documents and files, with limited access, under lock and key. You should audit this to be sure you have all the necessary protections in place.
Technological safeguards follow the same mentality but are often overlooked because of their non-physical nature. Again, access controls are critical, including security requirements like MFA (multi-factor authentication), as are additional protections such as encryption.
Remember, the core of your program should be designed to control any risks effectively, which includes monitoring, testing, educating staff, and having an incident response plan that outlines your response to a security breach and how to recover from it.
FTC Safeguards Compliance
When it comes to implementing the Safeguards Rule, it’s essential to ensure that your business complies with its requirements. The Rule is specific about the actions you need to take, with topics I’ve touched on such as designating an administrator, conducting risk assessments, and implementing appropriate safeguards.
I won’t delve into each as I’ve already mentioned them. But as an IT service provider, I will summarize some of the technological requirements and the easiest way to achieve compliance.
Data Security
You need your files to be secure. This will include access control, both in rights management and in conditional policies. Rights management deals with employee roles and who is allowed access to certain data. Conditional policies deal with how they access the data, which can be managed in a multitude of ways, such as location- or device-specific controls. This can be fine-tuned to meet the needs of your organization.
Policies that should already be basic practice must be fully enforced. Password policies (covering length, complexity, and password management) as well as the use of MFA for additional authentication are required, not merely a good idea.
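As an added illustration of the two access-control layers and the password/MFA policies described above (example code written for this article, not from the FTC or any particular product), here is a minimal access-decision function. Rights management maps roles to the customer data they may read, conditional policies check the device and location the request comes from, and MFA is required for every grant; all role, dataset, and country names are constructed placeholders.

```python
"""Constructed example: role-based rights plus conditional access policies
with mandatory MFA, modelled on the Safeguards Rule's access-control layers."""
from dataclasses import dataclass

# Rights management: which roles may read which categories of customer data.
# Role and dataset names are constructed placeholders.
ROLE_RIGHTS = {
    "loan_officer": {"customer_pii", "loan_files"},
    "marketing": {"customer_contact"},
}

# Conditional policy: where access may originate from (constructed value).
ALLOWED_COUNTRIES = {"US"}

# Password policy values are constructed for the example, not FTC-mandated.
PASSWORD_MIN_LEN = 14


@dataclass
class AccessRequest:
    role: str
    dataset: str
    mfa_verified: bool   # second factor completed for this session
    device_managed: bool # device enrolled in the organization's management
    country: str         # where the request originates from


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Rules run in order and the first failure
    is the reason, so denials can be written to an audit log."""
    if req.dataset not in ROLE_RIGHTS.get(req.role, set()):
        return False, "role has no rights to dataset"
    if not req.mfa_verified:
        return False, "MFA not completed"
    if not req.device_managed:
        return False, "unmanaged device"
    if req.country not in ALLOWED_COUNTRIES:
        return False, "location outside policy"
    return True, "allowed"


def password_meets_policy(pw: str) -> bool:
    """Length plus complexity (upper, lower, digit) check."""
    return (len(pw) >= PASSWORD_MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))
```

The reason string returned on denial is what you would record so that later monitoring and audits can show the policy was actually enforced.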
Advanced Security
Here’s where things get complicated, but the right provider can make it easy. You need to consistently monitor your systems and detect threats on them. The solution for this is known as advanced security. To let you in on an industry term, it’s known as XDR – eXtended Detection and Response. This involves multiple facets of protection and covers every inch of your infrastructure from servers to workstations.
Yes, it includes things like antivirus and malware protection, but it’s far more complicated than that because threats are far more complicated than that these days. Advanced Security includes artificial intelligence that collects log data to aggregate and normalize activity – so it can identify when something abnormal occurs and will alert you (and/or your IT provider). It includes 24/7 security monitoring by real people, so nothing goes unseen. It applies protections like this everywhere, across cloud environments, email, and employee devices.
I could go on with examples and more details, but you get the idea. This is THE security you need for your organization. Period.
Pen-Testing
Lastly, you will be required to test the effectiveness of your environment and safeguards as well. You need to make sure that it is doing what you think it is doing. This is called Pen Testing (short for penetration testing). This is where somebody attempts to breach your network to test how well it keeps bad guys out. Depending on your industry, you will be required to do this at regular intervals, not less than once a year.
Different providers take a different stance on this. Our take? We don’t do pen testing. It doesn’t make much sense if we set up security for one of our partners and then test it ourselves. It’s sort of cheating. We’d rather have a third-party company audit our work to ensure we did a good job. If there’s anything we missed, then there’s a good chance we’d miss it in our pen test too.
Plus, there’s the benefit of choosing a third-party company that specializes in pen-testing. They will always do a better job than a general IT provider. We go one step further with our recommendation too. We suggest rotating pen-test companies every testing period. You will always get fresh eyes and different feedback as extra precautions for your security.
This is a very complicated topic that is tough to summarize in a short article. The FTC offers additional guidance on the Safeguards Rule and data security in general. But as always, if you need further assistance regarding cybersecurity or have more questions, feel free to get in touch.