The Federal Trade Commission or FTC, established in 1914, was put forth by then-president Woodrow Wilson to protect consumers, investors, and businesses from anti-competition or industry monopoly. Essentially this meant promoting competition and providing more opportunities for others to enter the market sector.
Federal Trade Commission’s major role in the U.S economy is helping with its smooth running. They achieve this by enforcing various laws and regulations to prevent anti-competition, deception, and unfair business practices. One such rule for the protection of consumers is the FTC safeguards rule.
This article focuses on what the FTC safeguards rule is, what the 2023 amendment means for your business, and strategies to implement the rule seamlessly. Let’s dive in without further ado!
- The FTC Safeguards Rule is a set of standards under the Gramm-Leach-Billey Act of 1999. Its purpose is to ensure that financial institutions protect customers’s non-public personal data.
- The Safeguards Rule was amended in 2023 October to state that non-banking financial institutions are required to inform the FTC within 30 days of a breach if it affects 500 or more customers.
- The Safeguard Rule states that organizations must design and implement an information security program that addresses the size and complexity of their organization.
- Organizations under FTC jurisdiction must assess risks, implement safeguards, oversee service providers, and regularly monitor security measures through penetration tests.
What Is the FTC Safeguards Rule?
FTC Safeguards Rule or Standards for Safeguarding Customer Information is a set of regulations established under the Gramm-Leach-Billey Act (GLBA) of 1999. Its primary goal is to ensure the protection of consumers’ personal information held by financial institutions. They are required to secure the confidentiality and security of consumers’ non-public personal data.
Here, banks, credit unions, insurance companies, and other companies that engage in financial activities all come under the umbrella term “financial institutions”. While non-public personal data includes social security numbers, credit history, and account numbers.
The standard was established in 2003 but underwent modification in 2021 to apace with the current trends in technology. The revised rule provides more solid guidance for businesses in terms of protecting customer data.
Gramm-Leach-Billey Act, 1999
The Gramm-Leach-Bliley Act, established in 1999, is also known as the Financial Services Modernization Act of 1999. It is a US federal law that governs how financial institutions handle individuals’ private information. The act mandates disclosure of information-sharing practices, and implementing safeguards for sensitive data. The rules under GLBA are the Safeguards Rule, the Financial Privacy Rule, and Pretexting provisions.
Who Does The FTC Safeguards Rule Apply To?
As mentioned above, the FTC Safeguards Rule mostly applies to financial institutions that come under the FTC jurisdiction. Besides this, according to the Gramm-Leach-Billey Act, the finance business should also not come under any other enforcement authority of another regulator.
If you’re wondering whether your business falls under financial institutions subject to FTC’s safeguards rule, well let’s clear that right up! Section 314.2 of the rule lists some examples of entities that come under the term financial institutions. They include:
- Mortgage brokers & lenders
- Payday lenders
- Finance companies
- Check cashers
- Collection agencies
- Credit counselors and other financial advisors
- Tax preparation firms
- Non-federally insured credit unions,
- Investment advisors who aren’t required to register with the SEC
The 2021 amendments to the Safeguards Rule add a new example of a financial institution – finders. Those are companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction. It is also key to note that even if your company wasn’t covered in the original rule, it is important to keep checking since the rule is under constant evolution.
Latest 2023 Amendment To FTC Safeguards Rule
October 2023 marked the 20-year anniversary of the Gramm-Leach-Billey Act under which the FTC Safeguards Rule came into effect. Along with this, the FTC also announced an amendment to the rule that states that non-banking financial institutions within the FTC’s jurisdiction will have to report any data breach that affects 500 or more people.
What Is It?
The revised rule essentially focuses on notification events which are defined as the acquisition of customer information without said customer’s authorization. If at least 500 individuals’ information is affected, then the company in question must contact the FTC as soon as possible and within 30 days after the discovery of the breach.
The organization must then fill out a form that includes –
- Name and contact information of the organization
- Description of information type
- Specific date or date range of the breach
- The number of customers affected
- A general description of the breach.
Who Does It Affect?
Wonderīng if the latest amendment is applicable to your organization? Well if your company comes under a non-banking financial institution under the jurisdiction of FTC such as mortgage brokers, payday lenders or motor vehicle dealers, then the answer is yes.
Why Was It Enforced?
