The U.S. Federal Trade Commission (FTC), a bipartisan federal agency that champions the interests of American consumers, has added certain businesses to the scope of the Safeguards Rule. The FTC designed the Rule, as required by the Gramm-Leach-Bliley Act, in force since 1999, to protect customer information from inappropriate sharing.
The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. The FTC considers an organization a financial institution if it is significantly engaged in financial activities, or in activities incidental to such financial activities. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard the customer information in their care.
According to the FTC, customer information includes personally identifiable data collected in relation to lease, insurance, or finance contracts; this holds true across data types except for information that is publicly available. The FTC has clearly stated that all businesses must:
- Assign an employee or vendor to manage the security plan. For the implementation to be considered successful, this manager must be given the authority, time, and resources necessary to fulfill the compliance requirements.
- Perform reasonable risk assessments, including an assessment of whether the existing safeguards are sufficient to mitigate risks to an acceptable level. It is considered a leading practice to record these risk assessments in writing in case the FTC requires evidence of compliance.
- Put sufficient security safeguards in place to mitigate the identified risks to the required level according to risk tolerance; these safeguards must be regularly monitored to ensure their effectiveness. A helpful four-step self-assessment guide is included below.
- Perform vendor security management for all vendors that may access, process, or store the organization’s sensitive information. This can include regular validation of the vendors’ security certifications, or security audits of their operations. Security compliance requirements should be written into the organization’s contracts with service providers.
- Adapt the security program as needed to improve its effectiveness, or whenever the organization’s risk profile changes.
Please note that some financial institutions do have additional requirements with which they must comply under the Gramm-Leach-Bliley Act and the FTC’s Privacy Rule.
Contact us at firstname.lastname@example.org to learn how we can help your organization meet its compliance obligations under these laws and rules.