Preparing Your Business to Comply With the FTC Safeguard Rule
Increasingly, governmental authorities around the world are stepping up to protect consumer information. While this does create some complexities for entrepreneurs and tech leaders, the end goal is to keep consumer information secure. One of the most recent developments is an update to the FTC Safeguard Rule—but what exactly is this rule, and how do you comply with it?
What Is the FTC Safeguards Rule?
The FTC Safeguard Rule is a rule that dates back to 2003, but was amended in 2021 to keep the rule aligned with modern technology. Essentially, the rule is designed to protect customer information, providing guidelines for security measures that all companies need to implement.
This rule applies to financial institutions that are traditionally subject to the FTC’s jurisdiction without being subject to enforcement authority of other regulators (under section 505 of the Gramm–Leach–Bliley Act, 15 U.S.C. § 6805). Here, the term “financial institution” is fairly broad—it’s not just about banks. This rule applies to “mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.”
If a financial institution maintains information on fewer than 5,000 customers, it may be exempt from some element of the rule. So what does the rule actually require?
The FTC Safeguards Rule “requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.” Here, customer information refers to “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”
This information security program needs to be formally documented and designed for the size, scope, and operational model of your business; in other words, there’s no one-size-fits-all information security plan that will work for every business under the FTC’s jurisdiction.
There are three priorities that this written plan must fulfill:
- Protection of the security and confidentiality of customer information
- Protection against anticipated threats and hazards to that information
- Protection against unauthorized access to customer information
Recently, the FTC Safeguards Rule extension has pushed back the deadline for compliance to June 9, 2023.
Understanding the FTC Safeguards Rule for Auto Dealers
If you want your auto dealership to remain in compliance with the law, it’s important for you to follow this ruling. That means putting together a comprehensive information security program to keep your customers’ information secure.
Even before this rule was in place, it was wise for auto dealers to employ information security measures to keep consumer data safe. Higher security measures are good for the customers and good for the business; customers are protected, the business incurs less risk, and the reputation of the business grows in the absence of security breaches and other failures.
The 9 Elements of an Information Security Program for the FTC Safeguards Rule
According to the FTC Safeguards Rule, there are nine major elements of an appropriate information security program. They are:
- A qualified supervisor/overseer. First, your business needs to designate a qualified individual to act as a supervisor and overseer for this program. This is the person responsible for orchestrating all elements on this list and making sure they are followed appropriately. This party serves as a locus of accountability and a decision maker for conflicts.
- A thorough risk assessment. After a qualified supervisor is designated, you’ll need to conduct a thorough risk assessment. The goal here is to identify potential threats to your organization and the information of your customers. Once you have a better understanding of these threats, you’ll be able to devise a much better information security program.
- Specific safeguards to control risks. Next, you’ll need to put together specific safeguards to control risks and avoid threats. There are a wide range of strategies that can be effective here, including multi-factor authentication, access management, strong passwords, security infrastructure improvements, and more. Your exact strategies will vary depending on what you found in your risk assessment.
- Regular monitoring. These risk control measures need to be regularly monitored as well—and any abnormalities need to be reported and/or acted upon.
- Staff education and training. All your staff members need to be trained on best practices for information security; even one deviating party could lead to a major breach.
- Service provider monitoring. It’s also your responsibility to monitor your service provider so you can avoid potential risks.
- Ongoing updates. The field of information security is constantly evolving, so your program needs to evolve with it. Make periodic updates and review your strategies at least once per year.
- An incident response plan. You need to have a formally documented incident response plan detailing how your business will respond to a threat or data breach.
- Accountability for the qualified supervisor. Your qualified supervisor/overseer must be responsible for reporting to your board of directors. This ensures that your information security program is created and maintained with full transparency.
Develop Your Information Security Program Today!
Your financial institution may already have an information security system in place, but are you confident that it’s in full compliance with the FTC Safeguards Rule? Whether you’re creating a strategy from scratch or updating your current one, it’s a good idea to work with a competent authority.
At CTMS, we have experience working with hundreds of businesses like yours—and we have the expertise necessary to help you put together an information security program that works. For more information, get in touch today!
Share This Post
Computer Technology Management Services (CTMS) supports organizations nationwide with high-quality, customizable business IT tools and cybersecurity strategies for dealerships and more.