Overview of FTC Safeguards Rule
The Federal Trade Commission (FTC) "Standards for Safeguarding Customer Information" (commonly referred to as Safeguards Rule) is a set of requirements issued under Section 501(a) of the Gramm-leach-Bliley Act (GLBA) which requires financial institutions (now to include dealerships) to implement and maintain a comprehensive and documented information security program. Issued to protect consumer information and mitigate identity theft, privacy violations, and misuse of confidential data, the Safeguards Rule was issued in 2002 and officially took effect on May 23rd, 2003.
By now all financial institutions and dealerships have become familiar with the requirements of the Federal Trade Commission (FTC) "Standards for Safeguarding Customer Information" (Safeguards Rule) which requires organizations to develop, implement, and maintain a comprehensive written information security program. But due by December 9, 2022, the Revised Safeguards Rule will require organizations to revise their information security programs and implement new compliance measures.
FTC Safeguards Rule Revisions
December 9, 2022 - Required Revisions Take Effect
Effective December 9, 2022, financial institutions (including dealerships) are required to revise their information security programs and implement new security measures including annual periodic penetration testing or continuous monitoring of information systems to remain compliant.
The new requirements include:
- The designation of a "Qualified Individual" to oversee information security and implement specific technical measures.
- Preparation of a series of written documents, including:
- A written security risk assessment
- A written information security program (revised to include new requirements)
- A written incident response plan
- Written reports to the board of directors or equivalent regarding information security
- Implementation of specific IT technical requirements, including:
- Encryption
- Multifactor authentication
- Systems monitoring, penetration testing, and vulnerability assessments.
- Implementation of specific procedural requirements, including the development and ongoing monitoring of:
- Access controls to customer information
- Inventory of systems that handle customer information
- Secure software development and utilization practices
- Disposal procedures for customer information
- Change management procedures
- Employee training and management
- Security awareness training that is updated when necessary to reflect and educate employees on current risks facing the organization.
- Periodic review of service providers' security practices
Note: Organizations must take steps throughout 2022 and in advance of this date to comply by this deadline.
- January 10, 2022 - The Revised Safeguards Rule Takes Effect
- December 9, 2021 - FTC Publishes Revised Safeguards Rule
The FTC publishes revisions to Safeguards Rule (also referred to as Revised Safeguards Rule or Revised Rule), which expanded upon and added new revision requirements.
Original Safeguards Rule-
Requirement of conducting risk assessments.
-
Requirement of regular testing and/or monitoring of key controls, systems, and procedures used to protect client information.
Revised Safeguards Rule-
Assessments must be conducted regularly going forward.
-
Testing must be done with the goal of detecting actual and attempted attacks or intrusions on information systems.
-
- May 23, 2003 -The FTC Safeguards Rule Takes Effect
- 2002 - The FTC Safeguards Rule is First Issued
Next Steps to Compliance
Our team of testers are certified processionals, ready to help you uncover exploitable security vulnerabilities and meet FTC Safeguards Rule requirements. At the end of your project, we will deliver a comprehensive report of our findings, including remediation recommendations. We even offer remediation re-testing for FREE for up to six findings, within six months of project completion. Schedule a call with our team to discuss your unique security needs.
FTC Safeguards Rule FAQs
- Who does the FTC Safeguards Rule apply to? The FTC Safeguards Rule broadly applies to all financial institutions including dealerships and other entities that provide or facilitate financial services.
- What is the purpose of the FTC Safeguards Rule? The purpose of the FTC Safeguards Rule is to protect consumer information from misuse or data breach, ultimately protecting customer from identity theft or privacy violations.
- How is consumer information defined by the Federal Trade Commission (FTC)? The Revised Safeguards Rule applies to all customer information in your possession, whether such information pertains to individuals with whom you have a customer relationship or to the customers of other financial institutions that have if information to you. Accordingly, the protections it affords are likely relevant to all the customer personal information in your possession.
- Why were revisions to the FTC Safeguards Rule necessary? Revisions to the Safeguards Rule have been issued since 2003 when it was established to address and combat new and evolving security threats.
- What is the difference between the GLBA Safeguards Rule and the GLBA Privacy Rule? The Privacy Rule deals with how you share information about consumers who obtain, or apply for, credit or lease products from you and it includes specific notice requirements. The Safeguards Rule deals with how you protect information you receive from consumers. These obligations are independent of each other and are subject to different standards, requiring the appropriate steps to comply with each.
