New FTC Safeguards Rule Deadline: Everything You Need To Know


    Have you been sprinting to make the deadline for the FTC Safeguards Rule? If so, you can relax your pace just a bit: You have a little more time to reach the finish line. 

    In the latest development of the Gramm-Leach-Bliley Act’s Safeguards Rule, the FTC has issued a deadline extension for some requirements. And for "financial institutions" like auto dealerships, mortgage brokers, travel agencies, and more, it can be confusing to know how to move forward.

    Here’s everything you need to know. 

    FTC Safeguards Extension Guide

    • When is the new deadline?
    • Why was the deadline extended?
    • Which provisions received the deadline extension?
    • Is anything still due on December 9th?
    • Were there any changes made to the rule itself?
    • Is 6 months enough time?
    • Should I delay my cybersecurity efforts?

    When Is The New Deadline to Comply With Certain Provisions of the FTC Safeguards Rule?

    The new deadline is June 9, 2023, which gives businesses six more months to strengthen compliance with select Safeguards Rule provisions.

    Why Was the Deadline Extended?

    TLDR: Many small businesses don’t have the resources or the manpower to meet the FTC’s stringent requirements in what has been only a year’s time.

    After months of constituent outcry, the deadline was extended to accommodate businesses facing supply chain and staffing issues, with small businesses bearing the brunt of both. The FTC’s official announcement explicitly references an August 2022 letter written by the Small Business Administration’s Office of Advocacy.

    “...The problems that are outlined in the letter are magnified for small entities,” explained Deputy Chief Counsel Major L. Clark. “Small entities do not have the buying power of large companies or additional resources to pay a premium for equipment. Likewise, as noted in the industry letter, there is a labor shortage for workers needed to implement these safeguards. During a labor shortage, employers with the resources to offer high wages and other incentives are able to attract talent. It is more difficult for small firms that cannot afford the pay scales or incentives to attract talented employees.”

    The SBA Office of Advocacy requested that the deadline be moved a full year, to December 9, 2023. In recognition of small businesses’ unique challenges, the FTC met them halfway and granted six additional months.

    You can read the FTC’s full press release on the deadline extension here.

    Which Provisions Received the Deadline Extension?

    According to the FTC’s website, the following provisions of the Rule are now due on June 9, 2023:

    • Designate a qualified individual to oversee their information security program,
    • Develop a written risk assessment,
    • Limit and monitor who can access sensitive customer information,
    • Encrypt all sensitive information,
    • Train security personnel,
    • Develop an incident response plan,
    • Periodically assess the security practices of service providers, and
    • Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

    Is There Anything Still Due on December 9, 2022?

    While the FTC doesn’t specifically note which requirements are still due on December 9, 2022, we noticed that not all rule provisions were included on the extension list. 

    In the FTC’s “What Your Business Needs to Know” explainer article published in May 2022, the commission detailed what each new requirement was and what it entailed. Below are the provisions listed in the May 2022 explainer article that were not explicitly mentioned in the extension press release in November of 2022. 

    • Know what you have and where you have it.
    • Assess your apps.
    • Anticipate and evaluate changes to your information system or network. 
    • Dispose of customer information securely. 
    • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. 
    • Regularly monitor and test the effectiveness of your safeguards. 
    • Keep your information security program current. 
    • Require your Qualified Individual to report to your Board of Directors.

    Notice anything? 

    Many of the provisions omitted from the extension list are contingent upon the completion of provisions that were extended. For example, a business can’t require a Qualified Individual (QI) to report to a board of directors (a provision without an explicit extension) if the business has yet to appoint a QI (an extended provision). Likewise, a business can’t meaningfully monitor and test the effectiveness of its safeguards (a provision without an explicit extension) if it hasn’t yet been required to develop and write down a risk assessment or incident response plan (extended provisions).

    Common sense suggests that those contingent provisions won’t be due on December 9 unless it’s a task that your business is capable of completing. For example, if your organization has already written a risk assessment and incident response plan, it could be wise to have a plan in place for testing and monitoring by December 9, 2022. 

