FTC Safeguards Rule Checklist
The Safeguards Rule does not prescribe a single standardized security program.
Rather, it provides guidelines companies should follow based on their unique risk profile. While specific controls will vary, below is a checklist covering the key elements the rule requires organizations to implement:
Designate a Qualified Individual
- Appoint a single Qualified Individual to head up and be accountable for your security program.
- This person must have appropriate experience/qualifications to manage your organization's security risks.
- If outsourcing security duties, you must still designate an internal individual to oversee the program.
Conduct a Risk Assessment (applies only to organizations with over 5,000 clients)
- Complete a written risk assessment identifying internal and external threats to customer data.
- Evaluate the likelihood and potential impact of these risks to determine controls needed.
- Set a schedule for ongoing assessment of your safeguards through penetration testing, vulnerability scans, or continuous monitoring.
Develop Security Policies & Procedures
- Create a formal security program outlining your safeguards, controls, policies, and procedures.
- Maintain change management processes addressing new technologies, business operations, etc.
- Have an incident response plan detailing roles, actions, and communications if a breach occurs.
- Establish protocols for properly disposing of customer information on a set schedule.
Limit Data Access
- Inventory customer data collected and systems/devices storing this data.
- Implement access controls that limit data access to authorized users and roles.
- Require multifactor authentication for systems accessing sensitive data.
- Monitor systems for unauthorized access attempts and suspicious activity.
Manage Service Providers
- Inventory third parties that access your systems or data.
- Ensure service providers implement appropriate security safeguards.
- Oversee these vendors to confirm protections meet your standards.
Protect Data
- Encrypt customer data at rest and in transit whenever feasible.
- For cases where encryption cannot be used, have compensating controls approved by your Qualified Individual.
- Follow secure software development practices for any internal apps created.
Maintain Security
- Provide regular security awareness training for employees.
- Keep your Qualified Individual and security staff trained on the latest threats and countermeasures.
- Report at minimum annually to your board/senior officer on the state of your security program.
- Periodically review the effectiveness of your safeguards and update as needed.
What Are the Penalties for Non-Compliance?
The Federal Trade Commission has authority to impose civil penalties up to $43,792 per violation of the Safeguards Rule. Recent cases have seen major companies pay millions for failing to adequately protect consumer data.
Beyond financial penalties, a breach due to non-compliance can severely damage your reputation with customers. Affected customers could also pursue class action lawsuits, resulting in substantial legal fees and settlement costs.
It’s critical for companies that qualify as “financial institutions” to examine the updated Safeguards Rule requirements and take steps toward full compliance. A robust information security program enables an organization both to avoid regulator fines and to build trust with customers by properly securing sensitive financial data.