What Is the FTC Safeguards Rule and Who Does It Impact?

Passed in 2003, the FTC’s original Safeguards Rule provided financial institutions with five loosely defined guidelines for protecting customer data:

1. Appoint a program coordinator
2. Conduct risk assessment
3. Establish safeguards and perform audits
4. Monitor service providers
5. Regularly update information security programs

Historically, the FTC has given financial institutions broad leeway to interpret these guidelines as they have seen fit. Similarly, the existing definition of a financial institution has only applied to organizations “significantly engaged in financial activities,” excluding by default businesses with other primary purposes that nevertheless provide credit lending as part of regular operations.

The December 9, 2021 amendment to the Safeguards Rule will go into effect on June 9, 2023, and it will mandate several significant changes to compliance.

What Is the FTC Safeguards Rule: Then and Now

Standardization

The amended rule requires organizations to comply with industry-standard technologies and practices in data security. Organizations that flout these requirements will risk steep fines or even prison sentences for extreme violations.

Broader Definition of Financial Institution

The FTC has expanded its definition of financial institutions to carve in many formerly peripheral industries. Under the expanded definition, the Safeguards rule will also apply to organizations engaged in “activities incidental to such financial activities,” which will include many businesses that are not necessarily within the financial services industry. (More on this below.)

Multi-factor Authentication

A simple username and password system such as email accounts for the point of origin in 80% of successful account hacks – excluding phishing scams requiring the account owner to take voluntary action. Multi-factor authentication is a credential-hardening technique that requires users to provide two or more authenticators to access an account. Recent studies have found that multi-factor authentication prevents 99.9% of automated cyberattacks and that a corresponding 99.9% of compromised accounts used only single-point authentication.

Encryption

The amendment requires financial institutions to encrypt all data in transit and in storage. While this may not sound like a major to do, it will have large implications for organizations who rely on emails and attachments to collect PII. Though most popular business email platforms such as Gmail and Outlook have encryption as an option, few users take advantage of it and most emails still transit in plaintext.

Industries Affected by the FTC Safeguards Rule Amendment

The updated rule will continue to apply to all financial institutions under its current umbrella. However according to the expanded definition of a financial institution, industries and sectors that could be affected going forward include:

•   Car dealerships
•   Mortgage brokers
•   Travel agencies
•   Real estate services
•   Retailers extending credit through their own credit card services
•   Property appraisers
•   Investment advisement companies

How could these businesses be considered financial institutions?

In the words of the FTC, any business that engages in activities incidental to financial activities can be considered a non-banking financial institution, essentially extending credit or loans themselves or act as a go-between for their customers and financial services.

Data Breaches Rising Worldwide

Continuing an upward trend that began in 2020, data breaches have spiked 70% in Q3 2022 over the previous quarter. Notable examples from the last two months include the breach of Singapore Telecommunications subsidiary Optus which exfiltrated 2.8 million records from the company’s network and the still unsolved Uber data breach which cybersecurity experts have called a “total compromise.”

Already in Australia – where Optus is headquartered – the government has announced plans to follow suit with the U.S. and tighten existing customer data regulatory controls. On the heels of the E.U.’s proposed Cyber Resilience Act – which would mandate built-in security features for newly manufactured connected devices –it is safe to say these concurrent government responses are an indicator of a general trend towards updating antiquated data security regulations to reflect recent developments in technology.

The FTC Safeguards Rule: Now & In the Future

In late October 2022, the FTC released details of ongoing punitive action against online alcohol marketplace Drizly and its CEO James Cory Rellas. This followed revelations that failures in the company’s data security practices enabled a recent data breach that exposed the personally identifiable information (PII) of about 2.5 million consumers.

Despite receiving a warning two years ago about known vulnerabilities in their system configuration, the company’s leadership declined to take action. The Commission’s orders against Drizly significantly restrict the kinds of data the company can collect going forward, and binds the CEO to specified security practices.

With the changes to the FTC’s Safeguards Rule announced in December 2021, still pending effect until June 2023 (Note: This deadline was extended by six months in November 2022; the original date of effect was December 2022), high-profile responses in the months to come should signal to businesses just how strictly the Commission intends to enforce information and data security policies in the near future.

Prepare Your Organization With FileInvite

For organizations previously unregulated by the Safeguards Rule, and those behind the curve of current data security technologies and practices, achieving and maintaining compliance will not be a quick and easy fix. It will require overhauling employee data handling practices and adopting new, unfamiliar technologies.

FileInvite’s secure, SOC 2 Type 2 compliant file sharing and document portal platform can help your organization get a jumpstart clearing the pervasive security hurdle of employees and clients using email to exchange sensitive information. FileInvite streamlines document collection processes while simultaneously getting your organization’s file-sharing practices into compliance through automatic 256-bit end-to-end encryption for storage and transmission.

Sign up for your free FileInvite account to begin the process of ensuring your organization is compliant with the updated Safeguards rule. Or, feel free to reach out to our team with any questions that you have.