Skip to content

Understanding the FTC’s New Safeguard Rule Amendments

Published
Nov 9, 2022
Share

By Kendall Cabrera  

The Federal Trade Commission (“FTC”) issued new amendments to its Standards for Safeguarding Customer Information (the Safeguards Rule) that need to be completed by December 9, 2022.

The Safeguards Rule requires those applicable financial institutions to adhere to the rule’s requirements in order to protect consumer data from unauthorized third parties. The rule’s requirements state a security program must be written appropriate to the size and complexity of the business. The program should address the scope and nature of the business’s activities and the sensitivity of the information.

Examples of financial institutions impacted:

  • Automotive dealerships
  • Personal property or real estate appraisers
  • Career counselors
  • Businesses that print and sell checks to consumers
  • Accountants and other tax preparation services
  • Travel agents
  • Mortgage brokers
  • Additional examples at eCFR :: 16 CFR 314.2 -- Definitions

Since 2003, the rule contained five components to a financial institution’s security program:

  1. A designated program coordinator/overseer
  2. A comprehensive risk assessment
  3. Adequate safeguards and regular audits
  4. Someone who oversees service providers
  5. Adjustments to the information security program as needed

Previously, the FTC required compliance to the aforementioned five elements but allowed more flexibility. Now, based on the revisions to the Safeguards Rule, the five elements still must be met with a series of technological minimums, regardless of size or circumstance. The updated rule states an information security program should include the following:

Program Coordinator

Select a qualified individual capable of implementing and supervising an institution’s information security program.

Risk Assessment

Conduct a risk assessment to determine foreseeable threats—both internal and external.

Design and Implement Safeguards

1.  Use the risks identified through the risk assessment to produce

  • Implement and schedule periodic reviews of the access controls.
  • Maintain accurate accounting of all systems, devices, platforms and personnel.
  • Encrypt customer information, whether in systems or in transit.
  • Evaluate the security of the applications in use.
  • Use multi-factor authentication for everyone accessing customer information on the systems.
  • Delete, dispose and/or remove customer information securely. A couple of exceptions to this are if there is a legitimate business need and/or legal requirement to keep the information.
  • Think of future necessary changes to an information system or network. Build flexible change management into the information security program.
  • Maintain a log of authorized activity and watch for unauthorized access to customer information.

2.  Monitor and test how effective an institution’s safeguards are and make changes where necessary.

3.  Train staff to spot risks. This can increase the program’s impact. It’s also important to provide security awareness training and schedule regular refreshers for all employees.

Service Providers

Monitor service providers’ work of the security program that is being done for financial institutions.

Information Security Program

1. Stay current with an information security program. Implement changes to mitigate issues found during risk assessments and conduct periodic program testing.

2.  Write down the incident response plan, which should cover:

  • Goals
  • Security event processes
  • Clarity of roles, responsibilities and levels of decision-making authority
  • Internal and external communications and information sharing
  • How to fix identified weaknesses in your systems and controls
  • How to document and report the security responses
  • An after-action report on events, responses and possible improvements

The qualified individual is required to provide a written report to a firm’s board of directors regarding the company’s overall compliance with the information security program.

If this impacts your business, we recommend reviewing the full FTC article and definitions, which can be found at:

https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know#Information_security_program

In addition, it is important to connect with your technology and cybersecurity team to get these controls implemented immediately.

Contact EisnerAmper

If you have any questions, we'd like to hear from you.

Explore More Insights

a screen shot of a computer
Article

The Change Healthcare Data Breach and Navigating Your Exposure

Read More
a city with many buildings and streets
Article

Seven Key Benefits of Outsourced Private Equity IT

Read More
a piece of wood with a piece of wood on it
Article

Nine Key Challenges Private Equity Firms Face that IT Outsourcing Can Address

Read More
Article

Top 10 Common Cybersecurity Mistakes in 2023

Read More
a person holding a phone
Article

Securing Your Digital Companions: A Guide to Mobile Device Security

Read More
close-up of hands working on a laptop
Article

A Guide to Cyber Hygiene Best Practices

Read More
a close-up of a computer
Article

Mobile App Building: Tools to Get Started

Read More
a small toy on a keyboard
Article

Building a Secure Organization: 5 Best Cybersecurity Practices for Commercial Construction Firms

Read More
a computer screen with many icons
Article

The Guardian of Our Digital Galaxy: Why Cybersecurity is Non-Negotiable in Today's World

Read More
a view of a city from a window
Article

Unleashing Your Data's Potential: How ETL is Reshaping Finance and Accounting

  • Artificial Intelligence
Read More
a light bulb on a table
Article

Leveraging AI to Assist Consumers with Products and Lifestyle

  • Artificial Intelligence
Read More
a city skyline at sunset
Article

More than Compliance: Turn Web Scanning into a Strategic Business Asset

Read More
View All Insights

Receive the latest business insights, analysis, and perspectives from EisnerAmper professionals.

Subscribe