What is the FTC Safeguards Rule?
The FTC Safeguards Rule is a set of regulations established by the Federal Trade Commission that aims to “safeguard” consumer data.
The set of laws originated in 2002, and aimed to make sure financial institutions (mainly banks) developed, implemented, and maintained a comprehensive security program to keep their customers’ information safe.
However, the commission issued a revised version of its rule in December 2021, which brings us to what we’re talking about here today.
The scope of the rule has now changed, and chances are that your business could be affected.
Who Does FTC Safeguards Affect?
In December 2021, the Federal Trade Commission (FTC) expanded the scope of the FTC Safeguards Rule to include more than just banking institutions.
As of this year, non-banking financial institutions are also affected, including automotive dealers, mortgage brokers, accountants, travel agencies, retailers that extend credit, and other “finders”.
While the final rule went into effect on January 10, 2022, and was initially planned to be enforceable starting December 9, 2022, the FTC has extended the deadline to June 9, 2023, to give companies more time to review their security measures.
Here are a few of the business types that must comply:
- Automobile dealerships
- Financial advisors & investment advisors
- Personal property or real estate appraisers
- Collection agencies
- Accountants and tax preparation services
- Mortgage brokers
- Credit unions
- Finders: Any business that acts in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate
- Dental clinics that offer financing to patients
Your FTC Safeguards Compliance Checklist
If you are a business that is affected by the revised FTC Safeguards Rule, there are 7 things you need to do to ensure that you comply.
Here is your FTC Safeguards Compliance Checklist:
- Designate your Qualified Individual
This one is quite simple. You must appoint a person or team to be responsible for overseeing and implementing the Safeguards Rule.
- Conduct Routine Risk Assessments
Moving from the easiest item on the list to probably the hardest, you must now conduct routine risk assessments. This means identifying and assessing the risks to the consumer information in your company’s possession, including the likelihood of a data breach and the damage one could cause.
Tip: Here at Iceberg Cyber, we take care of this part for businesses for only $100/mo. Learn more here.
- Implement your Access Controls
Design and implement security measures to address the identified risks, including administrative, technical, and physical safeguards.
- Train your staff
You need to provide your people with security awareness training and schedule regular refreshers. This can be in the form of a webinar or an all-staff meeting.
- Monitor your Service Providers
You need to make sure that any third-party service providers who have access to consumer information are also complying with the Safeguards Rule.
- Create an Incident Response Plan
Every business needs a “What if?” response and recovery plan in place in case it experiences a security breach.
P.S. Here at Iceberg Cyber, we can help you with that. You can start by filling in the form here.
- Report to your Board of Directors
Finally, your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.
Tip: Here at Iceberg Cyber, we provide the reports for you! You can get started by filling in our form here.
What Are The Penalties If You Don’t Comply?
Unfortunately, the penalties for not complying with the Safeguards Rule can be extensive—and expensive.
Penalties are based on violations of the consent decree. This means if there is a violation of customer privacy, the FTC can audit the business and seek penalties.
The FTC can seek up to $46k per consent order violation, and the FTC can take an expansive view of what a “violation” is, depending on the circumstances—particularly if there are issues involving multiple customer records.
Even worse, you may be subject to claims (including class action claims) under the “unfair and deceptive acts and practices” (UDAP) laws of the various states for failure to comply with the Safeguards Rule.
These laws typically permit actual and punitive damages, as well as attorneys’ fees and costs.
In other words, it pays (literally) to be compliant.
Need Help? Get Compliant for Just $100/Mo.
Here at Iceberg Cyber, we provide continuous cyber monitoring for businesses that need to become FTC Safeguards Compliant.
We’ll enable around-the-clock monitoring, give you an action report of what needs to be fixed, and also give you easy-to-understand monthly reports that you can share with your Board of Directors, or simply keep for safekeeping.
We’ll even give you a document to prove that your business has taken all 7 steps to become compliant, should the FTC ever come knocking.
How do you get started? Simply head over to our page here and fill in our quick form. We’ll reach out to you with next steps!
Have a question for us? You can email us directly at firstname.lastname@example.org.
Until next time!