FTC Safeguards Compliance Rule, June 9th Deadline – Requirements

What is the FTC Safeguards Rule?

The Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is there to provide guidelines for businesses on how to maintain safeguards to protect the security of customer information.

The Safeguards Rule took effect in 2003, but it was updated in 2021. The 2021 update provides more concrete guidance for businesses, outlining compliance requirements for businesses handling financial data. It reflects core data security principles that all covered companies need to implement.

When is the deadline?

The deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023.

Who does this apply to?

The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature”

By June 9, 2023, such companies must ensure compliance with all aspects of the Safeguards Rule to avoid potential penalties. Upgrading your cybersecurity program before the June 9 2023 deadline is key.

To simplify the mandatory rules, we have compiled a manageable list of requirements:

1. Designate a qualified individual to oversee their information security
   program
2. Develop a written risk assessment
3. Limit and monitor who can access sensitive customer information
4. Encrypt all sensitive information
5. Train security personnel
6. Develop an incident response plan
7. Periodically assess the security practices of service providers, and
8. Implement multi-factor authentication or another method with
   equivalent protection for any individual accessing customer
   information.

However, for firms with fewer than 5,000 contact records, there is an exemption within the Safeguards Rule for financial institutions in such cases. It’s important to note that this exemption is based on the total number of contacts including the contacts held by those contacts. For example, if you have a database size of 100 and one of those records such as a client for whom you hold sensitive data has 4901 contact records, you are not exempt.

Companies with fewer than 5,000 contact records are exempt from the following requirements:

1. Risk assessment.
2. Progress monitoring with a designated service provider.
3. Incident response plan implementation.
4. Regular reporting and documentation of progress.

However, these five requirements remain applicable:

1. Appoint an organization or a qualified employee to oversee your cybersecurity program.
2. Implement safeguards and take necessary measures to mitigate risks.
3. Regularly assess the state of your infrastructure.
4. Provide security awareness training to your staff.
5. Keep your cybersecurity systems updated.

How can Practice Protect help?

At Practice Protect, we’ve built our reputation as America’s largest cybersecurity provider serving over 23,000 accountants. No other provider has as much coal face, real world experience as us when it comes to protecting accounting firms from online fraud and cybercrime. 

We’re donating time and resources to help accounting, CAS and bookkeeping firms mandated to comply with the new FTC Safeguard Guidelines. 

Join our latest webinar on this topic where we demystify the FTC Safeguards rule and provide practical guidance to help you safeguard client data effectively.