Extended Deadline to Comply with FTC Safeguards Rule

The Federal Trade Commission has extended the deadline for businesses to comply with some of the amendments it made to strengthen the data security measures financial institutions must have in place to protect their customers' personal information. The new requirements must be met by June 9, 2023.

What is the FTC Safeguards Rule

The FTC Safeguards Rule took effect in 2003. It requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers' information safe.

The Rule was amended in 2021 to keep up with evolving technology. The amended Rule gives businesses more concrete guidance on the core data security principles they need to implement.

What are the Amended Changes to the Safeguards Rule?

The FTC approved the changes to the Safeguards Rule in October 2021. Originally, the new provisions were set to go into effect on December 9, 2022, but this deadline was extended by another six months.

The provisions of the updated rule include the following requirements:

  • Designate a qualified individual to oversee the information security program
  • Develop a written security risk assessment and information security program
  • Limit and monitor who can access sensitive customer information
  • Encrypt all sensitive information
  • Train personnel on security awareness
  • Develop an incident response plan
  • Periodically assess the security practices of service providers
  • Monitor systems and conduct penetration testing and vulnerability assessments
  • Implement multi-factor authentication, or another method with equivalent protection, for any individual accessing customer information

The Cost of Non-Compliance

The new provisions required under the Safeguards Rule may have some businesses worried about the costs. The costs of audits, training, new technologies, and processes can add up. It is estimated that the average cost for an organization to be fully compliant with the FTC Safeguards Rule would be $250,000 annually. As a Managed Service Provider, we can help eliminate some of those costs.

The cost of not complying and then suffering a security incident can be far higher. Businesses lose an average of $14.8 million per incident because of business disruption, productivity losses, revenue losses, and fines and penalties.

The following is a list of the possible legal ramifications of non-compliance with the FTC Safeguards Rule:

  • Fines and penalties: varying depending on the severity of the non-compliance and the regulatory body governing the issue.
  • Lawsuits: stakeholders, including customers, employees, vendors, and other affected parties, might decide to file a lawsuit to collect damages.
  • Regulatory scrutiny: offending businesses can be subjected to costly regulatory audits for years to come.
  • Imprisonment: in the worst cases of non-compliance, business owners, directors, and executives could go to prison for criminal negligence.

How Can API Help?

Many organizations do not have the staff, time, or resources available to make sure that they comply with the new provisions of the FTC Safeguards Rule. Absolute Performance has several years of experience in compliance and security measures and protocols.

With our Cyber Health Plans, we can help provide continuous assessments using the latest attack methods and tools. We also provide periodic checkups to see how healthy your IT environment is. Contact us today to find out how we can help your organization comply with the new guidelines.