The Revised FTC Standards for Safeguarding Customer Information Take Effect June 9, 2023.
You’ve probably heard by now the Federal Trade Commission (FTC) has extended the compliance deadline for the Standards for Safeguarding Customer Information (or Safeguards Rule for short). All finance companies and dealerships will need to implement these changes, or they could face enforcement actions from the FTC. Here’s what you need to know about the updated FTC standards.
Who does the FTC Safeguards Rule apply to?
Any business that engages in financial activities will need to comply with the revised Safeguards Rule. The revised rule exempts financial institutions that maintain customer information concerning fewer than 5,000 consumers from certain (but not all) requirements.
Here are the industries we serve that should make a compliance plan:
- Finance companies
- Buy Here Pay Here
What is the Safeguards Rule?
The Safeguards Rule was designed to protect vulnerable and sensitive customer information from threats or hazards such as unauthorized access to information that could cause substantial harm or inconvenience. It’s about keeping private, personal customer information private and secure from internal and external bad actors. It first took effect in 2003 and was amended in 2021 to keep pace with current technologies.
When does the Safeguards Rule go into effect?
All applicable businesses will need to comply with the revised Safeguards Rule by Friday, June 9, 2023, or face enforcement action from the FTC.
Where is the Safeguards Rule effective?
The FTC has federal jurisdiction over businesses throughout the United States. If you operate in the U.S., you’re expected to comply with the revised Safeguards Rule.
What are some of the key changes in the revised Safeguards Rule?
While any business required to comply with the Safeguards Rule needs to consult with legal counsel to review the rule, the changes, and how those changes affect it, a few key changes include:
- Adding provisions regarding how to develop and implement specific aspects of an information security program including data encryption, multi-factor authentication, and secure disposal of information.
- Imposing requirements related to designation of a qualified individual, written risk assessment, written incident response plans, periodic penetration testing and vulnerability assessments, activity monitoring and logging, change management, employee training, testing and monitoring the effectiveness of safeguards.
- Exempting financial institutions with customer information concerning fewer than 5,000 consumers from certain (but not all) requirements.
- Expanding the definition of “financial institution.”
- Revising the rule to expressly include several defined terms and examples rather than referring to them.
Why did the FTC revise the Safeguards Rule?
Data breaches have become inevitable rather than merely a risk. According to a report from IBM, 83% of companies will face a data breach. Data breaches cost an average of $9.44 million and take an average of nine months to identify and contain. This is costly to businesses, of course, but it’s the consumer who ultimately suffers: their identities or savings could be stolen, their accounts hacked, and even crimes committed in their name. The Safeguards Rule helps prevent these breaches by encouraging businesses to think proactively about risk management and customer information security.
How can my business get and stay compliant with the Safeguards Rule?
Compliance comes down to two critical factors: people and processes. You need both working together for the best cybersecurity risk management strategy. Here’s what the FTC recommends businesses do to get ready.
- People: Designate a qualified individual to implement and supervise your company’s information security program.
- Process: Conduct a risk assessment.
- Process: Design and implement safeguards to control the risks identified through your assessment:
  - Process: Implement and periodically review access controls.
  - Process: Understand your company’s information ecosystem.
  - Process: Encrypt customer information on your system and when it’s in transit.
  - Process: Assess your apps.
  - Process: Use multi-factor authentication for anyone accessing customer information on your system.
  - Process: Dispose of customer information securely.
  - Process: Anticipate and evaluate changes to your information system network.
  - Process: Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
  - Process: Regularly monitor and test the effectiveness of your safeguards.
- People: Train your staff.
- People: Monitor your service providers.
- Process: Keep your information security program current.
- Process: Create a written incident response plan.
Read the FTC’s full article here for additional details.
Check out these other helpful resources:
- National Automobile Dealers Association guidance.
- Taking a customer-centric approach to a data breach, from Deloitte.
- Five steps to protect your customer data, from Forbes.
- Protecting personal information: a guide for businesses, from the FTC.
Need one-on-one advice when it comes to protecting your GPS customers, data and apps? We can help with 24/7 live customer support.