    As for the provisions that may not be contingent upon other rules, err on the side of caution. When it comes to maintaining user logs, examining access controls, disposing of customer information, and other provisions not explicitly noted to have an extended deadline, having something in place by Dec. 9th may be in your best interest. 

    However, this is our interpretation of the statements and documents publicly released by the FTC. It will be vital for your business to remain in communication with both legal counsel and the FTC, gain clarity on what is expected on December 9, 2022, and decide how to move forward.

    Were There Any Changes Made to The Rule Itself?

    In its November statement, the FTC didn’t explicitly state any changes to the rule itself, only the deadline extension. It may be safe to say that there are no additional requirements to tack onto the deadline at this time; however, continue to consult with your legal counsel as your business moves forward.  

    Is 6 Months Enough Time?

    While not a satisfactory answer… only time will tell. Commissioner Christine S. Wilson, who dissented from the 2021 Safeguards Rule amendment, released her own statement in conjunction with the deadline extension announcement in November.

    “Despite assurances that financial institutions were already implementing many of the requirements of the amended rule or had sophisticated compliance programs that could easily adopt and pivot to address new obligations, I was concerned that the Commission did not understand fully the economic impact of the proposed changes. It has become clear that the Commission may have underestimated the burdens imposed by the Rule revisions,” Commissioner Wilson said. 

    She continues, noting that supply chain issues and widespread labor shortages have been preventing businesses from implementing the FTC’s safeguards.

    She also points to a heatmap by Cyberseek that estimates open cybersecurity job positions per state, which amount to over 500,000 across the United States.

    As far as the cyber supply chain goes, that’s a complex issue with no foreseeable solution. According to the Cybersecurity and Infrastructure Security Agency (CISA):

    “The Information and Communications Technology (ICT) supply chain is a complex, globally interconnected ecosystem that encompasses the entire life cycle of ICT hardware, software, and managed services and a wide range of entities—including third-party vendors, suppliers, service providers, and contractors … a supply chain is only as strong as its weakest link.”

    If small businesses are required to meet a set of stringent security requirements, including the vetting of vendors who may or may not have the capacity to support a “financial institution’s” rigorous FTC compliance obligations, it’s a long road for any business to find vendors that can help it achieve Safeguards compliance.

    Will six months be enough? Maybe for some. But for others, the cyber supply chain issue is a societal and industrial issue that won’t dissolve in six months. 

    Should I Delay My Cybersecurity Efforts? 

    It might be tempting to kick the can down the road given the new deadline, but June will be here before we know it—and in an environment where cyberattacks are increasing in sophistication and severity, you don't have any time to lose.   

    You can start small and start fast by implementing simple, affordable tools for your workforce, checking items off your FTC Safeguards Checklist in just hours or days, not weeks or months.  

    Enterprise-Level Support for Small Businesses: Virtru Supports Over 4,700 Small and Midsize Companies

    Small businesses are forced to be limber and creative in their compliance journey. It’s time for a data protection solution that can meet your business exactly where it is, providing easy adoption, a user-friendly experience, and seamless integration into your business’s workflow.

    Virtru’s suite of email and file protection, software integrations, gateway protection, and more is that solution. Powered by the Trusted Data Format, Virtru encrypts your data at the object level, giving the data owner control, unlike other data security solutions. Data owners are given the power to control who has access to the data, when, for how long, and what exactly can be done with it.

    Ever wish you could un-send an email? With Virtru, data access can be revoked at any time, regardless of whether it was shared internally or externally. 

    Virtru’s control center allows administrators to keep a close eye on all encrypted data, with logs of who has viewed it, when, and what actions were taken with it. Administrators can also implement DLP rules to proactively encrypt data before it leaves even the data owner’s possession. 

    Virtru supports over 4,700 small to medium-sized businesses in securing their data with minimal effort, at an affordable price. If you’re interested in gaining freedom through control of your data, and strengthening compliance with GLBA and FTC rules, contact our team today.

    Shelby Imes

    Shelby is the Manager of Content Strategy at Virtru with a specialty in SEO, social media, and digital campaigns. She has produced content for major players in healthcare, home services, broadcast media, and now data security.