In 2021, the Federal Trade Commission (FTC) amended the Safeguard Rule to meet the demands of changing technology. As of now, businesses that are considered non-banking financial institutions (that’s YOU, BHPH!) have until December of 2022 to become compliant with the new revisions. Let’s break it down and make sure your business practices meet the new standards.

WHAT IS THE SAFEGUARD RULE?

The Safeguard Rule is a set of standards put into place to protect the security of your customers’ confidential information. Originally implemented in 2003, the rule requires companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Even if you have managed to stay old-school and all your records are on paper, you are still subject to the requirements set forth by the FTC.

WHAT ARE THE REQUIREMENTS OF THE SAFEGUARD RULE?

Maintain an Information Security Program with administrative, technical, and physical safeguards:

  1. Designate a Qualified Individual to implement and supervise your company’s information security program – You need someone whose job duty is to manage and watch over your Information Security Program.
  2. Conduct a risk assessment – You need to first determine what information you have and where it is being stored, then assess any foreseeable risks and threats (think: How can my customers’ information be stolen?) to that information. This assessment must be written and must include criteria for evaluating those risks. You will want to periodically reassess and update your written evaluation.
  3. Design and implement safeguards to control the risks identified through your risk assessment – This also comes with a list of steps to keep your company compliant and your customers safe.
    1. Implement and periodically review access controls – Periodically assess who has access to your customers’ information and whether they still need to have it.
    2. Know what you have and where you have it – Keep an accurate record of your data inventory and the people who can access it.
    3. Encrypt customer information on your system and when it is in transit.
    4. Assess your apps – Make sure to evaluate the security of any third-party apps you use.
    5. Implement multi-factor authentication for anyone accessing customer information on your system – The rule requires at least two authentication factors from the following: a knowledge factor, a possession factor, or an inherence factor.
    6. Dispose of customers’ information securely – Customer records should be disposed of no later than two years after your most recent customer finance transaction.
    7. Anticipate and evaluate changes to your information system or network – As your business grows, so will your need to upgrade your security measures. The Safeguard Rule requires financial institutions to include change management in their information security programs, meaning there is a policy or procedure in place to make sure your program is always running at top-notch security.
    8. Maintain a log of authorized users’ activity and keep an eye out for unauthorized access – There must be a procedure in place that monitors access to consumer information by authorized users, as well as a way to detect unauthorized access.
    9. Create an Incident Response Plan – In writing, this plan must cover (1) the goals of your plan, (2) the internal process your company will activate in response to a data breach, (3) clear roles, responsibilities, and levels of decision-making authority, (4) a process to fix identified weaknesses, (5) procedures for documenting and reporting security events and company responses, and (6) a post-mortem of what happened and a revision of your incident response plan and information security program based on what you learned.

The above-mentioned information is the hard part of making sure your business is compliant with the Safeguard Rule Amendments. The rest of the rule requirements are more focused on regularly maintaining and monitoring the work you’ve done to provide your customers with the security they deserve. The rule specifically states that you must either have a continuous monitoring system in place OR conduct annual penetration testing and vulnerability assessments, including system-wide scans every six months, as well as testing whenever there are changes to your operations. You will need to research and carefully select your internet service provider to make sure they are compliant and safeguarding consumer information as well as you are. Your information security program must stay current. You must train all your staff to be vigilant in security awareness and provide specialized training for staff that will be hands-on.

And finally, you are REQUIRED to deliver an annual report of this information to your company’s governing body, such as a senior officer responsible for the information security program. The report must include an overall assessment of your company’s compliance, covering risk assessment, risk management, control decisions, service provider arrangements, test results, security events and responses, and changes to the program.

All the information I have provided you with today is straight from the Federal Trade Commission website. Technology is constantly changing, and the way people steal information is as well. Remember folks, your deadline is December 09, 2022. Do you need a hand figuring out where to start? Contact us to get a consultation scheduled. We are happy to assist you with your growing business!
