The FTC Safeguards Rule: Have a plan… time is running out

Mar 23, 2023 | Blog, Compliance, FTC Safeguards Rule

The Federal Trade Commission (FTC) updated GLBA in 2003 with the first Safeguards Rule. Those requirements were updated again in 2021 and now must be met by June of this year. This means time is running out, and we need to get a plan in place.

The FTC Safeguards Rule requires covered companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

The penalty can be steep: up to $11,000 per day per breach. Repeat violators can face additional financial penalties assessed per day per violation.

So, the first thing to do is determine whether you are required to meet the regulations. If you have over 5,000 clients, you will have to meet all the requirements in § 314.4 (Elements). Even if you have fewer than 5,000 clients, the Rule still applies to any financial institution within the FTC’s jurisdiction that is not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act.

According to the FTC, “…the definition of a ’financial institution’ isn’t a hushed hall with tellers, deposit slips, and ballpoint pens on chains. Rather, the FTC Safeguards Rule covers businesses like mortgage lenders, mortgage brokers, motor vehicle dealers, payday lenders, finance companies, account servicers, check cashing companies, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC. That’s not an exhaustive list, so if you aren’t sure if you’re covered, now’s the time to nail that down.”

The next item to work out is who will be the qualified individual (QI) for the organization. This person is responsible for the process, the implementation, and the enforcement of the security program. The QI can be a third-party consultant; however, someone at the executive level will still need to be accountable for the program and for the consultant’s performance.

Your plan must address all Elements (§ 314.4) of the FTC Safeguards Rule. These Elements are only a high-level guide for developing an enterprise cybersecurity program. To do it well, a company must put together a holistic approach that includes implementation, monitoring, incident response, and security procedures to comply with the regulation. You will also need to allocate resources and budget to actively measure new solutions against the security controls, to see what is working and what needs to be changed.

Companies updating their systems to meet the FTC Safeguards Rule may need to demonstrate their cybersecurity practices. Proper execution will show a commitment to establishing and maintaining a sound cybersecurity program.

To summarize, if you are a mortgage company, mortgage broker, creditor, or debt collector, you need to meet the current FTC Safeguards Rule.

Everyone should have a cybersecurity program for their organization. Protecting data also means protecting the systems that hold it, across access control, monitoring, risk, training, and recovery. Ultimately, you need to understand and enforce a defined set of security controls.

Businesses can secure their information systems once they know how to integrate the Rule’s requirements into their existing security program. Duffy Compliance provides the guidance necessary to get and stay compliant.

Time is running out. Schedule a call with us so we can build a plan to close the gaps in your current program. You will breathe easier knowing we have your back.
