Who does the FTC Safeguards Rule apply to?

Before we go any further, let’s determine who the Rule applies to (spoiler: it might surprise you!). The FTC Safeguards Rule applies to financial institutions. You might think that means that only banks and other lending institutions are included, but that’s not the case! Business such as accounting firms, auto dealerships, even real estate appraisers are included in the FTC’s definition of “financial institution” starting June 9, 2022.

What does the Safeguards Rule require?

In short, the FTC Safeguards Rule requires companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue. The objectives of your company’s program are:

1. To ensure the security and confidentiality of customer information;
2. To protect against anticipated threats or hazards to the security or integrity of that information; and
3. To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

What does a reasonable information security program look like?

Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include:

1. Designate a Qualified Individual to implement and supervise your company’s information security program.
2. Conduct a risk assessment.
3. Design and implement safeguards to control the risks identified through your risk assessment.
   • Implement and periodically review access controls.
   • Know what you have and where you have it.
   • Encrypt customer information on your system and when it’s in transit.
   • Assess your apps.
   • Implement multi-factor authentication for anyone accessing customer information on your system.
   • Dispose of customer information securely.
   • Anticipate and evaluate changes to your information system or network.
   • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
4. Regularly monitor and test the effectiveness of your safeguards.
5. Train your staff.
6. Monitor your service providers.
7. Keep your information security program current.
8. Create a written incident response plan.
9. Require your Qualified Individual to report to your Board of Directors.

Some components of a good information security program are tactical and others are strategic, and it involves working with your IT department (or outsourced IT provider) and your business leadership. Tactical items such as enabling MFA (more on why you should do that here), encrypting customer information and evaluating changes to your network can be completed by your IT team, but strategic items such as risk assessments, developing a written response plan, and reporting will also involve the business leaders in your organization.

Do you need help protecting your customer data?

The FTC has published a detailed guide with everything you need to know about the Safeguards Rule, but if you need help understanding and implementing the required safeguards, we’d love to chat! Keeping your data secure is just one part of our managed IT services offering. Schedule a free 15-minute discovery call with someone from our team today!

P.S. if you’re looking for a new IT service provider, check out our guide that covers how to choose your next IT service provider for some quick tips to get you started!