Written by: Daniel Haurey on 06/06/24

It’s a common misconception that only corporations with more than 5,000 customers are subject to the enhanced cybersecurity demands outlined in the Federal Trade Commission Safeguards Rule. Smaller organizations should prepare to execute similar information security assessments and improvements on a much simpler scale. While they are exempt from a handful of requirements – designating a “qualified individual” on staff to manage compliance, evaluating their outsourced IT service provider, and having an incident response plan – they remain governed by the intent of the FTC rule: protecting customers from identity theft and implementing a robust data security program.

As the agency that enforces a variety of antitrust and consumer protection laws affecting virtually every area of commerce, the FTC has focused on protecting consumers and customer data as well as improving financial institution security with its Safeguards Rule, which was expanded and updated in October 2023. The rule applies to any record containing nonpublic or sensitive personal information about any customer of a financial institution and requires “administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”

In layman’s terms, the new FTC regulation for financial institutions demands those organizations craft a comprehensive data security program that follows information security best practices and addresses three major areas:

  1. Ensures the security and confidentiality of customer data;
  2. Protects against threats to the security or integrity of that information; and
  3. Protects against unauthorized access to or use of the data in a way that could result in harm or inconvenience to the customer.

FTC Safeguards Rule Takes an Integrated Approach

The rule has multiple elements and addresses the broad spectrum of cybersecurity measures, responsibilities, and actions that align with established best practices for safeguarding sensitive information. These requirements include:

  • Personal information protection
  • Qualified program administration
  • Ongoing written risk assessments that clearly describe how identified risks will be mitigated
  • Comprehensive security and privacy policies and procedures
  • Employee training
  • Incident response planning
  • Auditing/Reporting

Other FTC Safeguards Rule guidelines are aligned with the outcomes of a required risk assessment that identifies an organization’s existing internal and external risks to the “security, confidentiality, and integrity” of customer data. The rule requires periodic risk assessments and demands that companies design a security program to close those gaps, using digital and physical access controls, encryption, multifactor authentication, penetration testing, and vulnerability assessments.

In addition to those technical FTC compliance requirements, the Safeguards Rule demands security measures for in-house applications, secure disposal processes, stringent information security policies supporting a robust security culture, detailed security logs, and testing. Businesses are also required to implement compliance and security awareness training for employees, empowering their best line of defense by engaging employees in protecting their business.

Meeting FTC Safeguards Requirements

While smaller organizations must still execute regular assessments, those assessments do not need to be documented in advance, and the required security measures for those small to midsized businesses are significantly fewer than those demanded of larger corporations. What are best practices for those companies not fully governed by the FTC Safeguards Rule?

Here are some tips for getting started:

  1. Start with a trusted, third-party risk assessment to identify gaps, vulnerabilities, and other concerns.
  2. Use that report to create a roadmap for improvements, preferably built with the guidance of experts, such as your managed IT services provider (MSP).
  3. Tackle policy creation, particularly policies for password creation and management, BYOD, access control and acceptable use, and others tied directly to security best practices.
  4. Implement employee security awareness training, augmenting those efforts with regularly scheduled updates to explain and review security policies.
  5. While smaller organizations are not required by the FTC Safeguards Rule to have an incident response plan, we highly recommend crafting a business continuity plan that covers backup and disaster recovery, as well as a clear incident response plan. Lean on trusted business partners such as your MSP, cyber insurance provider, and security solutions vendors for assistance.

Nearly all organizations will need to connect with a cybersecurity expert to meet the detailed requirements of the FTC Safeguards Rule, and smaller companies are no different. Cybersecurity, compliance, and data loss prevention are complicated challenges and require multifaceted solutions integrated seamlessly together.

If you have questions about where your business falls within the FTC Safeguards Rule, request a consultation today.