Decrypted | Insights from Virtru to Unlock New Ideas

5 Ways To Start Complying With The FTC Safeguards Rule

Written by Shelby Imes | Sep 2, 2022 1:36:47 AM

Information security programs aren’t built in a day – but they can certainly be breached in one. That’s why in December 2021, the Federal Trade Commission (FTC) tightened regulations around customer data security, encapsulated in the Standards for Safeguarding Customer Information (the Safeguards Rule, for short).

Enforcement of the new rules begins on June 9th. In this blog, we’ll explain who is subject to the FTC Safeguards Rule and five things to consider when working toward compliance.

What Was Updated in the FTC Safeguards Rule?

The original Safeguards Rule (before the 2021 amendment) was rather flexible, and for the most part, allowed businesses to decide for themselves how they would fulfill the requirements. The Federal Trade Commission originally gave five loose guidelines: (1) designate a program coordinator; (2) perform a risk assessment; (3) implement safeguards and perform audits; (4) oversee service providers; (5) update and adjust the information security program over time. It was up to businesses how they’d complete those tasks.

In December 2021, the FTC released a more specific set of standards for how financial institutions should be protecting customer data. Businesses are no longer allowed to just “figure it out.” They have to comply with industry-standard methods of data security, or they risk significant fines or even jail time.

Taking it a step further, the FTC expanded the range of entities that need to comply with the Safeguards Rule. By changing the definition of “financial institution,” the FTC loops in many new industries and types of businesses, like auto dealerships, travel agencies, and more. 


Who Qualifies As A “Financial Institution” and Why Does It Matter? 

The Safeguards Rule was originally intended to regulate “financial institutions” – which in the original drafting of this rule, meant any organization “significantly engaged in financial activities.” 

A financial institution is now defined as any organization that is “significantly involved in financial activities and activities incidental to such financial activities.” Speaking generally, the FTC is focusing on organizations that handle big money, extend lines of credit or major loans, connect consumers with financial institutions, or are involved with others’ ability to access money.

This seemingly small definition change is actually a huge deal, because it now thrusts many businesses under the Safeguards umbrella. Many who did not have to comply before will have to do so on or before June 9th, 2023.

Not sure if your business falls under this umbrella? The FTC Safeguards Rule itself outlines some examples. Financial institutions are: 

  • Retailers extending credit to consumers through their own in-house credit card. 
  • Organizations that lease personal property on a nonoperating basis for at least 90 days. (Think auto dealerships.)
  • Personal property or real estate appraisers. (Appraisal is considered a financial activity.)
  • Real estate settlement services.
  • Financial career counselors who specifically work with people seeking employment with a financial organization, or who were recently uprooted from a financial organization.
  • Any business that prints or sells checks, regardless of frequency.
  • Any business that wires money to and from consumers.
  • Check-cashing businesses.
  • Accountants or tax preparation firms.
  • Mortgage brokers.
  • Travel agencies.
  • Credit counseling services.
  • Investment advisory companies.
  • Any company that operates as a finder, defined by the FTC as “those who charge a fee to connect consumers who are looking for a loan to a lender.”

You can view the full explanation of “financial institutions” here.


Who Does Not Qualify As A “Financial Institution”?

Scanning through the list, you may still find yourself questioning if your company qualifies as a financial institution. The FTC also outlined who specifically does not count as a financial institution within the context of the Safeguards Rule. We’ll list them here: 

  • Retailers whose only form of credit extension is occasional layaways
  • Retailers who accept payment through credit cards, checks, and cash not issued by the retailer itself
  • Merchants that allow consumers to “run tabs”
  • Grocery stores that cash checks, or facilitate cashback using checks
  • Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party other than as permitted by The Code of Federal Regulations (CFR)
  • The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971
  • Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act 

You can view the full explanation of who is not considered a financial institution under this rule here.

Five Ways You Can Begin Complying With The Safeguards Rule Today

Aside from creating a new definition of a financial institution, the FTC increased its requirements for building an infosec program from five recommendations to nine common-sense requirements.

If your organization is subject to the Safeguards Rule, here are five simple steps you can take to position your business for compliance.

1. Start Thinking About Who Will Be Your Organization’s "Qualified Individual”

As mentioned, part of the FTC’s amendments to the rule includes designating someone within your organization to be the “Qualified Individual.” This person will be responsible for overseeing the development and execution of your organization’s info security program, and they will also be required (by the FTC) to report to your company’s board of directors. 

The FTC itself says that this person does not need to have any particular accolades or certifications, but should have enough experience to secure an organization of your size and structure.

Even if your company decides to outsource data privacy and security support to a service provider, you will still need to designate an internal Qualified Individual. In the words of the FTC, “the buck stops with you.” With increasing rates of harmful hacks and large-scale data breaches, there should be at least one individual in your organization who is vigilant about protecting the data. 

2. Seek Out An Encryption Service For Files, Emails, and Apps 

The Safeguards amendment now requires organizations to encrypt all sensitive customer data at rest and in motion. This is a broad requirement, as data can move in many different ways and for many different reasons. 

Luckily, Virtru offers data encryption for email and files that is simple and affordable and remarkably easy to integrate with popular cloud collaboration services like Google Workspace and Microsoft 365.

3. Get In The Habit of Constantly Reviewing Access Controls

The Safeguards Rule now requires companies to periodically reevaluate who in the organization has access to what information, and for how long. This is to lower the risk of breaches by only giving access to data on a need-to-know basis. By not allowing everyone access to all data at all times, you lower the risk of sensitive data being exposed during a hack or breach.

With Virtru, it's incredibly easy to apply policies to email and files so you can protect sensitive data flowing in and out of your business. Furthermore, with Virtru Control Center we give your business the ability to audit and track every piece of encrypted data that you share and send, including the ability to grant and revoke access to data at any point in time, which is a great way to comply with FTC Safeguards.

4. Assess Your Applications and Partners

The FTC urges organizations to reevaluate their in-house applications and third-party partners to ensure that they are following the requirements set forth in the Safeguards Rule. A breach of a third party or of an unprepared in-house application can have staggering effects on the customer data it’s designed to protect.

When it comes to encryption, you may be concerned about companies that encrypt your data but hold the keys to decrypt it. With Virtru, we give you full rein over the encryption keys to your data. We would not be able to decrypt it if we tried – this allows you to maintain complete control over your data whether it’s on-premises, in a private cloud, or in a public cloud.


5. Make Sure The Secure Software You Choose Is User-Friendly 

Training your employees is a crucial requirement in the Safeguards Rule. Your Qualified Individual can implement as many security measures as possible, but if they’re difficult to grasp or a hassle to use, your risk potential skyrockets. Employee participation is how your organization stays secure and afloat. Make it easy on them by choosing user-friendly software that’s easy to adopt. 

Virtru makes data encryption easy across the board for employees at all levels. Our data protection solutions can be integrated natively into any email provider, and into common CRM systems like Salesforce and Zendesk. All employees need to do to encrypt is click a button. We can even provide Gateway Security that automatically finds sensitive data and encrypts it before it leaves your system.

Virtru Is Your Partner in Multifaceted Data Security 

From email, to inbound and outbound file sharing, to app integration, and more, Virtru doesn’t just encrypt your data. We provide multifaceted compliance solutions, with ease. Learn more about how Virtru can help you meet FTC compliance requirements today.


Blog updated June 2023