
FTC's Safeguards Rule amended to require 30-day breach notification


ARTICLE | February 19, 2024

Authored by RSM US LLP


The U.S. Federal Trade Commission (FTC) on Oct. 11 amended its Standards for Safeguarding Customer Information—known as the Safeguards Rule, for short—to require all nonbanking financial institutions to report data breach incidents within 30 days after discovery of a security breach involving the information of at least 500 consumers. The new notification requirement will go into effect May 13, 2024.

The purpose of the Safeguards Rule is to ensure that entities covered by the rule protect the security of customer information. The Safeguards Rule took effect in 2003, but the FTC amended it in 2021 to keep pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.

In the event of a breach, organizations are required to notify the FTC using their online portal and disclose details about the security incident, such as the following:

  • Name and contact information of the reporting institution
  • Number of affected and potentially affected consumers
  • Description of the types of data that have possibly been exposed
  • Exposure date and, if possible to determine, the duration of the incident
  • Confirmation of whether law enforcement advised that public disclosure of the breach could obstruct an investigation or threaten national security

The agency has added a provision for a 60-day delay should a law enforcement official seek an extension in the public disclosure of a specific incident.

The FTC provides a guide for businesses to notify the agency in the event of a data breach. Noncompliance with the rule could result in costly fines, litigation, criminal penalties and damage to the institution's reputation.

Who does the rule apply to?

The updated rule applies to a wide range of entities, including, but not limited to, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, nonfederally insured credit unions, and investment advisors that are not required to register with the Securities and Exchange Commission.

The Safeguards Rule applies to financial institutions that are subject to the FTC’s jurisdiction and are not subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act. The rule applies to all customer information in an institution’s possession, regardless of whether that information pertains to individuals with whom the institution has a customer relationship or to customers of other financial institutions that have provided the information to the institution in question.

Why the change?

The rule change comes in response to increasing concerns about the vulnerability of sensitive personal information to data breaches, identity theft and other cyberthreats. Data breaches at organizations entrusted with personally identifiable information continue to increase, and this reinforces the need for the FTC and businesses engaging in an activity that is financial in nature to work together to combat cybersecurity threats and strengthen the critical cybersecurity infrastructure. Ensuring the confidentiality, security and integrity of information depends on cooperation among the FTC, institutions and other entities, including consumer monitoring sources, contractors and third-party servicers.

Why is this important to my organization?

Any breach of the security of consumer information signals a potential lack of administrative capability. As cyber events become more frequent, it is critical that organizations maintain an information security program and an ongoing compliance monitoring program, both to comply with insurance requirements and to establish a defense in the event of legal proceedings.

What does the new rule cover?

The new rule requires institutions to implement comprehensive information security programs to protect consumers' personal and financial data from unauthorized access or misuse. Institutions will need to evaluate and update their existing policies, procedures and systems to align with the new requirements. This process may include updating their data security practices, conducting risk assessments and training employees on data security best practices.

The Safeguards Rule identifies nine program elements and eight safeguard controls that your company’s information security program must include.

Program elements

  • Board reporting and oversight
  • Qualified information security owner
  • Information technology risk assessment
  • Security training
  • Information security program
  • Incident response plan
  • Monitor service providers
  • Vulnerability program management
  • Program maintenance

Safeguard controls

  • Periodic access reviews
  • Periodic inventory of consumer data
  • Customer data encryption
  • Evaluate application security
  • Implement multifactor authentication (MFA)
  • Secure disposal of consumer data
  • Maintain logs
  • Change management

Next steps

To support the implementation of the program requirements, institutions may employ consulting firms with experience in data security and regulatory compliance. Consulting firms can provide customized guidance and support to help institutions develop and implement comprehensive information security programs that align with the new Safeguards Rule.

Let's Talk!

Contact us at one of our locations or fill out the form below and we'll contact you to discuss your specific situation.


This article was written by John MacDonald and originally appeared on 2024-02-19.
2022 RSM US LLP. All rights reserved.
https://rsmus.com/insights/industries/financial-services/ftcs-safeguards-rule-amended-to-require-30-day-breach-notificati.html

RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.

Johnson & Sheldon, PLLC is a proud member of the RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.

Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.

For more information on how Johnson & Sheldon, PLLC can assist you, please contact us: Amarillo | Pampa | Hereford