Regulatory Update: New Privacy and Security Requirements Loom Under FTC Safeguards Rule

According to the FTC, the basis of the Safeguards Rule is “to strengthen the data security safeguards that covered companies must put in place to protect customers’ personal information.” Covered companies are any financial institutions that are within the FTC’s jurisdiction and subject to GLBA, including entities that facilitate transactions between multiple parties.

Data privacy and information security have changed drastically in the decades since the law was initially created. Thus, the FTC issued updates in 2021 to keep the requirements aligned with the current landscape. Included in the new rules are guidelines for organizations to develop, implement and maintain an information security program, “with administrative, technical and physical safeguards designed to protect customer information.” The updates take effect in June, and include nine new elements that must be incorporated into covered organizations’ information security and compliance programs.

The nine elements outlined in the impending Safeguards Rule are:

  1. Appoint a “qualified individual,” either internally or through a third party, to oversee, manage and enforce the information security program.
  2. Build the program upon the findings of a risk assessment and clear definitions of foreseeable risks to the “security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.”
  3. Design and implement safeguards that address each of the identified risks, including data mapping, access controls, encryption and multi-factor authentication. Underpinning this guideline is the concept of “privacy (or security) by design,” in which development practices for in-house applications and tools that interact with customer information include steps to evaluate and uphold data protection. Change management and data disposal principles are also noted as important elements of the overall program.
  4. Regularly test and perform vulnerability assessments of controls, systems and procedures.
  5. Support the program with awareness and training, as well as with qualified experts who understand the scope of the risks and the best practices to address them.
  6. Maintain third-party risk management protocols to ensure all service providers are meeting and reinforcing the Safeguards Rule requirements.
  7. Evaluate and adjust the program based on learnings from testing and monitoring, and as needed in response to material changes in the business.
  8. Establish and document a comprehensive, actionable incident response plan for any security incident impacting customer information.
  9. Provide regular reporting from the “qualified individual” to the board of directors to communicate risks and the steps taken to mitigate them.

The FTC has broad enforcement powers under GLBA, including the ability to issue fines, require remediation, force organizations to halt operations and issue orders that prohibit certain business activities. Compliance with the new Safeguards Rule requirements is therefore critical to reducing risk and upholding a strong data protection posture.

Organizations that have yet to fully implement the new requirements should take the following steps:

  • Assess the company’s present implementation of key privacy and security controls, including technology, processes and key procedures.
  • Design a customized privacy and security control testing framework incorporating regulatory requirements, best practices and addressing the company’s business profile, activities and management of all customer information including personal data.
  • Develop a detailed data protection roadmap that addresses technology needs, internal and external resources, gaps found during the assessment, change management planning and incident response protocols.
  • Examine privacy by design principles and create a framework for ensuring data protection is addressed at the outset when new tools and processes are developed or implemented.
  • Conduct a data remediation exercise to dispose of data that is no longer needed for legal, regulatory and business purposes, and likewise ensure that any retained sensitive information is adequately secured.
  • Establish reporting and documentation procedures to track the program’s effectiveness as it evolves and prepare the organization for potential disclosure to regulators.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.