Changes to the FTC's Safeguards Rule will go into effect on June 9, 2023, and will mandate several major changes for US-based financial institutions.
Passed in 2003, the FTC’s original Safeguards Rule provided financial institutions with five loosely defined guidelines for protecting customer data:
Historically, the FTC has given financial institutions broad leeway to interpret these guidelines as they have seen fit. Similarly, the existing definition of a financial institution has only applied to organizations “significantly engaged in financial activities,” excluding by default businesses with other primary purposes that nevertheless provide credit lending as part of regular operations.
The December 9, 2021 amendment to the Safeguards Rule will go into effect on June 9, 2023, and it will mandate several significant changes to compliance.
The amended rule requires organizations to comply with industry-standard technologies and practices in data security. Organizations that flout these requirements will risk steep fines or even prison sentences for extreme violations.
The FTC has expanded its definition of financial institutions to carve in many formerly peripheral industries. Under the expanded definition, the Safeguards rule will also apply to organizations engaged in “activities incidental to such financial activities,” which will include many businesses that are not necessarily within the financial services industry. (More on this below.)
A simple username and password system such as email accounts for the point of origin in 80% of successful account hacks – excluding phishing scams requiring the account owner to take voluntary action. Multi-factor authentication is a credential-hardening technique that requires users to provide two or more authenticators to access an account. Recent studies have found that multi-factor authentication prevents 99.9% of automated cyberattacks and that a corresponding 99.9% of compromised accounts used only single-point authentication.
The amendment requires financial institutions to encrypt all data in transit and in storage. While this may not sound like a major to do, it will have large implications for organizations who rely on emails and attachments to collect PII. Though most popular business email platforms such as Gmail and Outlook have encryption as an option, few users take advantage of it and most emails still transit in plaintext.
The updated rule will continue to apply to all financial institutions under its current umbrella. However according to the expanded definition of a financial institution, industries and sectors that could be affected going forward include:
How could these businesses be considered financial institutions?
In the words of the FTC, any business that engages in activities incidental to financial activities can be considered a non-banking financial institution, essentially extending credit or loans themselves or act as a go-between for their customers and financial services.
Continuing an upward trend that began in 2020, data breaches have spiked 70% in Q3 2022 over the previous quarter. Notable examples from the last two months include the breach of Singapore Telecommunications subsidiary Optus which exfiltrated 2.8 million records from the company’s network and the still unsolved Uber data breach which cybersecurity experts have called a “total compromise.”
Already in Australia – where Optus is headquartered – the government has announced plans to follow suit with the U.S. and tighten existing customer data regulatory controls. On the heels of the E.U.’s proposed Cyber Resilience Act – which would mandate built-in security features for newly manufactured connected devices –it is safe to say these concurrent government responses are an indicator of a general trend towards updating antiquated data security regulations to reflect recent developments in technology.
In late October 2022, the FTC released details of ongoing punitive action against online alcohol marketplace Drizly and its CEO James Cory Rellas. This followed revelations that failures in the company’s data security practices enabled a recent data breach that exposed the personally identifiable information (PII) of about 2.5 million consumers.
Despite receiving a warning two years ago about known vulnerabilities in their system configuration, the company’s leadership declined to take action. The Commission’s orders against Drizly significantly restrict the kinds of data the company can collect going forward, and binds the CEO to specified security practices.
With the changes to the FTC’s Safeguards Rule announced in December 2021, still pending effect until June 2023 (Note: This deadline was extended by six months in November 2022; the original date of effect was December 2022), high-profile responses in the months to come should signal to businesses just how strictly the Commission intends to enforce information and data security policies in the near future.
For organizations previously unregulated by the Safeguards Rule, and those behind the curve of current data security technologies and practices, achieving and maintaining compliance will not be a quick and easy fix. It will require overhauling employee data handling practices and adopting new, unfamiliar technologies.
FileInvite’s secure, SOC 2 Type 2 compliant file sharing and document portal platform can help your organization get a jumpstart clearing the pervasive security hurdle of employees and clients using email to exchange sensitive information. FileInvite streamlines document collection processes while simultaneously getting your organization’s file-sharing practices into compliance through automatic 256-bit end-to-end encryption for storage and transmission.
To learn more and request a demo, visit FileInvite today.
The 2023 FTC Safeguards Rule update is a revision to the existing rule, aimed at enhancing data security requirements for financial institutions and increasing consumer protections.
The 2023 FTC Safeguards Rule update took effect on June 9, 2023.
The FTC Safeguards Rule applies to financial institutions, including banks, credit unions, mortgage lenders, and other entities involved in providing financial services.
The key changes in the 2023 FTC Safeguards Rule update include expanded definitions of "financial institutions," more specific requirements for risk assessments and information security programs, and updated rules for third-party service providers.
Under the 2023 FTC Safeguards Rule update, financial institutions are required to conduct comprehensive risk assessments, develop written information security programs, and implement safeguards to protect customer information.
Some examples of safeguards that financial institutions can implement include encryption, strong password policies, multi-factor authentication, regular software updates, employee training and education on data security, secure network and systems monitoring, and incident response plans.
Financial institutions that fail to comply with the 2023 FTC Safeguards Rule update may be subject to enforcement actions and penalties, which can include monetary fines and reputational damage.
Small businesses that meet the definition of a financial institution are also required to comply with the 2023 FTC Safeguards Rule update. However, the rule takes into account the size and complexity of the institution, allowing for flexibility in implementing the required safeguards.
The FTC Safeguards Rule generally applies to financial institutions, including those that are depository institutions or credit unions. However, there may be certain limited exceptions based on the size of the institution or the nature of the services provided.
The 2023 FTC Safeguards Rule update may impact the way financial institutions operate by requiring additional resources and investments in data security and compliance efforts. However, compliance with the updated rule can also help protect the institution's reputation and customer trust, and may provide a competitive advantage over institutions that do not prioritize data security and customer privacy.
Handle customer PII? An FTC-mandated info security program may be in your firm’s future. Here’s a breakdown of which firms must comply and who is...
Businesses that collect and handle personally identifiable information and other sensitive data must understand their obligations ahead of upcoming...
The FTC's updated Safeguard Rule's requirements around encryption, authentication, and customer data disposal expose email’s security shortcomings.