Understanding the FTC’s New Safeguard Rule Amendments
November 09, 2022
By Kendall Cabrera
The Federal Trade Commission (“FTC”) issued new amendments to its Standards for Safeguarding Customer Information (the Safeguards Rule) that need to be completed by December 9, 2022.
The Safeguards Rule requires those applicable financial institutions to adhere to the rule’s requirements in order to protect consumer data from unauthorized third parties. The rule’s requirements state a security program must be written appropriate to the size and complexity of the business. The program should address the scope and nature of the business’s activities and the sensitivity of the information.
Examples of financial institutions impacted:
- Automotive dealerships
- Personal property or real estate appraisers
- Career counselors
- Businesses that print and sell checks to consumers
- Accountants and other tax preparation services
- Travel agents
- Mortgage brokers
- Additional examples at eCFR :: 16 CFR 314.2 -- Definitions
Since 2003, the rule contained five components to a financial institution’s security program:
- A designated program coordinator/overseer
- A comprehensive risk assessment
- Adequate safeguards and regular audits
- Someone who oversees service providers
- Adjustments to the information security program as needed
Previously, the FTC required compliance to the aforementioned five elements but allowed more flexibility. Now, based on the revisions to the Safeguards Rule, the five elements still must be met with a series of technological minimums, regardless of size or circumstance. The updated rule states an information security program should include the following:
Select a qualified individual capable of implementing and supervising an institution’s information security program.
Conduct a risk assessment to determine foreseeable threats—both internal and external.
Design and Implement Safeguards
1. Use the risks identified through the risk assessment to produce
- Implement and schedule periodic reviews of the access controls.
- Maintain accurate accounting of all systems, devices, platforms and personnel.
- Encrypt customer information, whether in systems or in transit.
- Evaluate the security of the applications in use.
- Use multi-factor authentication for everyone accessing customer information on the systems.
- Delete, dispose and/or remove customer information securely. A couple of exceptions to this are if there is a legitimate business need and/or legal requirement to keep the information.
- Think of future necessary changes to an information system or network. Build flexible change management into the information security program.
- Maintain a log of authorized activity and watch for unauthorized access to customer information.
2. Monitor and test how effective an institution’s safeguards are and make changes where necessary.
3. Train staff to spot risks. This can increase the program’s impact. It’s also important to provide security awareness training and schedule regular refreshers for all employees.
Monitor service providers’ work of the security program that is being done for financial institutions.
Information Security Program
1. Stay current with an information security program. Implement changes to mitigate issues found during risk assessments and conduct periodic program testing.
2. Write down the incident response plan, which should cover:
- Security event processes
- Clarity of roles, responsibilities and levels of decision-making authority
- Internal and external communications and information sharing
- How to fix identified weaknesses in your systems and controls
- How to document and report the security responses
- An after-action report on events, responses and possible improvements
The qualified individual is required to provide a written report to a firm’s board of directors regarding the company’s overall compliance with the information security program.
If this impacts your business, we recommend reviewing the full FTC article and definitions, which can be found at:
In addition, it is important to connect with your technology and cybersecurity team to get these controls implemented immediately.