FTC Financial Data Security Rule and Safeguards Rule

Are you aware that if your business falls within Federal Trade Commissions’ definition of a “financial institution” that you must comply with the updated requirements of the FTC Safeguards Rule by June 9, 2023?  The Rule authorizes the FTC to impose fines for non-compliance with a maximum civil penalty of up to $46,517.

The first question that comes to mind may be “is my business considered a financial institution?”

Well, if your business is engaged in a business that is “financial in nature”, chances are your business fits within the legal definition. The definition states that a business is a financial institution if it is “engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k)”.

Quick disclaimer, we’re not attorneys, and you should definitely seek counsel on this if you think it applies to you. But in plain English, businesses such as mortgage brokers, motor vehicle dealers, and payday lenders are required to comply.  Other types of businesses include account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, and non-federally insured credit unions.

What are businesses required to do?

The rule requires financial institutions covered by the rule to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards to protect customer information.  More specifically, the rule requires businesses to:

  • Designate a Qualified Individual to implement and supervise your company’s information security program
  • Conduct a risk assessment
  • Design and implement safeguards to control the risks identified through your risk assessment
    • Implement and periodically review access controls
    • Know what you have and where you have it
    • Encrypt customer information on your system and when it’s in transit
    • Assess your apps
    • Implement multi-factor authentication for anyone accessing customer information on your system
    • Dispose of customer information securely
    • Anticipate and evaluate changes to your information system or network
    • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access
  • Regularly monitor and test the effectiveness of your safeguards
  • Train your staff
  • Monitor your service providers
  • Keep your information security program current
  • Create a written incident response plan
  • Require your Qualified Individual to report to your Board of Directors

The good news is that there are tools and resources in the marketplace to help businesses become compliant, especially within the automobile dealers industry.

If you need assistance with evaluating your current level of compliance and how to maintain it, we can help!