Who’s on First?

Have you ever heard that old comedy routine?  It’s funny to listen to comedians create confusion with wordplay, but it’s not so funny when you’re trying to figure out something like the brand-new FTC Safeguards Rule that kicked into effect on June 9, 2023.

We’ve found in the Galactic community that there’s confusion regarding who it applies to and what changes may need to be made to a security program.  So, let’s talk about the new regulation and help you find a path forward for your organization’s data security.

First off, are you covered by the FTC Safeguards Rule?

The FTC expanded their definition of who they call a “financial institution”, and a lot of organizations are being specifically called out, such as mortgage lenders, finance companies, and even mortgage brokers themselves. Payday lenders (yes, the people who give you cash in advance for your check) and check cashers (the folks who just cash the check for you) are being called out as well.

Here’s a brief list of some entities that are newly covered by FTC rules:

  • Mortgage lenders
  • “Pay day” lenders
  • Finance companies
  • Mortgage brokers
  • Account servicers
  • Check cashers
  • Wire transferors
  • Travel agencies operated in connection with financial services
  • Real Estate appraisers
  • Credit counselors and other financial advisors
  • Automotive dealerships
  • Tax preparation firms
  • Non-federally insured credit unions
  • Investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.

Didn’t see your organization on the list?  Well, if your organization offers services to those on the list above, it does fall under the Safeguards.  That means if you’re not addressing them, you’re putting your organization at risk.

If you’re saying, “My organization isn’t covered at all!  I guess I don’t have to think about the FTC Safeguards, right?”

WRONG

If you aren’t covered by FTC Safeguards at all, there are still two good reasons for taking action:

  1. Your clients/customers and organizations you do business with may be covered and thus they’ll be more confident working with you if you take action.
  2. These safeguards aren’t going away, and, in fact, they may continue to redefine who is covered. Also, they challenge organizations to go to higher standards of security.  Taking action now before you’re required to do so simply means you’re ahead of the game, and that your organization is meeting high standards of safety.

Now that we’ve addressed why everyone needs to take the FTC Safeguards seriously, let’s look at some misconceptions, so that you don’t end up putting your organization at risk.

MISCONCEPTION 1: If I service less than 5,000 consumers, I don’t have to comply with the rule.

The FTC does have an exemption for businesses that have fewer than 5,000 clients, BUT this exemption is not talking about the number of consumers an organization currently services. The FTC defines this exemption only for businesses that store fewer than 5,000 customer records.

So, let’s say you’re a small lender who only touches 200 people in a month. BUT you’ve been in business for 10 years and have 10,000 people on file (here think non-public information such as credit cards, birth dates, social security numbers, etc.).  Guess what?  You’ll still be required to comply FULLY with the FTC Safeguards. The 5,000 number is the total number of consumers on your list, not the number of active consumers at any given time.

MAJOR TAKEAWAY: The FTC Safeguard is about 5,000 or more consumers total...not annually, not monthly.

MISCONCEPTION 2: Okay, so my organization has fewer than 5,000 consumers on file.  That means I don’t have to comply with FTC Safeguards.

This is definitely not the case. The FTC Safeguards Rule has fewer guidelines for organizations that have fewer than 5,000 consumers in their database, but that does not mean the Safeguards are completely inapplicable.

The FTC still expects smaller businesses to comply with 7 elements of their framework. These elements include:

  • Element 1: Organizations must designate a qualified individual to run their security program. This could be someone on your staff, or the person or organization that runs your IT. Just because an organization is small doesn’t mean it is exempt from security.
  • Element 2: Security must be evaluated on a regular basis to look for internal and external security holes, to evaluate the state of security, and to assess any controls in place to address those risks.
  • Element 3: Organizations must put controls in place to address security holes. Knowing about the gaps in your security isn’t good enough. At a minimum, organizations will be expected to have a written security program that addresses security gaps identified from a risk assessment.
  • Element 4: Organizations must regularly monitor security effectiveness.  FTC Safeguards expects organizations to regularly test or monitor the effectiveness of the safeguards they have in place. Since hackers are constantly devising ways to break through security, businesses will need to continually test the security measures they have in place.
  • Element 5: Organizations must have policies and procedures to help personnel adhere to their security program, as well as written policies and procedures around securing their consumer data.
  • Element 6: Organizations will have to adhere to standards for protecting the confidentiality, integrity and security of their consumer data.  This means organizations must ensure their security controls adhere to the FTC’s standards in terms of protecting data.
  • Element 7: And, of course, organizations need to ensure continual improvement of their program based on regular testing. They will then be expected to make adjustments to their security program as needed.

MAJOR TAKEAWAY: Just to recap, the exemption is not a free pass on the Safeguards. You’ll still need to adhere to parts of the FTC requirements.

MISCONCEPTION 3: If a third party is housing my organization’s data, we aren’t the responsible party when it comes to complying with FTC Safeguards.

Whether data is stored onsite or in the cloud, it needs to adhere to similar security standards. Even if your data is being hosted by a third party off site, you are still responsible for it.

MAJOR TAKEAWAY: It’s not about WHERE your data is stored.  The responsibility lies with the organization that owns the data.

SO, WHAT’S THE BOTTOM LINE?

The FTC Safeguards will affect small organizations. BUT, even if you aren’t explicitly covered, this is a good baseline security framework to follow to make sure your organization is not the lowest-hanging fruit.