You’re Running Out Of Time To Comply With The FTC’s Revised Safeguards Rule
The Federal Trade Commission (FTC) has extended the deadline for compliance with its newly revised Safeguards Rule. Are you prepared to comply?
In October 2021, the FTC finalized revisions to the Gramm-Leach Bliley Act (GLBA) Safeguards Rule, which will require certain financial institutions with sensitive consumer data (like credit scores and bank account numbers) to be required by law to implement written information cybersecurity plans as well as follow other FTC compliance measures.
This was the first update of this 20-year-old regulation that was issued, following intense negotiations between regulators such as bank lobby groups like American Bankers Association. The FTC had originally stated that businesses will be subject to new rules beginning December 9, 2022, but that deadline has now been pushed to June 9, 2023.
This means you need a plan for how your business can meet these requirements before this coming summer.
GLBA Compliance 101
The Gramm-Leach-Bliley Act (GLBA) of 1999 was an attempt to update and modernize the financial industry. It was brought into effect during the Obama administration. GLBA compliance is a key part of the modern business world for millions of organizations.
GLBA compliance requires financial institutions offering consumers loan services, financial or investment advice, and/or insurance, to fully explain their information-sharing practices to their customers. Firms must allow their customers the option to “opt-out” if they do not want their sensitive information shared. If you plan to continue to operate in the business world, GLBA compliance must be a priority for you.
Failure To Comply With FTC’s Revised Safeguards Rule
If you fail to comply by the deadline, it will be very expensive for your company. Penalties can total as much as $43,792 per violation. That’s why you need to think of compliance as an investment. No matter how much it may cost you to manage your FTC compliance, it will definitely be less than it would cost to pay for noncompliance.
FTC Revised Safeguards Rule Compliance—The Basics
- Develop and report on an Information cybersecurity Program (ISP).
- Select a “Qualified Individual” to oversee your ISP.
- Implement a written “Incident Response Plan”.
- Perform written risk assessments on a regular basis.
- Encrypt all data in transit and at rest.
- Implement Multi-Factor Authentication (MFA) for all systems that access customer nonpublic personal information (NPI).
- Implement a data retention policy; dispose of NPI within two years of the end of a customer relationship (unless doing so conflicts with state or federal law).
- Maintain procedures for IT “change management”.
- Monitor and log activity to detect unauthorized use or access of customer information.
- Continuously monitor for cybersecurity threats.
- Perform “security awareness” training for all employees.
- Verify your vendors’ physical and technical safeguards
5 Components Of Proper FTC Safeguards Rule Compliance
- Written Risk Assessment
- Biannual Vulnerability Assessments
- Annual Penetration Testing
- Vendor Management
Written Risk Assessment
You need to draft a risk assessment that includes detailed criteria for how you will identify and address known cybersecurity threats, and evaluate the confidentiality, integrity, and availability of NPI. This also needs to cover how these known risks are mitigated and addressed.
Biannual Vulnerability Assessments
A vulnerability assessment is a comprehensive review of your company’s IT infrastructure, intended to identify any potential cybersecurity vulnerabilities. It examines all components of your network and how they are used by your staff in order to determine the quality of cybersecurity posture. By identifying any gaps and misconfiguration instances, you can then reduce the risk of cyber-attacks.
Multi-Factor Authentication protects accounts by requiring the user to input a code that is sent to their phone or email, in addition to their username and password. This is sometimes referred to as two-factor authentication as well. Make sure that any vendors with access to NPI also have MFA implemented on their systems.
Annual Penetration Testing
A penetration test is an authorized attack against your organization’s technology and staff that is used to evaluate your cybersecurity controls. A red team exercise simulates a full-scope attack in order to test organizational cybersecurity, and together, these two assessments can ensure that your cybersecurity posture is as strong as possible.
When it comes to FTC compliance, don’t forget about your supply chain. Every vendor and business associate who has access to your Personally Identifiable Information (PII) is subject to the same compliance systems you are.
Service provider agreements are an important part of GLBA compliance for businesses, and these contracts should clearly outline a vendor’s responsibilities when it comes to your PII. Any outside entity or individual who is responsible for receiving, maintaining, creating, or transmitting PII must be compliant and needs to have an agreement of their own in place with your business.
Don’t Put Off Your FTC Revised Safeguards Rule Compliance
Don’t expect the FTC to push the deadline again. If you’re not compliant by June this coming year, it’ll cost you.
Need expert assistance planning, implementing, and managing the above components of FTC compliance? Book a meeting with the Veltec Networks team to get started.