The FTC’s Standards for Safeguarding Customer Information (Safeguards Rule) first became law in 2003. Late last year, these standards were finally updated to suit the modern threat landscape, and on the 9th of December 2022, compliance with the revised Safeguards Rule is expected to become mandatory.
Failure to comply with the Final Rule could result in hefty fines, class action lawsuits, and even imprisonment in severe cases.
Though a petition has been put forward to delay the Safeguards Rule enforcement until December 2023, entities subject to the FTC’s jurisdiction should assume the regulation will be enforced on schedule and start implementing compliance strategies immediately.
Read on to learn how to establish a cybersecurity program that complies with the FTC Safeguards Rule.
The FTC Safeguards Rule requires financial institutions to develop, implement, and maintain an adequate information and data security program with the proper safeguards in place to protect sensitive customer information. Any record considered “non-public personal information” handled by the institution or others must be safeguarded and protected against external threats.
The newly updated FTC Safeguards Rule (16 C.F.R. Part 314) provides further guidance on basic data security principles that financial institutions can follow and implement. Compliance with the new rule can also help organizations meet many of the regulatory standards set by the GLBA.
Entities expected to comply are still classified with the very misleading title of a “Financial Institution,” where “finance” refers to any relations with customer financial data, either through lines of credit, loans, or general financial information.
Some examples of businesses classified as “Financial Institutions” by the FTC include:
For more information on the rule requirements for classifying financial institutions for large and small businesses, refer to section 314.2(h).
The Federal Trade Commission may continue broadening its definition of a Financial Institution as digital transformation shortens the divide between third-party service providers and their influence on financial operations. So if your business isn’t classified as a Financial Institution today, it could be in the future. Regularly check the FTC’s definition of a Financial Institution to learn whether you’re suddenly expected to comply.
The FTC Safeguards Rule is a subset of the Gramm-Leach-Bliley Act (GLBA).
An effective compliance program for FTC’s new rules can be summarised with three primary objectives:
The customer information landscape of every Financial Institution is unique. But regardless of the scope of information requiring protection, these five strategies will guide the implementation of appropriate safeguards that could prevent a costly Safeguards Rule violation by supporting compliance with the FTC’s revised rules.
Under the FTC Safeguards Rule, a “Qualified Individual” is an official title for a person overseeing the implementation of a customer information security program. This role can either be assigned to an employee or outsourced to a service provider. If you designate this role to a third party, you still need to appoint an internally qualified individual to represent the company’s customer data security program.
A Qualified Individual isn’t required to hold any specialized certifications. The only requirement is experience in managing security operations.
Before customer data integrity can be evaluated, all internal and external assets with access to customer data need to be identified. This process is considerably more difficult for the external digital landscape, since assets mapping to customer data could extend to the fourth-party landscape (your vendors’ vendors).
All of your internal and external assets can be identified through a process known as digital footprint mapping.
Don’t forget to include previous third-party vendors in this analysis. Many regulations stipulate a customer data retention period even after a partnership has ended.
Here are some examples of data retention periods for popular cybersecurity regulations.
Once all of your internal and external assets have been identified, map the flow of customer information between them. Address the entire lifecycle of each customer data category, noting where it’s collected, transmitted, stored, and destroyed.
Though the FTC is mainly concerned with the security of highly-sensitive financial information (such as Social Security Numbers, credit card numbers, etc.), your data map should also include general contact information since it could be used in phishing campaigns preceding security incidents.
According to the FTC Safeguards rule, any record containing nonpublic personal information is classified as customer information.
A customer data flow chart should reflect your company’s customer information ecosystem. Based on this new understanding of when and where customer data is stored, establish a periodic data inventory schedule to ensure your security teams remain informed of the range of customer data being processed.
Your inventory efforts should include any apps, cloud solutions, systems, devices, and departments aligning with your customer data flow chart.
Risk assessments are one of the best methods of evaluating an organization’s security posture. These assessments indicate which regions of your IT ecosystem are most vulnerable to compromise. When this data is compared against your digital asset and customer information flow maps, the degree of risk to customer data integrity can be identified and quantified, which in turn allows the degree of FTC Safeguards Rule compliance to be measured.
You can establish an FTC compliance measurement process based on a security risk quantification model focused on customer data integrity threats. The degree of risk to customer data safety is directly tied to the degree of Safeguards Rule compliance.
Conventional risk assessments based on popular cybersecurity frameworks, like NIST CSF, may be too rigid for such a task. To accommodate unique asset ecosystems and security inquiries, it’s best to use a custom security questionnaire builder.
Risk assessments (or security questionnaires) should be used alongside a security rating solution to expedite the discovery and evaluation of attack surface exposures. A real-time security rating solution can monitor security posture improvements internally and across your entire third-party network.
Risk assessments will identify critical security risks threatening customer data safety. A capable internal cybersecurity team can then deploy the necessary remediation responses for each of them. While this effort could elevate your security posture to a level reflective of an exemplary customer data security standard, it’s a point-in-time approach that doesn’t ensure ongoing FTC Safeguards Rule compliance.
An ongoing compliance program should include the implementation of the following controls.