Decrypted | Insights from Virtru to Unlock New Ideas

FTC Safeguards Rule Checklist: How Many Have You Done?

Written by Shelby Imes | Sep 23, 2022 7:51:47 PM

The December 2021 amendment to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule has prompted organizations to take a range of actions, from simply making small tweaks to their infosec programs, to frantically building one from scratch. Regardless of where your organization falls on the scale, it’s helpful to have a definitive list of action items you can review to help ensure you’re in the clear by the deadline.

A checklist, maybe?

Keep reading to learn more about changes to the Safeguards Rule, and what boxes your organization can check off to comply.

The GLBA Safeguards Rule Amendment, aka The Final Rule


The Safeguards Rule (known fully as “Standards for Safeguarding Customer Information”) is one of three major guidelines that comprise the Federal Trade Commissions’s GLBA. It mandates organizations defined as “financial institutions” to implement safeguards that prepare and protect customer data from breaches and security incidents. Customer data in this case is defined as any nonpublic personal information a customer gives to an organization.

In December 2021, the FTC released “The Final Rule,” an amendment to the Safeguards Rule that encompasses a variety of changes, including an expansion of the FTC’s jurisdiction and specific requirements for executing an information security program.  Specifically, the amendment changed the definition of “financial institution” to specify the types of businesses that must comply, including:

  • auto dealerships,
  • mortgage brokers,
  • tax preparers,
  • payday lenders,
  • collection agencies,
  • non-federally insured credit unions,
  • and any other business that significantly participates in financial activities, or affects people's ability to access financial products or financial services.

And, they added a new category of businesses that must comply, described generally as finders.

The purpose of new changes to the FTC Safeguards Rule is to maintain protection of customer data in a world with increasingly sophisticated cyber attacks. The original Safeguards Rule was released in 2003—since then, advancements in tech and public comment have persuaded the FTC to mandate appropriate safeguards for the year 2022.

The Final Rule also lists out reasonable steps that a financial institution’s information security program can take to build out digital and physical safeguards for data. We’ve simplified them, and assembled them here in a checklist for you.

Checklist for Developing an Information Security Program

You can read the full FTC Safeguards Rule text here, but to make sense of it, we’ve broken the requirements up into four buckets: accountability, risk management, personnel management, and data security.

On Accountability:

In the new Safeguards Rule update, the FTC stresses that financial institutions should create internal processes of accountability to 1) ensure there is always a cybersecurity advocate focused on running the information security program and 2) to track down and properly investigate the source of risks or breaches.

☑️ Designate a Qualified Individual

This person can be anyone in the organization with the knowledge and experience it takes to manage an infosec program.

☑️ Build Change Management Into Your Infosec Program

As new tech is introduced to your company, ensure it’s fully vetted for security, and constantly implement and reevaluate security practices as business changes and technology advances.

☑️ Hold Your Service Providers to a High-Security Standard

Breaches can happen through the vulnerability of a service provider — and if they have access to your systems or data, their breach is, by extension, your breach. Ensure your providers have the ability to securely partner with you, and continually monitor them.

☑️ Have Your Qualified Individual Report to Your Board of Directors or Senior Officer

The FTC requires that qualified individuals report to their company’s board of directors at least once a year on the overall status of the information security program, and “material matters” such as the findings of risk assessments, service provider dealings, detailed accounts of security events, and future recommendations.

☑️ Maintain Modernity in Your Information Security Program

Hackers’ tactics are always changing. You will need to change with them, to ensure they don’t outsmart you as time goes on.

On Risk Management:

Organizations should be vigilant about predicting and preparing for risk within their information systems. The risk management bucket focuses on having written documentation on the ways your organization is vulnerable to attacks and preparing an organized response in the case of a breach.

☑️ Complete a Written Risk Assessment

This should include taking inventory of your data and where it’s being stored. Then, assess your organization's threats and risks; this should be an evaluation of any internal or external security risks that could compromise the security, confidentiality, or integrity of customer information. Then write down your findings, including the criteria you used to conduct the assessment.

☑️ Set a Schedule to Regularly Assess Risk in the Future

In addition to your initial risk assessment, the FTC requires you to periodically assess your organization for risks as threats evolve. Specific requirements include annual penetration testing, and vulnerability assessments twice a year. The FTC also provides the option for continuous monitoring, meaning that companies can opt to implement a system of consistent or live penetration/vulnerability assessments. Organizations can choose one option or implement both.

☑️ Draft a Written Incident Response Plan

Outline exactly how your organization should spring into action in response to identified risks. This should include a list of goals, roles and responsibilities, processes and procedures for beginning and commencing work, and a post-mortem to identify lessons learned.

On Personnel Management:

It takes a village to implement a strong infosec program—and the FTC makes this very clear with their directives on managing people, managing access controls, and monitoring activity.

☑️ Log Users’ Activity and Stay Vigilant for Unauthorized Activity

Know who is accessing customer data, and enact a system to alert you about users’ unauthorized access.

☑️ Train Your Staff on Security Practices

Train both your general staff and your infosec staff on required on such safeguards and security practices developed in your program. Update your training program as needed.

☑️ Decide on Access Controls

Designate who has access to what data, for what reason, and for how long. Then, revisit access controls often to ensure that only authorized individuals have access to data.

On Data Security:

It all comes down to the data. The FTC outlines specific methods for organizing, monitoring, and protecting data based on modern industry standards.

☑️ Take Inventory of your Data

Keep a log of what data you have, what systems, devices, platforms, and people it makes contact with. Make sure you’re always updating it.

☑️ Secure the Apps Your Company Uses or Develops

Make sure you’re conducting assessments on apps you use or create within your organization. They should be held to comparable security standards as your business.

☑️ Roll Out Multi-Factor Authentication for Those Accessing Any Customer Data

Multi-factor authentication is verifying the identity of a user using at least two identification factors, including a knowledge factor, a possession factor, and an inherence factor.

☑️ Dispose of Customer Information Every Two Years

Unless there’s a business or legal need for your organization to hang on to customer information, the law requires it to be destroyed to protect the privacy of your customers.

☑️ Deploy Encryption to Information at Rest and Flowing In and Out of Your Organization

Encryption is an industry-standard method of data protection; and when it comes to encrypting your data inside and outside of your organization, you want to make sure you deploy a service that your staff can easily adapt to, and use on a daily basis.

More Than Just Data Encryption: Check Multiple Boxes With Virtru

Virtru encrypts your data on a granular level using the Trusted Data Format, an open standard of security that empowers data owners with unmatched levels of control and oversight. From email to file sharing to app integrations to gateway protections, Virtru is the “easy button” to encrypt your data wherever it goes, and wherever it lands.

With Virtru, data owners maintain complete control and power over their data, including the ability to revoke or grant access, apply watermarks, disable forwarding, and easily view activity logs for any data from an email to a file to a message sent from a SaaS app. Or, establish an encrypted safety net for all customer data with the Virtru gateway or Data Loss Prevention rules. 

Dealerships and other FTC “financial institutions” meet GBLA Safeguards requirements using Virtru data protection. Book a demo today to see how Virtru can help you reach compliance by December.

Download the Checklist

Here’s one for the road—download our handy checklist for free.