The Newly Updated Federal Trade Commission Rules for Safeguarding Customer Information and Why They Matter

FTC Part 314, Standards for Safeguarding Customer Information, took effect June 9, 2023, and was updated on November 13, 2023. This FTC regulation implements part of the Gramm-Leach-Bliley Act, and its purpose is to ensure that anyone who handles customer information takes reasonable steps to protect the security, confidentiality, and integrity of that information.

Who is Covered?

Any organization that keeps and/or processes financial information and is not otherwise regulated by another body, such as the SEC or the FDIC. Some examples include (but are not limited to) the following:

  • Mortgage lenders
  • “Pay day” lenders
  • Finance companies
  • Mortgage brokers
  • Account servicers
  • Check cashing services
  • Wire transferors
  • Travel agencies operated in connection with financial services
  • Collection agencies
  • Credit counselors and other financial advisors
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors that are not required to register with the Securities and Exchange Commission

Those are the examples from the FTC. The FTC also lists the following types of transactions as covered by this regulation: you are covered if you have a relationship with consumers in which they:

  • Obtain real estate settlement services
  • Purchase insurance products
  • Obtain credit for the purpose of purchasing a vehicle
  • Obtain property appraisal services

Here are some concrete examples of companies that may be covered:

  • A retailer that extends credit by issuing its own credit card directly to consumers
  • An automobile dealership that, as a usual part of its business, arranges financing
  • A personal property or real estate appraisal company
  • A career counselor that deals with clients who work for, or seek to work for, a covered entity
  • A business that prints and sells checks for consumers
  • A business that regularly wires money to and from consumers
  • An accountant or other tax preparation service

As you can see, a wide range of companies is covered by this rule. If you are collecting, using, or maintaining financial or personal information from customers or prospects, you will need to consider this regulation, think about how it applies to you, and decide what you must do to comply.

Ok, so now that you have thought about whether you are covered, let’s consider what is required. Here are the standards that the FTC is mandating for safeguarding customer information.

Create a written information security program that addresses administrative, technical, and physical security. Below are the details of what the FTC requires and how it will judge whether your program follows these regulations.

  1. Designate a qualified individual to be responsible for this program. That person may be an employee or an outside vendor. If it is an outside vendor, there still needs to be an employee whose job it is to oversee that vendor, and you still retain overall responsibility for the program. You also need to make sure that the vendor maintains a security program of its own that protects you.
  2. Base your written security program on a thorough risk assessment, which includes the following:
    • Define the criteria for evaluating and categorizing risks and threats.
    • Assess the risks to the confidentiality, integrity, and availability of the information.
    • Define how each risk will be mitigated or accepted.
    • Perform additional risk assessments regularly and whenever systems change.
  3. Implement safeguards to control the risks identified.
    • Implement, and periodically review, access controls that:
      • Authenticate users and permit access only to authorized users.
      • Limit each user’s access to only what they need to perform their duties.
    • Identify the data, personnel, devices, systems, and facilities that you use.
    • Encrypt data at rest and in transit wherever feasible; where it is not feasible, provide well-documented compensating controls.
    • Adopt secure development practices for all in-house developed programs.
    • Implement multi-factor authentication.
    • Develop and maintain procedures for the secure disposal of customer information.
    • Adopt procedures for change management.
    • Implement methods to monitor the activity of authorized users and to detect unauthorized users.
  4. Regularly test the effectiveness of the safeguards you implement, either by:
    • Continuously monitoring your systems, or
    • Conducting annual penetration tests, and retesting when things change.
  5. Implement policies and procedures that:
    • Provide personnel with cybersecurity training.
    • Use qualified information security personnel to oversee the plan.
    • Keep personnel current with security updates and ongoing training.
    • Verify that key information security personnel take steps to maintain current knowledge.
  6. Oversee service providers by:
    • Taking reasonable steps to select and retain service providers that can maintain appropriate safeguards for the customer information at issue.
    • Requiring your service providers, by contract, to implement and maintain such safeguards.
    • Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards.
  7. Evaluate and adjust your plan in light of the results of your monitoring and testing. Mitigate the risks revealed by your penetration tests or ongoing monitoring.
  8. Establish a written incident response plan. The plan should address:
    • The goals of the incident response plan.
    • The internal processes for responding to a security event.
    • The definition of clear roles, responsibilities, and levels of decision-making authority.
    • External and internal communications and information sharing.
    • Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls.
    • Documentation and reporting regarding security events and related incident response activities.
    • The evaluation and revision, as necessary, of the incident response plan following a security event.
  9. Require that your qualified individual report in writing at least annually.
  10. Update on reporting incidents. The update of November 13, 2023 addressed the requirements for reporting breaches to the FTC. Companies are required to report to the Commission any unauthorized acquisition of unencrypted customer information involving at least 500 customers. Here is what needs to be reported:
    • The name and contact information of the reporting financial institution.
    • A description of the types of information that were involved in the notification event.
    • If it is possible to determine, the date or date range of the notification event.
    • The number of consumers affected.
    • A general description of the notification event.

A quick reading of this article, or of the FTC document itself, shows that governing bodies and insurance companies are taking cybersecurity more seriously every month. The items outlined in this article are becoming standard practice in the IT industry. We are starting to see the same requirements appear across the various standards and regulations; some are more stringent than others, but all are moving in the same direction.

If your particular business is not covered here, sooner or later it will be subject to similar mandates, whether from industry self-regulating bodies or from other government agencies. At the very least, any business that wants to obtain cyber insurance will be held to very similar rules. Since every business should consider cyber insurance, everyone must consider these safeguards. Besides, who wants to be hit by a cyber-attack? A thorough review of where your company stands with respect to these safeguards is good practice for any company.

If you are not sure where you stand on cybersecurity, give us a call or send me a message.  I will be happy to discuss this with you and help you know where you stand.

The content of this summary article was sourced from the FTC website. If you would like to read the rule in detail, go to https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314. You can also read the details of the November 2023 update of the rule, with its criteria for reporting incidents, here: https://www.federalregister.gov/documents/2023/11/13/2023-24412/standards-for-safeguarding-customer-information
