Customer data security is of increasing importance to companies aiming to operate on a global scale. From ChatGPT to the U.S. House of Representatives, data breaches are on the rise and cost businesses an average of almost $10 million per breach. Major brands are frequently in the news, suffering massive costs. In 2022 alone, T-Mobile’s breach cost $350 million just in customer payouts.
As a result, the Federal Trade Commission (FTC) added new rules to the Standards for Safeguarding Customer Information, known as the FTC Safeguards Rule. While enforcement of the new regulations took effect in December 2022, the FTC extended the deadline for compliance with certain aspects of the Rule to June 2023. How can companies best understand these new rules, and how can they comply with the FTC Safeguards Rule as soon as possible?
What is the FTC Safeguards Rule?
The FTC Safeguards Rule dates back to 2003 but was amended in 2021 to keep up with changing technology, creating new avenues for data breaches. It aims to ensure financial institutions implement safety protocols that protect customer data.
The Rule requires relevant financial institutions to create and maintain an information security program to safeguard customer information. The information that companies should protect includes:
- Data and insights on a company’s customers
- Received information about customers of other financial institutions
This means companies must safeguard records of nonpublic personal information, which can take any form, from paper to electronic.
Who does the Rule change affect?
A common challenge with the original FTC Safeguard Rule was defining a financial institution. It used to be rather broad, with the Rule being more concerned with the activities a business undertakes than how the company categorizes itself. As a result, many companies weren’t sure whether they needed to abide by the Rule, making themselves vulnerable to action by the FTC.
The Rule change has better defined the definition of a financial institution, with the updated list including the following:
- Businesses that print or sell checks in any quantity or wire money to or from customers
- Check-cashing businesses
- Any accountants or tax preparation firms
- Mortgage brokers
- Companies that advise on investments
- Real estate or personal property appraisers, as well as real estate settlement services
- Businesses that lease personal property for at least 90 days, such as auto dealerships
- Travel agencies
- Retailers that extend credit to customers using their own credit card
- Financial career counselors, specifically those who help those seeking employment within a financial business or have recently moved away from a job at a financial organization
- Any organization providing credit counseling services
- Any company that charges a fee for connecting customers that are looking for a loan to a lender
With this new clarity, companies can better determine if they should act. Now they must know what steps they should take if they are considered a financial institution and how the FTC’s updates come into play.
The FTC Safeguards Rule updates
Before the updates, all businesses had to do was follow five loose guidelines for implementing an information security program:
- Designate a program coordinator
- Perform a risk assessment
- Perform audits and implement safeguards
- Oversee service providers
- Update and adjust the information security program over time
While businesses had a lot of freedom in completing these tasks, the FTC’s updates now aim to provide more concrete guidance to address the threats of modern technology. Businesses now must comply with industry-standard means of protecting data, and the Rule applies to a broader range of entities with the update to the definition of financial institution.
The result is a Rule that still preserves the flexibility of the original FTC Safeguards Rule but with more guidance and a more straightforward route to avoiding fines or penalties.
The deadline extension
While many aspects of the rule took effect within 30 days after its publication, other parts were only applied following December 9, 2022. However, the FTC approved a deadline for elements of the Rule that affected financial institutions. The extension came after reports of a shortage of qualified workers to implement the many changes needed for the information security programs. The resulting supply chain issues may have delayed companies beyond their control, made worse by the pandemic.
Companies have until June 9, 2023 to implement the below changes and set up their comprehensive information security plan:
- Designating a qualified individual to oversee the implementation of the information security plan, which can be an individual within the company or someone outsourced
- Performing a written risk assessment
- Implementing the monitoring of sensitive customer data and limiting access to it
- Encrypting all sensitive data
- Training security personnel
- Developing an incident response plan
- Assessing security practices of service providers periodically
- Implementing multi-factor authentication or other equivalent methods of limiting individual access to customer information
Protecting customer information is critical
While the FTC Safeguards Rule will help shore up vulnerabilities in many companies across the country, the reality is that data breaches can and will still occur. Large companies like T-Mobile may be in the news, but small to medium-sized businesses are also at risk of a potentially crippling digital security breach. To combat this, businesses of all sizes should take steps beyond the FTC Safeguards Rule, investing in additional protection of their sensitive data by acquiring cyber insurance.
The right insurance plan can be challenging to find, as they vary in the risks they cover. Companies should discuss specific needs with a trusted broker, relying on their expertise to highlight their business liabilities. McGowanPRO has decades of experience customizing insurance plans for businesses in every industry. With an Information Security & Data Privacy Liability policy tailored to your specific needs, your company can worry less about potential security breaches and focus on growing your operations and bottom line.
Contact us today to learn how we can help protect your organization.