New FTC Safeguards Rule Deadline Approaches: Are You Ready?

Secure shredding facilities like the ones at Northeast Data Destruction can help your business comply with FTC Safeguards.

If your business is subject to the FTC Safeguards Rule, but you haven’t yet become compliant under the newest requirements, there’s still time—but not much. The compliance deadline for some of the Rule’s provisions is currently set to be June 9, 2023, after which steep penalties may be issued for covered businesses that don’t put the right protections in place. Here’s what you need to know about the FTC Safeguards Rule, who it covers and what it says about data destruction.

What is the FTC Safeguards Rule? 

In the simplest terms, the FTC Safeguards Rule (aka 16 CFR Part 314) is designed to make financial institutions use adequate safeguards to protect any nonpublic information about their customers. 

The Rule first took effect in 2003 but was updated in 2021 to reflect the ways that data security risks have changed as technology has advanced. A number of new provisions were added, designed to give financial institutions more guidance about protecting information security and to hold these institutions accountable for maintaining data security for any customer information. The updated Rule also expanded the definition of “financial institution” and made some institutions exempt from certain provisions.

Some of the Rule’s provisions were originally supposed to go into effect on December 9, 2022. In November, the FTC announced a six-month extension due to supply chain issues and staffing shortages that were making it difficult for covered businesses to upgrade their security systems in time. There’s no indication that the deadline will be pushed back again, so covered businesses should plan on being fully compliant by June.

Does the FTC Safeguards Rule cover our business? 

The Safeguards Rule describes covered organizations as “non-banking financial institutions” doing business that’s “financial in nature.” If you’re unsure whether that definition includes your business, the text of the Rule includes a long list of examples. 

Some businesses that may have to comply with the Rule are mortgage lenders/brokers, collection agencies, credit counselors, accountants and firms that do tax preparation, real estate appraisers, car dealerships and financial or investment advisors. 

“Finders” are also covered by the Rule. This category describes anyone who brings together buyers and sellers, even if the parties do their own negotiating. (Consult your attorney if you’re unsure whether or not your business needs to comply.)

What does a business covered by the FTC Safeguards Rule need to do? 

There are eight elements of the Rule that covered businesses have to implement by the June 9th deadline, explained in detail in section 314.4 of the Rule. Make sure to review them thoroughly if your business is covered. 

  1. A qualified individual must be designated to oversee, implement and enforce your information security program. They can be an employee or an external service provider you contract with, as long as there’s someone in charge. If you do use an outside service provider, it’s still your responsibility to appoint someone to oversee them.
  2. Safeguards must be implemented to limit the risks to your customers’ information. The full text of the Rule includes eight specific points that your safeguards should address. For example, all customer information must be encrypted. Another mandatory requirement addresses procedures for secure data disposal. A covered business must maintain an updated data retention policy. Furthermore, the Safeguards Rule requires businesses to use secure disposal methods (like shredding) to destroy customer information within two years of its last use unless there’s a legitimate business or legal reason to hold onto those records.
  3. You must train your employees on policies and procedures to ensure that they’re able to use your information security systems correctly and know how to spot security risks. 
  4. If you use outside service providers to implement and maintain your security systems, you’re required to periodically assess their risk level and the effectiveness of the safeguards they use.

(Note: If your business has information about fewer than 5,000 customers, you’re exempt from the last four points, elements 5 through 8 below.)

  5. A written risk assessment must be developed. It should identify internal and external risks to your data security that could reasonably threaten any customer information you have. The risk assessment also has to describe the criteria you use to identify security risks and describe how your information security program will mitigate those risks.
  6. Your information security systems have to be continuously monitored or undergo periodic penetration testing and vulnerability assessments.
  7. You must have a written incident response plan documenting the process that should be followed if your business experiences any breach or security event involving customer information.
  8. The qualified individual overseeing your information security program must report in writing at least once per year to your board of directors or to a senior officer responsible for information security. Their report should include an overall assessment of how well your information security program complies with the Safeguards Rule.

Since enforcement hasn’t begun, it’s unclear how strictly the FTC will crack down on the Safeguards Rule and how extensive the penalties will be. But your business shouldn’t take any risks with federal penalties, especially when taking steps to proactively protect customer information is in your best interest anyway.

Let Northeast Data Destruction help you take care of the data disposal piece of complying with the FTC Safeguards Rule. Our shredding services are a secure way for your business to dispose of paper records, hard drives and any other media that might contain sensitive information. From delivering locked containers to providing a Certificate of Destruction for your compliance records, we handle every element of the shredding process. Contact us today.