The Safeguards Rule and What it Means for Small Businesses

What is the Safeguards Rule?

Per the FTC, the ‘Safeguards Rule’ can be summarized as:

The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.

In simpler terms, companies that operate in a financial capacity are on the hook for their customers' data and are required to have an information security program in place.

The deadline for organizations to adhere to the Safeguards Rule is June 9th, 2023.

Who does the Safeguards Rule Impact?

Last year, the FTC updated the rule to include a wider scope of organizations that must adhere to the law. Following the increase in security breaches over the last few years, the rule has been updated to require financial institutions handling sensitive customer data “to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe.”

In Section 314.1 (b), the Safeguards Rule defines an entity as a ‘financial institution’ if it is engaged in any activity that is ‘financial in nature’. While this is a bit vague, the definitions in Section 314.1 (h) provide some examples of organizations that will have to adhere to the rule.

Small businesses operating in any of the below capacities will have to adhere to the rule:

  • A retailer that extends credit by issuing its own credit card directly to consumers

  • An automobile dealership that, as a usual part of its business, leases automobiles on a non-operating basis for longer than 90 days

  • A personal property or real estate appraiser

  • A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company

  • A business that prints and sells checks for consumers, either as its sole business or as one of its product lines

  • A business that regularly wires money to and from consumers

  • A check cashing business

  • A business that operates a travel agency in connection with financial services

  • An entity that provides real estate settlement services

  • A mortgage broker

  • An investment advisory company and a credit counseling service

  • A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate

How do Small Businesses Ensure Compliance with the Safeguards Rule?

In short, the Safeguards Rule aims to push businesses handling sensitive information towards the development of an information security program. At a high level, the Safeguards Rule requires the program to be as complex and in-depth as the organization itself.

Impacted organizations have the following requirements:

  1. Designate a qualified individual responsible for overseeing the program

  2. Perform a risk assessment to establish a starting point

  3. Design and implement safeguards for identified risks

  4. Provide security training for employees

  5. Develop an Incident Response Plan

  6. Provide an annual report to leadership detailing the status of the program

The full listing of requirements and their components can be found here.

We Can Help

Thoreson Consulting can assist in bringing your organization into compliance with the Safeguards Rule. We offer risk assessments, employee training, and assistance in developing a robust information security program - all requirements of the rule.

Additionally, as a Virtual Information Security Officer (vISO) to your organization, Thoreson Consulting can assist in keeping your business secure.

If you have any questions on the Safeguards Rule or are interested in the services offered by Thoreson Consulting, please do not hesitate to reach out!
