Understand the key requirements of the FTC Safeguards Rule and how to effectively build and maintain a written information security program to maintain compliance.
What is the FTC Safeguards Rule?
The Federal Trade Commission (FTC) created the Standards for Safeguarding Customer Information (“FTC Safeguards Rule”) to ensure that businesses maintain a cyber security program to protect private customer information. The FTC Safeguards Rule was originally drafted in 2003, and a 2021 update expanded both the scope and the detail of the Rule. In early 2023 the FTC extended the compliance deadline to June 2023 for certain key program elements, such as two-factor authentication.
§ 314.1 Purpose and scope: This part, which implements sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
Who is covered by the FTC Safeguards Rule?
The FTC Safeguards Rule applies to financial institutions that are subject to the FTC’s jurisdiction and are not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6805. While GLBA covered many traditional finance entities such as banks, the FTC recognized that many businesses outside GLBA also process sensitive financial information about individuals. The FTC Safeguards Rule fills that gap. For practical purposes, any business that collects the personal financial information of private citizens falls under the Rule. For example, automotive dealerships that process car loans must comply with the FTC Safeguards Rule.
What are the penalties for non-compliance?
According to the FTC, penalties for non-compliance can be “extensive and expensive”. The FTC can initiate an enforcement action against the company, which may include long-term “consent agreements” for both the company and senior management. The FTC cannot impose a financial penalty for a first offense, but it can seek other damages, including up to $47,517 per day for each consent violation.
Perhaps the biggest cost will be the damage to reputation and the cost of responding to a breach of customer information. Typical breaches in the financial sector cost up to $1000 per record.
What does the FTC Safeguards Rule Require?
In short, the Rule requires businesses to develop and implement a Written Information Security Program that protects the private information of customers. Beyond this high-level requirement, the FTC requires the program to contain key control elements (“Safeguards”) and to include specific technical tools and processes that have proven effective in cyber security, i.e. reasonable administrative, technical, and physical safeguards. For example, a technical safeguard is “encryption” to protect data at rest and in transit, while a non-technical or “procedural” safeguard is training all employees in basic cyber security awareness. A complete list of the Safeguards can be found on the FTC site.
For people not versed in technical jargon, the requirements break down into a few key elements:
- A documented list of controls (“safeguards”) that will protect information. These are essentially the “to do” items of the program, such as defining which data is protected and how.
- Essential documentation to support the controls, including information security policies, procedures and plans. The program does not exist in the eyes of the FTC unless it is written, approved by management, and distributed to employees.
- Assigned responsibility for implementing the safeguards. The FTC expects specific people to be accountable for understanding and implementing the program. A “qualified individual” must be appointed.
- Implementation and testing of the controls. The FTC requires the organization to test and monitor elements of the program to confirm that they are working as designed. This covers both procedural checks and technical monitoring of systems.
- Periodic reports to the Board or senior management. The cyber program leader (“Qualified Individual”) must communicate the status of the program regularly to key stakeholders, including the Board or equivalent management oversight group.
These are the core building blocks of any defensible cyber security program. Essentially, businesses are required to develop a cyber program, implement it, and assess the results.
What is included in the extended deadline?
Consult the Federal Register Notice for details, but the extension applies to provisions in the revised Rule that require covered companies to:
- designate a qualified person to oversee their information security program,
- develop a written risk assessment,
- limit and monitor who can access sensitive customer information,
- encrypt all sensitive information,
- train security personnel,
- develop an incident response plan,
- periodically assess the security practices of service providers, and
- implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information.
Do we need to hire a cyber security expert to implement the FTC Safeguards?
The FTC requires a “qualified individual” to be responsible for the information security program. It does NOT require that this person be an outside expert. While professional cyber security advice is always valuable, hiring a cyber security expert may not be an option for many organizations. Based on our experience, organizations with solid technical expertise can implement the FTC Safeguards themselves, especially the technical elements such as access control, data storage and incident response. A good way to supplement an in-house team is to use a compliance automation tool such as ComplianceShield. These tools provide extensive built-in security expertise and documentation, which lets your internal team focus on your own systems and resources. In some cases, you can also augment your team with a “Virtual CSO” who works part-time in your organization.
How do I get started?
The deadline for FTC Safeguards compliance was December 2022, later extended to June 2023. The FTC is encouraging organizations to get started early. The first step is to assign someone in your organization to be responsible for the cyber security project. That person may or may not be the one who ultimately serves as the “Qualified Individual” leading the program.
To dramatically reduce the cost and time of developing and implementing a cyber program, consider using an all-in-one tool like ComplianceShield. Using ComplianceShield, your organization can build a complete cyber security baseline that addresses all of the FTC requirements in under 10 minutes. ComplianceShield also includes a complete library of information security policy templates that address all of the key FTC requirements. To learn more, contact us or see a live demo.