What is the FTC Safeguards Rule?

The Federal Trade Commission (FTC) requires institutions that handle customer data to keep it safe from cybersecurity threats by implementing controls that comply with its Safeguards Rule. FTC compliance helps protect consumers from data privacy and security threats in the short and long term. Read on to learn about which FTC safeguards apply to your business.

 

Breakdown of the FTC Safeguards Rule

Financial institutions are frequent targets for cyberattacks. Therefore, these organizations must secure consumer financial data to mitigate data breaches by following the FTC Safeguards Rule.

For an overview of the FTC Safeguards Rule, this blog will cover:

• Which institutions are required to comply with the FTC Safeguards
• Information security controls recommended by the FTC Safeguards Rule

Compliance with the FTC Safeguards Rule can be optimized in partnership with a compliance advisor who will guide you on the most efficient and effective strategies to secure financial data. 

 

Which Institutions are Subject to the FTC Safeguards Rule? 

The Federal Trade Commission (FTC) was established to safeguard consumers from unfair business practices and keep the economy vibrant. One critical aspect of the FTC’s protections is to keep consumer data safe from cybersecurity threats related to evolving technologies in the environment. To achieve a high level of consumer data security, the FTC developed the Standards for Safeguarding Customer Information, also known as the FTC Safeguards Rule.

Before breaking down the various aspects of the FTC Safeguards Rule, let’s first define what financial institutions are according to the FTC—and which organizations aren’t included.

 

Request a Free Consultation

 

Financial Institutions Covered by the FTC Safeguards Rule

Any organization that conducts activities of a financial nature—directly or incidentally (per section 4(k) of the Bank Holding Act of 1956, 12 U.S.C § 1843(k))—is subject to the FTC Safeguards Rule. Section 314.2(h) of this Rule lists these 13 examples of such institutions:

• Mortgage lenders
• Payday lenders
• Finance companies 
• Mortgage brokers
• Providers of financial account services
• Wire transferors
• Collection agencies
• Tax preparation firms
• Non-federally insured credit unions
• Non-SEC registered investment advisors 
• Property appraisers
• Credit counselors and other financial advisors
• Check cashing businesses

In 2021, the FTC Safeguards Rule was amended to include finders, which are defined relatively loosely as any financial institutions that mediate transactions between buyers and sellers.

To Which Institutions Does the FTC Safeguards Rule Not Apply?

On the other hand, organizations that are not considered financial institutions per Section 314.2(h) of the FTC Safeguards Rule include:

• Entities that conduct financial activities with oversight from the Commodity Futures Trading Commission and subject to the Commodity Exchange Act
• The Federal Agricultural Mortgage Corporation or institutions that operate under the Farm Credit Act
• Organizations that Congress charters to conduct:
  • Securities transactions 
  • Secondary market sales that do not involve the sale of information to third parties
• Institutions that conduct financial activities directly or incidentally but without significant engagement in those activities

Two examples of such institutions are retailers who offer consumers credit occasionally via deferred payment plans, or stores that permit customers to cash out checks after purchases.

If your organization conducts any transactions that are financial in nature, you may or may not be required to comply with the FTC Safeguards Rule. It is best to routinely review the FTC’s definition of a financial institution and determine if your organization fits the criteria.

 

Implementing FTC Safeguards via an Information Security Program

Per the FTC Safeguards Rule, institutions that handle consumer financial data must keep it safe with the help of an information security program. From its collection until its disposal, consumer data must be secured from cybersecurity threats. Any “non-public personal information” about a customer recorded on paper or electronically is subject to the FTC Safeguards Rule.

FTC information security revolves around:

• Keeping customer data secure and confidential
• Safeguarding consumer data from known and anticipate threats
• Minimizing unauthorized and potentially compromising access to sensitive data

An information security program compliant with the FTC Safeguards Rule must include administrative, technical, and physical safeguards. Let’s explore what some of these controls would look like within an FTC information security program.

Overview of FTC Information Security Controls

At a high level, the FTC Safeguards Rule requires your institution to maintain sets of controls that anticipate security threats and prevent them from impacting your data.

To keep consumer data safe, organizations must:

• Conduct risk assessments, to:
  • Detect risks to the data you collect, store, or process
  • Identify potential threats to data integrity and availability 
  • Rank risks based on pre-determined risk criteria
• Designate trained and qualified personnel to oversee FTC information security, ensuring that any individual(s) responsible for program oversight:
  • Have experience handling threats to consumer financial data
  • Can quickly respond to demanding data security risks
• Evaluate the effectiveness of the safeguards implemented, using tools like:
  • Penetration testing
  • Threat and vulnerability assessments
• Increase security awareness training to empower employees to identify threats to consumer financial data before they become full-blown attacks, via training like:
  • Specialized sessions to educate staff about advanced threats
  • Regular refreshers on cybersecurity best practices for email, etc.
• Keep the FTC information security program up-to-date, on matters such as:
  • Emerging risks identified in risk assessments
  • Changes to operations following threat alerts
• Identify service providers who readily comply with the FTC safeguards listed in your organization’s security policy
• Develop an incident response plan to:
  • Address threats before they can spread to other areas of your IT infrastructure
  • Outline roles and responsibilities for managing security incidents
  • Disseminate communication following security incidents
  • Leverage learnings from previous security events to optimize controls
• Establish governance structures for the FTC information security program leadership, where the individual tasked to oversee the program periodically reports to your organization’s board

Compliance with the FTC Safeguards Rule will help your organization keep sensitive consumer data safe and mitigate the risks of data breaches.

 

Safeguards within an FTC Information Security Program

Some of the specific safeguards you must implement when developing or optimizing an FTC information security program include:

• Access controls – Any access to environments containing sensitive consumer data must only be by legitimate business need. Furthermore, you should monitor all attempts to access consumer financial information using access logging tools.
• Asset inventories – You must also periodically inventory all environments containing consumer data. Without an understanding of the types of digital assets in your organization, you will be unable to identify where data is stored or collected. 
• Data encryption – Whether it’s at rest or in transit, sensitive consumer data should always be encrypted to prevent perpetrators from easily accessing it if a cyberattack occurs.
• Security assessments – Institutions that rely on their own web or mobile applications to handle consumer data must also assess these apps for risks that could compromise the privacy and integrity of data.
• Multifactor authentication (MFA) – The nature of security threats facing organizations in today’s IT landscape requires tools like MFA to mitigate access to sensitive data environments. These controls also provide greater confidence in the data security you implement.

With the help of the cybersecurity controls listed above, your organization will be on its way to achieving FTC compliance and protecting consumer data from security threats.

 

Get Started with FTC Safeguards

For your business to remain safe from threats targeted toward consumer financial data, you must identify and implement the appropriate security controls—such as those listed in the FTC Safeguards Rule. Working with an FTC compliance advisor like RSI Security will help you hone in on the most relevant controls for your institution. To learn more, contact RSI Security today!

 

---

Talk to one of our experts today – Schedule a Free Consultation