Here’s how to comply with the FTC Safeguards Rule to protect your customer data and reduce the risks of data breaches.
Why does your company need to know about compliance with the FTC Safeguards Rule? First, if you’re a business that falls under the FTC’s very wide definition of a “financial institution,” then you need to follow their rules to set up and maintain a comprehensive security program to keep customer financial data safe.
Failing to do so can bring severe penalties, including hefty fines and, in some cases, legal action and even prison time.
However, besides the punitive aspects of non-compliance, you would want to follow FTC’s rules to better protect your customers’ data. After all, cyberattacks and data breaches are ramping up, costing organizations huge amounts of money and tarnishing their reputations.
With a growing number of new vulnerabilities and increasingly sophisticated attacks, the global cost of cybercrime is projected to rise from $8.4 trillion in 2022 to more than $23 trillion in 2027. No business wants to become part of that figure.
And it’s not just huge corporations at risk, either. Small and medium-sized businesses (SMBs) must also protect their data from hackers.
So, with that in mind, here’s what you need to know about SMB compliance with the FTC Safeguards Rule.
What Is the FTC Safeguards Rule?
The U.S. Federal Trade Commission’s Standards for Safeguarding Customer Information, or, in short, the “FTC Safeguards Rule,” requires non-banking financial institutions to set up, deploy, and maintain comprehensive security programs to ensure that customer financial data is kept safe.
Any “non-public personal information” must be protected from external threats, including data breaches, data leaks, and ransomware.
The FTC defines these non-bank “financial institutions” as any organization “engaging in an activity that is financial in nature.” This includes businesses that handle consumer financial data, give credit, wire money, or charge fees to facilitate financial transactions.
A few of the businesses covered by the Safeguards Rule include:
- Mortgage lenders
- Payday lenders
- Finance companies
- Account servicers
- Mortgage brokers
- Check cashers
- Wire transfer companies
- Collection agencies
- Credit counselors and other financial advisors
- Tax preparation firms
- Non-federally insured credit unions
- Personal property or real estate appraisers
- Travel agencies in connection with financial services
- Investment advisors that are not required to register with the SEC
The Safeguards Rule was established in 2003 but was amended in 2021 “to ensure the Rule keeps pace with current technology,” providing clearer guidance for businesses.
Then, in 2023, it was amended again to require “covered entities to report certain data breaches and security incidents.” That breach notification requirement took effect in May 2024: the FTC must be notified as soon as possible, and no later than 30 days after discovery, of any event in which unencrypted customer information of 500 or more consumers was acquired without authorization.
Why Should Business Owners Care?
The FTC can levy civil penalties on covered companies to deter conduct that harms consumers. “Because they can exceed what a wrongdoer earned through their misconduct,” explains the FTC, “penalties send a clear message that preying on consumers will not be profitable.”
After receiving a “Notice of Penalty Offenses,” a company can face civil penalties of up to $100,000 per violation. Criminal penalties can also include up to five years of imprisonment.
Besides the threat of penalties, the FTC Safeguards compliance requirements show organizations what they must do to protect critical customer data, avoiding the potential financial and reputational risks of non-compliance.
5 Easy Steps to Ensure Your Business Is FTC Safeguards Compliant
A covered company must create an information security program that is “appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.”
Its three objectives are to:
- Ensure the security and confidentiality of customer information.
- Protect against anticipated threats or hazards to the security or integrity of that information.
- Protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.
Here are five steps that companies should take to achieve these goals.
Step 1: Develop a Written Information Security Program (WISP)
Businesses need to create a comprehensive written information security program (WISP) that, among other things:
- Designates a qualified individual to oversee and implement the program.
- Performs a risk assessment.
- Designs and implements safeguards to control risks.
- Regularly tests and monitors key controls.
- Implements policies and procedures for training and expertise.
- Oversees service providers.
- Establishes an incident response plan.
- Covers board reporting.
- Handles notifications of events.
- Establishes a plan for addressing business continuity and disaster recovery.
Step 2: Designate a Data Security Officer
Your company needs to appoint a data security officer, the so-called “qualified individual,” who is essential in overseeing FTC compliance. While the person doesn’t need a title or degree, they must have “real-world know-how suited to your circumstances.”
This role can be given to a staff member or outsourced to a service provider. If it is outsourced, the company remains responsible for the program and must designate a senior member of its own staff to direct and oversee the provider.
Step 3: Implement Access Controls
A company must determine who has access to its customer information and revisit that access regularly to confirm each person still has a legitimate business need for it.
As part of access controls and maintaining the integrity of customer data, businesses should:
- Set up a zero-trust architecture in which every request for internal resources is authenticated and authorized, rather than trusted because it originates inside the network.
- Implement multi-factor authentication.
- Encrypt customer data in transit and at rest.
- Establish secure coding practices.
- Dispose of customer information securely.
- Segment the private network.
- Continually monitor user activity.
- Maintain an inventory of the data, personnel, devices, and systems that handle customer information, and apply change-management procedures to them.
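The access-control and disposal duties above are easier to keep honest when they are checked mechanically rather than by memory. The script below is an added example, not part of the original page and not Attentus tooling; it runs a periodic review over a constructed inventory of accounts and stored records, flagging accounts without MFA, accounts whose access has not been re-justified within a chosen window, records stored unencrypted, and records held past the two-year disposal horizon the Safeguards Rule sets. The inventory layout, the 90-day review window and the sample data are assumptions made for the example.

```python
"""Periodic access and retention review over a constructed inventory.

Added illustration only. The Account/Record layout and the 90-day review
window are assumptions for this example; the two-year disposal horizon
mirrors the Safeguards Rule's disposal provision (dispose of customer
information no later than two years after it was last used).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

REVIEW_WINDOW_DAYS = 90           # assumed policy: re-justify access quarterly
DISPOSAL_HORIZON_DAYS = 2 * 365   # rule: dispose no later than two years after last use


@dataclass
class Account:
    user: str
    role: str
    mfa_enabled: bool
    last_access_review: date      # when the data owner last re-justified access
    business_need: bool           # outcome of that review


@dataclass
class Record:
    record_id: str
    encrypted_at_rest: bool
    last_used: date


@dataclass
class Findings:
    no_mfa: list[str] = field(default_factory=list)
    stale_review: list[str] = field(default_factory=list)
    no_business_need: list[str] = field(default_factory=list)
    unencrypted: list[str] = field(default_factory=list)
    past_disposal: list[str] = field(default_factory=list)

    def clean(self) -> bool:
        return not any(vars(self).values())


def review(accounts: list[Account], records: list[Record], today: date) -> Findings:
    """Return every account or record that fails one of the checks."""
    f = Findings()
    for a in accounts:
        if not a.mfa_enabled:
            f.no_mfa.append(a.user)
        if (today - a.last_access_review).days > REVIEW_WINDOW_DAYS:
            f.stale_review.append(a.user)
        if not a.business_need:
            f.no_business_need.append(a.user)
    for r in records:
        if not r.encrypted_at_rest:
            f.unencrypted.append(r.record_id)
        if (today - r.last_used).days > DISPOSAL_HORIZON_DAYS:
            f.past_disposal.append(r.record_id)
    return f


# Constructed sample inventory (not real accounts or data).
SAMPLE_ACCOUNTS = [
    Account("alice", "loan officer", True, date(2024, 4, 15), True),
    Account("bob", "contractor", False, date(2024, 1, 10), True),     # no MFA, review 143 days old
    Account("carol", "former marketing", True, date(2024, 5, 20), False),  # access no longer justified
]
SAMPLE_RECORDS = [
    Record("r1", True, date(2024, 5, 30)),
    Record("r2", False, date(2023, 11, 1)),   # stored unencrypted
    Record("r3", True, date(2021, 12, 31)),   # unused for 883 days, past the two-year horizon
]
TODAY = date(2024, 6, 1)   # fixed "today" so the example is deterministic


def sample_findings() -> Findings:
    return review(SAMPLE_ACCOUNTS, SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    for name, items in vars(sample_findings()).items():
        print(f"{name}: {items}")
```

Run it on a weekly schedule and feed the findings into the ticketing system rather than a mailbox, so that each stale review, missing MFA enrolment or overdue disposal becomes a tracked item with an owner; the output then doubles as the evidence trail for the "regularly tests and monitors key controls" element of the WISP.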
Step 4: Regularly Monitor and Update Systems
The FTC requires companies to regularly monitor and test the effectiveness of their safeguards in order to determine whether their procedures for detecting actual and attempted attacks actually work.
Testing can be accomplished through continuous monitoring of systems or, where that is not in place, annual penetration testing plus vulnerability assessments, including system-wide scans for publicly known security vulnerabilities at least every six months and whenever there is a material change to the business or systems.
Companies also need to keep all of their software current, applying security patches promptly.
Step 5: Employee Training and Awareness
A company must regularly train employees on FTC Safeguards rules and data security best practices so they can spot risks and play their part in keeping the company safe.
A sampling of training topics might include:
- Identifying and handling phishing attempts.
- Strengthening passwords.
- Securing I.T. assets and sensitive information.
- Reporting incidents.
- Role-based training for specific job functions.
- Relevant regulatory guidelines.
- Handling incident responses.
Achieve and Maintain FTC Safeguards Compliance With Help From Attentus
Maintaining compliance with the FTC Safeguards Rule can be a complex undertaking with a lot at stake.
This is why it’s valuable to have a partner like Attentus Technologies. With over 20 years of experience and a client retention rate of over 10 years, we’ve built a reputation for delivering reliable security solutions. One of our core values is building trusted relationships, ensuring that we work as an extension of your team to protect your business.
We can help you develop and implement a Written Information Security Program (WISP), designate the ideal data security officer, and provide ongoing security expertise with our managed I.T. services. Whether it’s setting up access controls, providing system monitoring, or conducting employee training, our expertise covers all areas of compliance.
While the FTC Safeguards Rule may seem overwhelming, we can help you keep your customer data safe. Contact us for a free consultation and take an important first step toward compliance and peace of mind.