
The FTC Safeguard Rule and Your Company


Cyber attacks have been on the rise for years and have become one of the fastest-growing threats the world faces today, because attackers target anyone and everyone to obtain personal information and money.

There are an average of 2,200 cyberattacks per day. (CompTIA)

Why do so many organizations get hacked successfully?

There are many reasons. Here are a few:

· No proper training or testing for employees on cybersecurity and awareness

· Software and Hardware being outdated

· Little to No Security Hardware or Software in place to protect data or people

· No Encryption of Data in place

· No Security Policies or Practices being implemented

· Untrained people doing Network work

Long story short: when a person or company is attacked successfully, they were not properly prepared, or not prepared at all, to handle the attack and the aftermath that came with it.

This leaves many companies out of operation for a considerable time, and some shut their doors forever. These attacks grow stronger and harder to stop every day, which led the FTC to revise the Safeguard Rule.

The FTC Safeguard Rule

The FTC Safeguard Rule was created in 2003 to protect customer information and to require companies to take the steps needed to protect that information. The Rule was amended in 2021 to keep up with current technology and threats. The amendment keeps the flexibility of the original 2003 rule while giving businesses clearer guidance to follow.

Who is Required to Follow this Rule?

The Safeguard rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).” (FTC Guidance)

In other words, the rule applies to any business that lends money to people or handles finances for them, whether through a loan or a credit card.

Some examples of companies that it applies to are:

· Auto Dealerships

· Finance Companies

· Collection Agencies

· Loan Offices

· CPAs and tax preparation firms

· Finance Advisors

Companies that the FTC Safeguard Rule does not apply to:

o Merchants that only allow customers to run a tab

o Grocery stores

o Retailers that accept cash, checks or credit cards

o Retailers that extend credit through layaway and deferred payment plans

What are the Requirements of the Rule?

The deadline for this Rule is June 9th, 2023.

The Rule requires that a person, either within the company or a third party, be designated as the Qualified Individual who oversees, implements, and enforces the Information Security Program the company has created.

An Information Security Program is a set of guidelines and rules that ensures administrative, technical and physical safeguards are in place to handle customer information throughout its whole life cycle, that is, the entire time the company holds it.

The Information Security Program must cover a series of elements and develop policies for each of them to meet the FTC Safeguard Rule. These include:

· Encryption of data means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.

· Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contains customer information or that is connected to a system that contains customer information.

· Multi-factor Authentication with verification of at least 2 of the following factors:

o Knowledge (ex. Passwords)

o Possession (ex. Tokens)

o Inherence (ex. Biometric characteristics)

· Penetration Testing to attempt to defeat the information system from inside and outside the network – to be performed annually at a minimum

· Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing it.

· Risk (vulnerability) assessment to identify internal and external risks to customer information, used as the basis for your information security program. Done every 6 months.

· Secure disposal of customer information in any format no later than 2 years after the last date the information is used in connection with a product or service.

· Periodically review data retention policy

· Monitor and Log activity of authorized users

· Continuous monitoring of information systems, key controls, systems and procedures

· Security Awareness Training for all employees. Performed yearly

· A written incident response plan that addresses:

o (1) The goals of the incident response plan;

o (2) The internal processes for responding to a security event;

o (3) The definition of clear roles, responsibilities, and levels of decision-making authority;

o (4) External and internal communications and information sharing;

o (5) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;

o (6) Documentation and reporting regarding security events and related incident response activities

o (7) The evaluation and revision as necessary of the incident response plan following a security event.

· Written reports by the Qualified Individual on the overall status of the information security program and material matters

· Implement and Review Access Controls

· Assess applications

· Evaluate changes to information system or network

What happens if my company does not meet the FTC Safeguard Rule Guidelines?

With attacks happening every day, companies are at high risk of being successfully attacked.

64% of companies have experienced at least one cyber-attack. (TechJury)

When a company is attacked and the investigation finds that it did not meet the standards the FTC Safeguard Rule sets, insurance companies will deny full coverage of the company's claim. Other consequences include:

o Expensive Fines – a maximum fine of $11,000 per day per occurrence of breach. For a first occurrence the agency will not fine you, but it can seek damages for consent violations, which could total over $43,000 per day for each violation.

o Extensive Penalties - You could face long-term consent decrees or extensive injunctive relief, which could significantly hamper your business operations. These penalties can force you to cease certain activities in relation to your violation.

o Litigation Risks - You could be sued after a security breach if you are found to be non-compliant with the Safeguards Rule. In addition, there are cases in which you will also have to notify victims after a breach, which greatly increases the risk of litigation.

o Reputational Damage - Not only will it impact your customers’ trust, but it can also worsen your relationships with suppliers and other affiliates. That could hamper your ability to transact as you could run the risk of banks not buying your paper. In fact, many banks are already sending addendums to this effect to many dealership groups.

o Data Loss – You could lose data of yours or your customers that cannot be recovered or cost thousands of dollars to recover


Here are some statistics you need to know about:

· The average ransomware remediation cost in the United States is $622,596.18. (ProvenData)

· IBM Security study found that in 2019, it took 279 days to identify and recover from a data breach. (Nationwide Insurance)

· The average cost of a data breach in the United States was $9.44 million in 2019. (Statista)

With the constant rise in cyber attacks and the amended FTC Safeguard Rule, companies need to implement an Information Security Program sooner rather than later. Given the risk of attacks and the consequences of not meeting the Guidelines, companies cannot afford to do nothing.

If your company needs help with getting started on the Information Security Program or are interested in working with us, Click Here for a Free IT Consultation!
