Information security programs aren’t built in a day – but they can certainly be breached in one. That’s why in December 2021, the Federal Trade Commission (FTC) tightened regulations around customer data security, encapsulated in the Standards for Safeguarding Customer Information (The Safeguards Rule, for short.)
Enforcement of the new rules will begin on December 9th, 2022. In this blog, we’ll explain who is subject to the FTC Safeguards Rule and five things to consider when working toward compliance.
The original Safeguards Rule (before the 2021 amendment) was rather flexible, and for the most part, allowed businesses to decide for themselves how they would fulfill the requirements. The Federal Trade Commission originally gave five loose guidelines: (1) designate a program coordinator; (2) perform a risk assessment; (3) implement safeguards and perform audits; (4) oversee service providers; (5) update and adjust info security program over time. It was up to businesses how they’d complete those tasks.
In December 2021, the FTC released a more specific set of standards for how financial institutions should be protecting customer data. Businesses are no longer allowed to just “figure it out.” They have to comply with industry-standard methods of data security, or they risk significant fines or even jail time.
Taking it a step further, the FTC expanded the range of entities that need to comply with the Safeguards Rule. By changing the definition of “financial institution,” the FTC loops in many new industries and types of businesses, like auto dealerships, travel agencies, and more.
The Safeguards Rule was originally intended to regulate “financial institutions” – which in the original drafting of this rule, meant any organization “significantly engaged in financial activities.”
Now in 2022, a financial institution, by the Federal Trade Commission’s standards, is any organization that is significantly involved in financial activities and “activities incidental to such financial activities.” Speaking generally, the FTC is focusing on organizations that handle big money, extend lines of credit or major loans, connect consumers with financial institutions, or are involved with others’ ability to access money.
This seemingly small definition change is actually a huge deal, because it now thrusts many businesses under the Safeguards umbrella. Many who did not have to comply before, will have to do so before December 9th, 2022.
Not sure if your business falls under this umbrella? The FTC Safeguards Rule itself outlines some examples. Financial institutions are:
You can view the full explanation of “financial institutions” here.
Scanning through the list, you may still find yourself questioning if your company qualifies as a financial institution. The FTC also outlined who specifically does not count as a financial institution within the context of the Safeguards Rule. We’ll list them here:
You can view the full explanation of who is not considered for this rule, here.
Aside from creating a new definition of a financial institution, the FTC increased its requirements for building an infosec program from five recommendations, to nine common-sense requirements.
If your organization is subject to the Safeguards Rule, here are five simple steps you can take to position your business for compliance.
As mentioned, part of the FTC’s amendments to the rule includes designating someone within your organization to be the “Qualified Individual.” This person will be responsible for overseeing the development and execution of your organization’s info security program, and they will also be required (by the FTC) to report to your company’s board of directors.
The FTC itself says that this person does not need to have any particular accolades or certifications, but should be well experienced to handle securing an organization of your size and structure.
Even if your company decides to outsource data privacy and security support to a service provider, you will still need to designate an internal Qualified Individual. In the words of the FTC, “the buck stops with you.” With increasing rates of harmful hacks and large-scale data breaches, there should be at least one individual in your organization who is vigilant about protecting the data.
The Safeguards amendment now requires organizations to encrypt all sensitive customer data at rest and in motion. This is a broad requirement, as data can move in many different ways and for many different reasons.
Luckily, Virtru offers data encryption for email and files that is simple and affordable and remarkably easy to integrate with popular cloud collaboration services like Google Workspace and Microsoft 365.
The Safeguards Rule now requires companies to be in a state of periodic reevaluation over who in the organization has access to what information, and for how long. This is to lower the risk of breaches by only giving access to data on a need-to-know basis. By not allowing everyone access to all data at all times, you lower the risk of sensitive data being exposed during a hack or breach.
With Virtru, it's incredibly easy to apply policies to email and files so you can protect sensitive data flowing in and out of your business. Furthermore, with Virtru Control Center we give your business the ability to audit and track every piece of encrypted data that you share and send -- which includes the ability to grant and revoke access to data at any point in time -- which is a great way to comply with FTC Safeguards.
The FTC urges organizations to reevaluate their in-house applications or third-party partners to ensure that they are following the requirements set forth in the Safeguards Rule. A breach targeted at a third party or by an unprepared in-house application can have staggering effects on the customer data it’s designed to protect.
When it comes to encryption, you may be concerned about companies that encrypt your data, but hold the keys to decrypt. With Virtru, we give you full reign over the encryption keys to your data. We would not be able to decrypt it if we tried – this allows you to maintain complete trust over your data whether it’s on-premises, in a private cloud, or in a public cloud.
Training your employees is a crucial requirement in the Safeguards Rule. Your Qualified Individual can implement as many security measures as possible, but if they’re difficult to grasp or a hassle to use, your risk potential skyrockets. Employee participation is how your organization stays secure and afloat. Make it easy on them by choosing user-friendly software that’s easy to adopt.
Virtru makes data encryption easy across the board for employees at all levels. Our data protection solutions can be integrated natively into any email provider, and to common CRM systems like Salesforce and Zendesk. All employees need to do to encrypt is click a button. We can even provide Gateway Security that automatically finds sensitive data, and encrypts it before exiting your system.
From email, to inbound and outbound file sharing, to app integration, and more, Virtru doesn’t just encrypt your data. We provide multifaceted compliance solutions, with ease. Learn more about how Virtru can help you meet FTC compliance requirements today.
Contact us to learn more about our partnership opportunities.