In October of last year, the Federal Trade Commission (FTC) announced amendments to the Standards for Safeguarding Customer Information, or “Safeguards Rule,” for short. A part of the Gramm-Leach-Bliley Act, the Safeguards Rule went into effect in 2003, but with changes in technology, the FTC saw opportunities for an update to protect the security and integrity of consumer’s personal information.
Though there have been recent petitions to try and delay the implementation date, these new guidelines are currently scheduled to go into effect on December 9th of this year. By not complying with the Safeguards Rules, you open yourself up to severe penalties. Financial institutions that are found to be in violation face fines up to $100,000 per incident. Individuals who are found to be in violation face fines up to $10,000 per incident, and individuals who are found to be in egregious and/or repetitive violation may face prison time up to five years.
Who Is Affected?
As customer data has become more digitized, the act has been updated to include specific cybersecurity and data confidentiality requirements for anything defined as a “financial institution.” The FTC's definition of a financial institution is broader than what you might typically expect and includes not only “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities" but also anyone who acts as a "finder," bringing together buyers and sellers while the parties themselves negotiate and complete the transaction.
This expands the Safeguards Rule to include to a lot of nontraditional parties, such as a retailer that extends credit by issuing its own credit card directly to consumers, an automobile dealership that leases automobiles on a nonoperating basis, or a personal property or real estate appraiser.
Understanding the Nine Safeguard Elements
Under the updated rules, these companies are required to develop a written information security program in order to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. To guide the creation and implementation of this program, the Nine Safeguard Elements were established.
Designate a “qualified individual” to supervise and implement the program
The Qualified Individual can be an employee of your company or can work for an affiliate or service provider and doesn’t need a particular degree or title. Instead, what matters is real-world know‑how suited to your circumstances. The Qualified Individual selected by a small business may have an entirely different background from someone running a large corporation’s complex system—and that's a good thing.
If your company brings in a service provider, the responsibility still remains yours, and you should designate a senior employee to supervise that person. Additionally, if the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program.
Conduct a thorough risk assessment
An IT risk assessment provides a clear picture of current IT practices and vulnerabilities, but you can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats—internal and external—to the security, confidentiality, and integrity of customer information. Among other things, your risk assessment must be written and must include criteria for evaluating those risks and threats.
Design and implement safeguards based on the risk assessment
In designing your information security program, the Safeguards Rule requires your company to:
- Implement and periodically review access controls
- Know what you have and where you have it
- Encrypt customer information on your system and when it’s in transit
- Assess your apps
- Implement multi-factor authentication for anyone accessing customer information on your system
- Dispose of customer information securely
- Anticipate and evaluate changes to your information system or network
- Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
Monitor and test effectiveness of the program
For information systems, the monitoring and testing includes either continuous monitoring or annual penetration testing and vulnerability assessments every six months. It’s not enough to identify risks—you need to always have effective controls in place and continually reassess those controls.
Train staff
Human error is the driving cause of 95% of cybersecurity breaches, which is why it’s essential to train staff to identify and properly respond to attempts to commit fraud or identity theft. Provide your people with security awareness training and schedule regular refreshers. Insist on specialized training for employees, affiliates, or service providers with hands-on responsibility for carrying out your information security program and verify that they’re keeping their ear to the ground for the latest word on emerging threats and countermeasures.
Monitor Service Providers
Vendor and supplier security is critical. In addition to assessing your internal risks, you need to determine what data these outside parties can access—and what their controls and safeguards are.
Select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.
Keep the program up-to-date
The only constant in information security is change—changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program. The best programs are flexible enough to accommodate periodic modifications.
Create an incident response plan
When something goes wrong, how will you protect the integrity of customer information you’ve been entrusted with?
Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event—an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. Your response plan must cover:
- The goals of your plan
- The internal processes your company will activate in response to a security event
- Clear roles, responsibilities, and levels of decision-making authority
- Communications and information sharing both inside and outside your company
- A process to fix any identified weaknesses in your systems and controls
- Procedures for documenting and reporting security events and your company’s response
- A postmortem of what happened and a revision of your incident response plan and information security program based on what you learned
It’s a good idea to run through the Incident Response Plan annually through a tabletop exercise so all the parties involved with this plan understand their role if and when the plan needs to be put into motion.
Report to the board of directors
Your Qualified Individual must report in writing regularly—and at least annually—to your Board of Directors or governing body with an overall assessment of your company’s compliance with its information security program. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.
The Services You Need for Compliance
In order to meet the requirements of the Safeguards Rule, you need:
- Annual penetration tests and biannual vulnerability assessments
- Comprehensive data and systems inventory
- Employee training
- Risk assessments that test your physical, electronic, technical, and administrative safeguards
In addition to the financial ramifications are reputational consequences—you never want to be the business that people can’t trust with their information.