The so-called Safeguards Rule was issued by the FTC originally in 2003, but business and technology have evolved considerably since that time, and in 2021, the FTC found it necessary to update that rule so as to be more representative of the changing landscape.
The updated rule still has most of the flexibility of the original, but it offers more solid guidance for what the covered businesses must do to provide data security for customers and clients. All aspects of this rule must be implemented by December 9, 2022 – which means there’s very little time left for dealers to comply with the updated Safeguards Rule. Clearly, the time to act is now.
Which Companies Are Covered Under The Safeguards Rule?
According to the FTC itself, those companies that engage in financial activities are subject to compliance with the updated Safeguards Rule. Granted, the phrase ‘financial activities’ can be pretty broad and subject to interpretation, but the FTC has issued some clarification on that point. It is to include such institutions as “mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, finders who bring two parties together for a financial transaction, and investment advisors that aren’t required to register with the SEC.”
What Your Information Security Program Has To Become
Here are the individual points of compliance that you must implement in your information security program by December 9, 2022:
a. Designate a Qualified Individual to implement and supervise your company’s information security program. – This Qualified Individual may either be an employee or he/she can work for an affiliate or other service provider. If you bring in a service provider to fulfill this requirement, that individual’s employer must also establish an information security program that provides protection for your business.
b. Conduct a risk assessment. Before you establish your information security program, you’ll need to take inventory of your information assets and where they’re stored. Then you’ll have to assess the potential threats and risks to the integrity, confidentiality, and security of customer data. This risk assessment must be formally written down, and include the criteria you used to assess risks.
c. Design and implement safeguards to control the risks identified through your risk assessment. Your company will be obliged to carry out the following when preparing your information security program:
Implement and periodically review access controls. Identify those individuals having access to your customer data, and periodically review whether they still need that access.
Know what you have and where you have it. It’s essential that you have a thorough understanding of your own information security system. That means you’ll have to periodically perform an inventory of your data, identifying where it’s stored, collected, and transmitted. All devices, platforms, and personnel have to be kept on a constantly updated listing.
Encrypt customer information on your system and when it’s in transit. If you can’t encrypt data for some reason, secure it using other means that are just effective, and which are approved by your Qualified Individual.
Assess your apps. Make sure to establish procedures for evaluating the security of any third-party apps or in-house apps that are used to access, store, or transmit customer data.
Implement multi-factor authentication for anyone accessing customer information on your system. This kind of system requires at least two different security measures, including a password or knowledge factor, a token or possession factor, and biometric characteristics or an inheritance factor. The lone exception to this rule is when your Qualified Individual has written permission to use an alternative type of access.
Dispose of customer information securely. All customer information must be discarded securely within two years of the last time it was used for customer service. Exceptions to this would be some kind of business requirement that mandates retaining the data, or if the data cannot be disposed of because of how it is stored.
Anticipate and evaluate changes to your information system or network. It will be necessary to establish a change management process for your information security system, so as to accommodate the constant changes that happen with networks and data systems.
Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Establish a collection of controls and procedures for monitoring when authorized users and unauthorized users attempt to access your customer data.
d. Regularly monitor and test the effectiveness of your safeguards. It will be necessary to test your procedures for identifying attacks on your system. Continuous monitoring will be part of this, and you should also conduct penetration testing and vulnerability assessments for all currently known attacks and threats.
e. Train your staff. Your staff is often the weakest link in your security program, so it will be necessary to thoroughly train them, and to provide training refreshers. Also, anyone with direct access to your information security program should be vigilant in staying updated on the latest threats and attacks.
f. Monitor your service providers. Whenever you work with service providers, your contracts with them must include language that identifies your security expectations, and which includes ways to monitor their work.
g. Keep your information security program current. Make sure your information security program is flexible enough that it can accommodate the constant changes that occur with personnel, hardware and software, and emerging threats and attacks.
h. Create a written incident response plan. You need to have a Response Plan to cover situations identified by the Safeguards Rule as a ‘security event’, i.e. something that results in misuse of your customer data, or which involves unauthorized access. Here is what must be included in your Response Plan:
- Well-identified responsibilities, roles, and decision-making levels
- Goals of your plan
- Internal processes that will be carried out when a security event occurs
- A prepared procedure that will address weaknesses identified during the security event
- How communications and information will be shared internally and externally
- A process for identifying and reporting security events, as well as your response to them
- A follow-up summary of the event, with conclusions that address the weaknesses identified by the security event.
i. Require your Qualified Individual to report to your Board of Directors. The person you’ve identified as your Qualified Individual must report at least annually to your Board of Directors (or at least a senior manager), and this report must include an evaluation of your company’s compliance with the information security program. It must also include such related topics as service provider arrangements, risk decisions, test results, risk assessments, and if any security events have occurred, a description of the company response must be included. If any changes to the program are being considered, these must be listed in the report as well.
It’s time to find a vendor that can help you with this complicated and ever-changing topic. We know compliance as we do this NYS DFS and so we can this FTC rule and implement in your business.