FTC Safeguards Rule

The FTC Safeguards Rule has been in force since 2003, and the amendments that took effect in 2023 added specific requirements and reach a broader set of businesses than most people expect.  Many assume it applies only to banks; in fact, any business that handles personal financial data in its transactions may fall under the rule's definition of a "financial institution."  We’ll cover which businesses need to comply, the associated penalties, a summary of the guidelines, and the security controls that map to them.

What does the rule do?

A definition from the FTC Website.

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” (The definition of “nonpublic personal information” in Section 314.2(l) further explains what is – and isn’t – included.) The Rule covers information about your own customers and information about customers of other financial institutions that have provided that data to you.

If you handle clients’ financial data, you have an obligation to protect it.  A company that fails to secure the personal data it holds creates a nightmare for its customers when that data is exposed.  The FTC is trying to hold businesses accountable when they don’t do their part and a compromise hurts the consumer.

Who needs to comply?

While this rule is often assumed to apply mainly to banking institutions, there is now a growing number of organizations that use clients’ personal financial information in their transactions, and they are all required to comply with the Safeguards Rule.  Here is a brief list.

FTC Safeguards rule applies to the following businesses.

  • automobile dealers
  • mortgage lenders
  • payday lenders
  • finance companies
  • mortgage brokers
  • account servicers
  • check cashers
  • wire transferors
  • collection agencies
  • credit counselors and other financial advisors
  • tax preparation firms
  • non-federally insured credit unions
  • investment advisors that aren’t required to register with the SEC.

You’ll notice that car dealerships, tax accountants, collection agencies, and others are on that list.

What happens if you don’t comply?

If your business doesn’t comply with the FTC Safeguards Rule and suffers a breach, the FTC can impose fines and other penalties.  Required breach notification can be costly, and you may be ordered to pay for corrective measures as well.  Worse, there may be other significant damage to your business.

  • Fines: The FTC can impose fines of up to $100,000 per violation for companies and up to $10,000 per violation for individuals. 
  • Injunctions: The FTC can seek long-term injunctions that could shut your business down, or make it hard to operate.
  • Consent decrees: The FTC can impose long-term consent decrees. 
  • Restitution payments: Restitution payments may be required to affected consumers.
  • Legal fees
  • Corrective measures: Corrective measures such as credit monitoring may be required at the expense of the business.
  • Imprisonment: In cases of extreme negligence, business owners and executives could face criminal charges and prison time. 
  • Lawsuits
  • Regulatory scrutiny: You may have to do costly regulatory audits for years. 
  • Reputational damage
  • Lost sales and revenue
  • Data Loss

As you can see, the penalties for non-compliance are numerous and steep, and a breach can damage your business well beyond the fines.  From a business risk management standpoint, there should be plenty of motivation to put the appropriate security controls in place.

What are the guidelines?

Compliance with the FTC Safeguards Rule requires a combination of written policies, a designated Qualified Individual to head up compliance, and numerous cybersecurity controls.  The rule specifies nine elements for the required information security program (ISP).  We’ll touch on each briefly.

  1. Qualified Individual – Someone within your organization needs to lead the charge and make sure the right solutions for compliance are put in place.  i.t.NOW does most of the heavy lifting for our clients, but the client is ultimately responsible for compliance and should have someone on their team assigned to oversee the work.
  2. Risk Assessment – Most security plans start by assessing existing risks and looking where you keep data.  From there you can start implementing a plan on how to secure that data.  An inventory of IT assets and software should be part of this along with examining cloud solutions where you store critical data.
  3. Cybersecurity Safeguards – Security controls should be designed specific to your system based on where you store data and other risk factors.  There are numerous things that the FTC wants to see you use as part of your security controls.

    Access Control
    Inventory
    Encryption
    Assess your apps
    Multifactor Authentication
    Secure Disposal of customer data
    Change Management
    Logging
    Testing and Monitoring
    Train Personnel
    Monitor Service Providers
    Keep Information Security Plan current
    Develop a written response plan
    Report on compliance to companies governing body
    Reasonable Technical safeguards.
  4. Monitor your Cybersecurity Solutions – As part of your ISP you need a system in place to regularly test the effectiveness of the security controls you have implemented.
  5. Train Your Staff – Regular cybersecurity training is a must to keep your organization safe.
  6. Monitor your Service Providers – Provide for periodic assessments of your security providers to ensure they are suitable for the job.
  7. Stay up to date – Cybersecurity is a living thing, and you will need to work to keep your plan and controls up to date with emerging threats.
  8. Written Incident Response Plan – Your organization should have a written incident response plan so that you know exactly what to do if disaster strikes to minimize impact.
  9. Report to Stakeholders – There should be a regular report on your ISP to the stakeholders in your organization.

What security controls do you need to have?

One of the challenges of most cybersecurity compliance regimes is translating their requirements into specific security controls that you can implement.  i.t.NOW works hard to simplify compliance for our clients.  Here’s how we would typically translate these requirements into appropriate controls and policy.

  1. Qualified Individual – i.t.NOW typically assigns an account manager to each client to help report on compliance.  As mentioned, it’s critical for you to have someone within your company assigned to oversee their work.
  2. Risk Assessment – When we bring on a new client i.t.NOW will perform a risk assessment and vulnerability scanning.  This will allow us to understand how to best secure your data.
  3. Cybersecurity Safeguards – Here’s where things get busy.  i.t.NOW helps put the following security controls in place to satisfy requirements.   We sometimes call this security control mapping, because we’re mapping appropriate security controls to requirements.
  4. Access Control – The security controls here are identity management and password policy.  If the client is on a domain, this is done centrally with Group Policy from the domain controller.  If not, the same settings can be scripted through i.t.NOW’s remote monitoring and management (RMM) software.
  5. Inventory – i.t.NOW leverages an RMM solution that gives us a complete hardware and software inventory.  It also allows us to automate security patches and updates on those devices.
  6. Encryption – The mapped security controls here depend on where you keep your data.  Microsoft includes full-drive encryption in Windows, called BitLocker, which we turn on and configure for our clients.  Apple has a similar solution called FileVault.  We also enable and configure encryption for cloud storage, backups, and email.
  7. Assess Apps – i.t.NOW uses a privileged access management solution to protect client environments by controlling which applications can be installed on company devices.
  8. Multifactor Authentication – We ensure that MFA is configured and turned on for all of your web-based applications, email, and any external network access like VPN.
  9. Secure Disposal – When machines are being removed from service we can perform a certified wipe on the hard drive to ensure all client data has been safely removed.
  10. Change Management – We can assist with change management process, and documentation of any needed changes.
  11. Logging – Both our RMM software and Windows servers provide logging capabilities.  We enable and configure these logs so that activity can be reconstructed after an incident.
  12. Testing and Monitoring – To ensure security for our clients we perform vulnerability scans on a regular basis and repair any found vulnerabilities.
  13. Training Personnel – We implement a cybersecurity awareness training program for all of your employees that has reporting.
  14. Monitor Service Providers – You’ll need to check our work here and make sure that we’re meeting your needs.
  15. Information Security Plan – i.t.NOW has templates for ISP that we can share with your team to make implementing a written plan simpler.  Customize the plan from there with the help of your i.t.NOW account manager.
  16. Written Incident Response Plan – i.t.NOW can also assist with templates and information that make the creation of an incident response plan simpler.
  17. Report on Compliance – i.t.NOW meets with all clients quarterly to review their service and cybersecurity plan.  Present this review to your stakeholders to answer any questions they have on compliance.
  18. Reasonable Technical Safeguards – Though not specifically stated, we believe that secure network design and strong firewalls are part of “reasonable safeguards,” and we will work to ensure that you have the appropriate firewalls and solutions in place.
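As an added example of what “security control mapping” looks like in practice, the script below checks a Windows endpoint against several of the controls named above: encryption at rest (BitLocker on fixed volumes), access control (password length and lockout policy), logging (audit subcategories an incident responder needs first), and inventory (installed software).  This is illustrative code written for this article, not i.t.NOW’s tooling or any RMM product’s script.  It assumes Windows 10/11 or Server 2016+ with the BitLocker PowerShell module, an elevated session, and an English-language build (it parses `net accounts` output).  The 14-character minimum is a policy choice, not a figure from the rule.  Controls that live outside the endpoint, such as MFA at the identity provider, cloud-storage encryption, and service-provider monitoring, are out of its scope and must be verified where they are configured.

```powershell
#Requires -RunAsAdministrator
# Added example for this article (not i.t.NOW's tooling). Read-only: it reports
# and writes CSV evidence, it changes nothing. Assumes Windows 10/11 or Server
# 2016+ with the BitLocker module and an English locale.

function Get-SafeguardsFinding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{
        Control = $Control
        Status  = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail  = $Detail
    }
}

function Test-EncryptionAtRest {
    # Encryption: every fixed volume must have BitLocker protection ON.
    foreach ($bl in Get-BitLockerVolume) {
        $vol = Get-Volume -DriveLetter $bl.MountPoint[0] -ErrorAction SilentlyContinue
        if ($vol -and $vol.DriveType -ne 'Fixed') { continue }   # removable media is a policy matter, skipped here
        Get-SafeguardsFinding -Control "Encryption $($bl.MountPoint)" `
            -Pass ($bl.ProtectionStatus -eq 'On') `
            -Detail "$($bl.VolumeStatus), $($bl.EncryptionMethod)"
    }
}

function Test-PasswordPolicy {
    # Access control: effective local policy. On a domain-joined machine these
    # values come from Group Policy, so the check reflects the domain setting.
    $txt     = (net accounts) -join "`n"
    $minLen  = [int]([regex]::Match($txt, 'Minimum password length:\s+(\d+)').Groups[1].Value)
    $lockout = [regex]::Match($txt, 'Lockout threshold:\s+(\S+)').Groups[1].Value
    Get-SafeguardsFinding -Control 'Minimum password length >= 14 (policy choice)' `
        -Pass ($minLen -ge 14) -Detail "length=$minLen"
    Get-SafeguardsFinding -Control 'Account lockout threshold set' `
        -Pass ($lockout -and $lockout -ne 'Never') -Detail "threshold=$lockout"
}

function Test-AuditLogging {
    # Logging: audit subcategories that have to be on before an incident, not after.
    foreach ($sub in 'Logon', 'Logoff', 'Account Lockout', 'Process Creation', 'Audit Policy Change') {
        $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
        $setting = $row.'Inclusion Setting'
        Get-SafeguardsFinding -Control "Audit: $sub" `
            -Pass ([bool]$setting -and $setting -ne 'No Auditing') -Detail "$setting"
    }
    # The Security log itself must be enabled and large enough to hold useful history.
    $sec = Get-WinEvent -ListLog Security
    Get-SafeguardsFinding -Control 'Security log enabled, >= 128 MB (policy choice)' `
        -Pass ($sec.IsEnabled -and $sec.MaximumSizeInBytes -ge 128MB) `
        -Detail "max=$([math]::Round($sec.MaximumSizeInBytes / 1MB)) MB"
}

function Get-SoftwareInventory {
    # Inventory: installed software from the Uninstall registry keys. This is
    # faster and safer than Win32_Product, which can trigger MSI repairs.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Invoke-SafeguardsBaseline {
    $findings = @(Test-EncryptionAtRest) + @(Test-PasswordPolicy) + @(Test-AuditLogging)
    $findings | Format-Table -AutoSize | Out-Host
    # Timestamped CSVs are the evidence you hand to the Qualified Individual.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $findings | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-safeguards-$stamp.csv"
    Get-SoftwareInventory | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-software-$stamp.csv"
    return $findings
}

$null = Invoke-SafeguardsBaseline
```

Run it from an elevated PowerShell prompt on a representative workstation and server; an RMM can push the same script to every managed device and collect the CSVs.  A FAIL on any line is a gap between the control you believe is mapped and the control that is actually in place, which is exactly what the rule’s testing-and-monitoring element is meant to surface.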

As you can see, the number of controls needed to comply is significant.  As cybersecurity professionals we can lighten the load on your team by taking implementation and management of these controls off your plate.

Final Thoughts

For a lot of small and medium businesses, compliance with something like the FTC Safeguards Rule is complex and daunting.  You likely don’t have anyone on staff with the time and expertise to tackle a project like this, and the penalties for non-compliance present a significant risk to your business.  By partnering with i.t.NOW you can leverage the technical expertise of our entire team, and working together we can get you where you need to be.


Image by Gerd Altmann from Pixabay