The amendment was placed to ensure that companies that handle such sensitive financial information are more transparent in case of a data compromise. This disclosure agreement was established in hopes of giving non-banking financial companies an added incentive to safeguard their customer data.
FTC Safeguards Rule Requirements For Your Company
If your company falls under any of the above-mentioned businesses under financial institution, the FTC requires you to maintain an information security program. The information security program must be developed, implemented, and maintained with administrative, physical, and technical safeguards to ensure that customer’s non-public information is protected.
The information security program developed by your business must be par with its size and complexity. It should address the nature and scope of your business activities and ensure customer data confidentiality and security accordingly. The program should also protect against potential risks, threats, or hazards to the security of the information and protect against unauthorized access to the same.
Why Astra is the best in pentesting?
- We’re the only company that combines automated & manual pentest to create a one-of-a-kind pentest platform
- Vetted scans ensure zero false positives
- Our intelligent vulnerability scanner emulates hacker behavior & evolves with every pentest
- Astra’s scanner helps you shift left by integrating with your CI/CD
- Our platform helps you uncover, manage & fix vulnerabilities in one place
- Trusted by the brands you trust like Agora, Spicejet, Muthoot, Dream11, etc.
Strategies To Implement FTC Safeguards Rule
According to the FTC Safeguards Rule nine elements should be comprised within your information security program. These are strategies to implement and maintain your data security.
- A Qualified Individual, an employee, or a service provider should implement and supervise your business’ information security program.
- Conduct a GLBA risk assessment to find internal and external threats to your customer’s non-public information.
- Design and implement safeguards to control the risks identified in the risk assessment.
- Regularly monitor and test the effectiveness of your safeguards through annual penetration tests or regular vulnerability scans.
- Train your staff and schedule regular refreshers on their responsibility in the information security program.
- Monitor your service providers, spell out clear security expectations, and build a way to monitor the provider’s work.
- Keep your information security program current by changing it based on learnings from your risk assessments, vulnerability scans, and penetration tests.
- Create a written incident response plan that includes the goals of the plan and internal response events to an incident.
- Your Qualified Individual should report to the Board of Directors in writing, regularly or annually providing an assessment of the company’s compliance with the program.
How Can Astra Security Help?
Astra Security is a vulnerability assessment and penetration testing company that provides round-the-clock security testing services to assess internet-facing assets as quickly and efficiently as possible to detect vulnerabilities. Penetration tests by Astra Security are carried out by seasoned professionals who have vulnerabilities in payment gateways and the information security programs of your organization.
It offers the option to scan for specific compliances required by an organization. Compliance-specific scans provided by Astra include PCI-DSS, HIPAA, SOC2, ISO 27001, and GDPR. Once your penetration test is complete and all reported vulnerabilities are patched, an Astra Pentest certificate with a 180-day validity period is issued to certify your organization’s security measures.
The FTC Safeguards Rule was implemented under the Gramm-Leach-Billey Act of 1999 to ensure that customer’s personal data is secured by organizations that come under the jurisdiction of the FTC. With the 2023 amendment to the FTC Safeguards Rule, even non-banking financial institutions such as mortgage companies, and motor vehicle dealers are supposed to inform the FTC if a breach affecting more than 500 customers occurs.
Nowadays, hackers are getting more innovative in terms of hacking to obtain personal information for malicious purposes. Therefore, as an organization, it becomes your responsibility to keep up with the latest security measures to ensure such a plight does not fall on your customers.
Conduct regular risk assessments, penetration tests, and vulnerability scans to ensure your company’s FTC-mandated information security program is up-to-date and capable of protecting your customers’ data.
What is the FTC Safeguards Rule?
The FTC Safeguards Rule also known as the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (GLBA), is a set of regulations that mandates financial institutions to create and maintain comprehensive information security programs to protect consumers’ non-public personal information.
What is required under the FTC Safeguards Rule?
Financial institutions are required to develop and implement written information security programs, assess risks, implement safeguards, oversee service providers, and regularly monitor security measures through penetration tests or vulnerability assessments.
What happens if a financial institution fails to comply?
FTC Safeguards Rule applies to banking and non-banking financial institutions under the FTC jurisdiction. If any such company is non-compliant it may result in regulatory actions, fines, or penalties imposed by the FTC or other overseeing regulatory bodies.