Follow These 4 Steps to Comply With the Safeguards Rule

Blog
January 13, 2023

You may have heard about the huge Facebook data leak that affected 533 million users, leaving email addresses, phone numbers, names, ID information, and employer names vulnerable. And according to the VPN provider Surfshark, almost 1 billion email accounts in the United States were exposed due to data breaches in 2020 and 2021.  

Data breaches can lead to data corruption, identity fraud, and theft of intellectual property, and for your organization they mean financial loss and reputational damage. 

So it’s no surprise then that the Federal Trade Commission (FTC) decided to tighten the rules surrounding how companies provide data security and protect customer information. 

In this article, we’ll review what the Safeguards Rule is all about, how to know if it applies to your business, and what you need to do to comply.

What Is the Safeguards Rule?


The Safeguards Rule (formally the Standards for Safeguarding Customer Information, 16 CFR Part 314) was issued by the Federal Trade Commission under the Gramm-Leach-Bliley Act. It took effect in 2003 and has since been amended, most recently in 2021, to keep pace with how technology and threats have changed. 

The Safeguards Rule requires covered companies to develop, implement, and maintain a written information security program. The program must protect the security and confidentiality of customer information, protect against anticipated threats to it, and prevent unauthorized access that could cause substantial harm or inconvenience to a customer. In practice, it governs how your organization accesses, collects, distributes, and disposes of customer information.

The original rule left most of the implementation detail to each company. The amendments are more prescriptive and list specific elements every program must contain, which we walk through below. 

Does the Safeguards Rule Affect Your Business?


The list of companies that need to comply with the Safeguards Rule has grown, so it's worth checking whether it now covers your business. The authoritative reference is the rule itself, 16 CFR Part 314, which defines exactly which companies count as financial institutions. 

But as a quick definition, the FTC Safeguards Rule applies to financial institutions — those providing financial services or engaging in financial activities. These include “mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors.” However, note that the only investment advisors affected are those who don’t need to register with the SEC.

By this definition, a company that transfers money to and from customers as part of its business, such as a wire transferor or payday lender, would be covered. (Banks and federally insured credit unions are subject to their own regulators' rules rather than the FTC's.) Retailers would not count as financial institutions provided their only financial activity is accepting payment by cash, check, or card, or offering lay-away and deferred payment plans, which is true of most retailers. A retailer that extends credit itself, for example by issuing its own store credit card directly to consumers, is a financial institution under the rule. 

How to Comply With the FTC Safeguards Rule


If your business needs to comply with the Safeguards Rule, what steps should you take to protect your customers and comply with the FTC requirements?

16 CFR 314.4 spells out exactly what a financial institution's information security program must contain (and we recommend reading it in full), but we'll break it down here. One caveat before you start: under 16 CFR 314.6, institutions that maintain customer information on fewer than 5,000 consumers are exempt from some of these elements, namely the written risk assessment, the periodic penetration testing and vulnerability assessment requirement, the written incident response plan, and the annual report to the board. The rest of the rule still applies to them.

1. Decide on a “Designated Qualified Individual”

The amended rule requires you to designate a Qualified Individual who is responsible for overseeing, implementing, and enforcing your information security program. This can be an employee, an affiliate, or a service provider. If you use an outside party, you must still designate a senior member of your own staff to direct and oversee them, and you must require that outside party to maintain an information security program that protects your customer information. 

Remember — no matter who you designate, your organization is ultimately responsible if anything goes wrong. 

Your Qualified Individual must report in writing to your board of directors (or an equivalent governing body, or if there is none, a senior officer responsible for the program) at least once a year. The report covers the overall status of the program and your compliance with the rule, plus material matters such as risk assessment results, service provider arrangements, test results, security events and how they were handled, and recommended changes to the program.

2. Make Sure Your Risk Assessment Process Is Compliant

Most businesses already treat risk management as part of everyday operations, whether they are onboarding new suppliers or running ongoing checks on existing stakeholders to manage inherent and residual risk.

The FTC requires your information security program to be based on a written risk assessment. That assessment must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, including anything that could lead to unauthorized disclosure, misuse, alteration, or destruction of it, and it must evaluate how well your existing safeguards control those risks. 

To comply, the assessment must include criteria for evaluating and categorizing the risks and threats you identify (in practice, a consistent scoring scheme), criteria for assessing the confidentiality, integrity, and availability of your systems and customer information, and an evaluation of how well your existing controls address those risks. 

It must also describe how each identified risk will be mitigated or accepted, and how your information security program will address it. 

You'll also need a written incident response plan, informed by your risk assessment, that sets out exactly how you'll respond to security events, anything from an employee clicking a link in a phishing email to an insider misusing their access. 

The plan needs to identify who’s responsible for responding, what levels of authority they have for making decisions, how your team will talk about the event internally and externally, how you’ll fix any system issues that led to the event, how you’ll document the event, and how you’ll prevent future events.

According to the FTC, a one-time risk assessment isn't enough to satisfy the rule. You must periodically reassess in case your risk picture changes, for example when software reaches end of life, when a new phishing technique appears, or when you learn of a data leak that may involve your company. 

Certa lets you set automatic reminders for ongoing risk assessments so they don't stay on the back burner. It also alerts you to external and internal risk factors that could affect you, so you can update your assessments and see whether your scores have changed.

3. Create Appropriate Safeguards

The rule lists specific safeguards your information security program must implement. These include access controls that limit each user to the customer information they need, an inventory of your data and the systems that hold it, encryption of customer information both in transit and at rest, multi-factor authentication for anyone accessing an information system that holds customer information, secure development practices for applications you build in-house, and change management procedures. Where you judge encryption or MFA infeasible for a particular system, the rule lets your Qualified Individual approve an effective alternative control in writing. 

You also need to log and monitor user activity, including authorized users' access to customer information, and flag anything suspicious, such as a customer's account suddenly being used from an unfamiliar device or IP address. Controls like these add layers to your access controls so that only authorized users reach customer data, and only the data they actually need.
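A minimal version of the activity-monitoring logic described above, written for this article as an added example (it is not Certa's or the FTC's code): it replays a constructed JSON-lines access log and flags a customer's account being used from an IP address or device that account has never used before, plus bursts of requests in a short window. The log format, field names, and thresholds are assumptions chosen for illustration.

```python
"""Flag customer-portal access events that deviate from a user's own history.

Added example, not from the original post. The log format, field names and
thresholds below are assumptions; the sample log lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample log: one JSON object per line (not real customer data).
SAMPLE_LOG = """\
{"ts": "2023-01-10T09:00:00", "user": "alice", "ip": "203.0.113.10", "device": "dev-a1", "action": "view_statement"}
{"ts": "2023-01-10T10:00:00", "user": "bob", "ip": "192.0.2.55", "device": "dev-b1", "action": "view_statement"}
{"ts": "2023-01-11T09:05:00", "user": "alice", "ip": "203.0.113.10", "device": "dev-a1", "action": "view_statement"}
{"ts": "2023-01-12T22:40:00", "user": "alice", "ip": "198.51.100.7", "device": "dev-zz", "action": "view_statement"}
{"ts": "2023-01-12T22:41:00", "user": "alice", "ip": "198.51.100.7", "device": "dev-zz", "action": "download_statement"}
{"ts": "2023-01-12T22:41:30", "user": "alice", "ip": "198.51.100.7", "device": "dev-zz", "action": "download_statement"}
{"ts": "2023-01-12T22:42:00", "user": "alice", "ip": "198.51.100.7", "device": "dev-zz", "action": "download_statement"}
{"ts": "2023-01-13T10:00:00", "user": "bob", "ip": "192.0.2.55", "device": "dev-b1", "action": "view_statement"}
"""


def parse_events(log_text):
    """Parse a JSON-lines access log into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(log_text, burst_window=timedelta(minutes=5), burst_limit=3):
    """Return alerts for first-seen IPs/devices and access bursts, per user.

    A user's earlier events form their baseline, so the very first event for a
    user only seeds the baseline and never alerts. Later events from an IP or
    device that user has never used before are flagged, as is any run of more
    than burst_limit events from one user inside burst_window.
    """
    seen_ips = defaultdict(set)
    seen_devices = defaultdict(set)
    recent = defaultdict(deque)   # per-user sliding window of timestamps
    alerts = []

    for ev in parse_events(log_text):
        user, ts = ev["user"], ev["ts"]
        has_history = bool(seen_ips[user])  # baseline exists after the first event

        if has_history and ev["ip"] not in seen_ips[user]:
            alerts.append({"user": user, "ts": ts, "reason": "new_ip", "value": ev["ip"]})
        if has_history and ev["device"] not in seen_devices[user]:
            alerts.append({"user": user, "ts": ts, "reason": "new_device", "value": ev["device"]})
        seen_ips[user].add(ev["ip"])
        seen_devices[user].add(ev["device"])

        # Burst detection: drop timestamps older than the window, then count.
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > burst_window:
            window.popleft()
        if len(window) > burst_limit:
            alerts.append({"user": user, "ts": ts, "reason": "burst", "value": len(window)})

    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(f"{alert['ts']:%Y-%m-%d %H:%M:%S} {alert['user']:<6} {alert['reason']:<11} {alert['value']}")
```

On the sample log this raises three alerts, all for alice: a new IP and a new device at 22:40 on January 12, then a burst once her fourth request lands inside five minutes. A new IP on its own is a weak signal (mobile carriers change addresses constantly), which is why the example keeps new IP, new device, and burst as separate reasons; in production you would weight and combine them, tune the burst threshold per action type (downloads deserve a lower limit than page views), and feed the alerts into the incident response process rather than paging someone on every one.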

Unless it's needed for business operations or another legitimate business purpose, or retention is required by law, you must securely dispose of customer information no later than two years after the last date it was used to provide a product or service to that customer, and you must periodically review your retention policy to minimize what you keep. That limits how much data about former customers is exposed if you are breached.

Once the safeguards are in place, your people need to know how to use them. The rule requires security awareness training for staff, updated to reflect your most recent risk assessment. It also requires you to use qualified information security personnel, to keep them supplied with security updates and training, and to verify that key personnel stay current on changing threats and countermeasures.

Your service providers need to meet the bar too. The rule requires you to select providers capable of maintaining appropriate safeguards, to require those safeguards in your contracts with them, and to periodically reassess each provider's risk and the adequacy of their safeguards.

💡To understand how to conduct vendor risk assessments, read our guide.

4. Regularly Test Your Safeguards

An important part of the rule is confirming that your protections still work. You remain responsible for customer information that is compromised on your watch, and attackers look for the moment your guard is down, so testing cannot be a one-off exercise. 

The rule requires you to regularly test or otherwise monitor the effectiveness of your key controls. For information systems, that means either continuous monitoring or, at minimum, annual penetration testing (authorized attempts to break into your own systems to see how hard they are to breach) plus vulnerability assessments at least every six months and whenever there are material changes to your operations or business arrangements. Vulnerability scans identify publicly known weaknesses in your software and configurations that an attacker could exploit, so fix or mitigate what they find and keep the evidence for your annual report. 


Stay Compliant With Certa

The main takeaway from these FTC changes is that your safeguards must follow from your risk assessment. Customer information must be protected, and your information security program must be kept current to keep protecting it.

Certa helps you work smarter, not harder when it comes to complying with the FTC Safeguards Rule. Your risk assessment process must identify internal and external risks; Certa takes that a step further with comprehensive risk summaries that let you monitor, assess, categorize, and store relevant risks, so you stay current on the risk factors affecting your business as they shift over time. 

Plus, Certa’s process automation and notifications give timely reminders so your team won’t miss your next assessment. With these automated workflows and ongoing monitoring, we make it easy to stay compliant with safeguards.  

Certa's customizable workflows help you set up continuous monitoring so that follow-up checks happen when they're required, keeping residual risk and security threats to a minimum. 

Chat with one of our experts today to learn more about how we can help you protect your business.