Regulatory bodies often release changes to their rules that widen the umbrella for the types of businesses that fall under their domain. While certain companies may have been exempt before, it’s always important to be ready should the changes redefine who qualifies. An apt example is last year’s Final Rule modifications by the Federal Trade Commission (FTC) to their Standards for Safeguarding Customer Information (Safeguards Rule). To keep pace with current technology, the FTC amended its Safeguards Rule, adding five main changes.
The most pertinent additions include an expanded definition of “financial institution” and new accountability rules requiring periodic reports to a company’s board of directors. The FTC’s changes to its Safeguards Rule seek to enforce stricter data security requirements amid increased cybercrime and mounting public outcry for greater protection of sensitive information. The revised Safeguards Rule and its provisions will be effective, and financial institutions must prepare accordingly.
What is the FTC Safeguards Rule?
The FTC is a federal agency that strives to protect consumers from fraudulent, misleading and prejudicial business practices by enforcing more than seventy federal laws. Should the FTC determine that an organization engaged in deceptive practices – such as a confusing privacy policy or a lack of reasonable security measures – which resulted in a data security incident, it will take appropriate action against that organization. Various rules promulgated under its authority include the Health Breach Notification Rule (HBN Rule), the Children’s Online Privacy Protection Act (COPPA) and the Safeguards Rule.
Although the Safeguards Rule took effect in 2003, the recent revisions provide more concrete guidelines. The Safeguards Rule aims to ensure that entities covered by the Rule keep – as the name implies – safeguards to protect the security of customer information. Moreover, financial institutions must develop, implement and maintain an information security program with administrative, technical and physical defenses. Additionally, the FTC requires the security program to be in writing and suitable to the size and complexity of the business in question, the nature and scope of its activities and the sensitivity of its customers’ information.
The two most relevant changes to the Safeguards Rule
One of the key revisions to the Safeguards Rule is that it expanded the definition of “financial institution” to include entities engaged in activities the Federal Reserve Board determines to be related to financial activities. This use of “financial institution” may be broader than how the term is used in common parlance, so be sure to research whether your organization qualifies.
According to Section 314.1(b) of the Safeguards Rule, a financial institution is any entity that participates in an activity that is “financial in nature” or any of the activities described in section 4(k) of the Bank Holding Company Act of 1956. Section 314.2(h) of the Safeguards Rule lists several examples, such as mortgage lenders, finance companies, collection agencies and tax preparation firms, to name a few. Note that many of these new additions – like payday lenders – were not included when the Safeguards Rule originally took effect in 2003. The FTC’s change also adds “finders,” or companies that bring together buyers and sellers of a product or service, to the list of financial institutions.
The second noteworthy modification to the Safeguards Rule is the new accountability provisions, which require a qualified individual to report to their company’s board of directors or governing body. This person’s report must include an overall assessment of the organization’s compliance with its established information security program and cover specific topics such as risk assessment, test results and recommended changes to enhance effectiveness. The report must be in writing and delivered regularly, at least annually.
The underlying implication of this change is that the qualified individual will take responsibility for ensuring that everything adheres to the business’s program; should a breach occur that jeopardizes customers’ information, they could be at fault.
Information security program: Best policies, practices and solutions
Whether a company was just added to the FTC’s list of financial institutions or was already under its purview, various cybersecurity policies, practices and solutions can protect its clients’ data and minimize the risk of non-compliance. First, create a security policy and a business continuity plan. Some good habits are to diligently follow security updates and patches, encrypt all sensitive data, use anonymized data whenever possible and implement physical security measures like restricted access and fire suppression.
Be sure to perform risk assessments as often as possible, including backup, data recovery and incident response tests. Likewise, businesses should deploy solutions and tools like security monitoring, network security devices and anti-malware/antivirus software. As for the people in a company, education is the best defense against cyberattacks. Employees should also undergo training on the latest risks.
Prioritizing partnership
Though some companies might have the technical capabilities to establish an information security program in-house, others do not have that same luxury. Financial businesses must reach out to a security consultancy to comply with the Safeguards Rule and remain within the good graces of the FTC. When researching, look for a partner with extensive engineering expertise and experience designing software solutions. Similarly, check out which organizations they have assisted in the past – do they align with your company’s profile? Lastly, a security strategy must be foundational, not an afterthought, so leverage a third party with the same mindset.