In recent years, cyberattacks and data breaches at financial institutions and other organizations that collect sensitive customer data have caused significant damage to consumers, including identity theft, financial loss, and more. Last year, the Federal Trade Commission (FTC) decided enough was enough, announcing its Standards for Safeguarding Customer Information, a set of guidelines aimed at tightening up what non-banking institutions (such as mortgage brokers, motor vehicle dealers, financial lenders, and other entities under its jurisdiction) must do to keep their customers’ data safe and secure. Bay Country Finance has implemented additional security programs and measures as of November 1, 2022 – well ahead of the FTC’s December 9, 2022 deadline.
What Entities Are Covered by the 2022 FTC Safeguards Rule?
The FTC Safeguards define “financial institutions” more broadly than the conventional definition. To learn which types of businesses you may interact with are covered by the FTC guidelines, see Section 314.2(h) of the Safeguards Rule.
What Do the FTC Guidelines Include?
The FTC safeguards include specific criteria for what financial services companies and others must include in their Information Security Programs, including information about:
- How they limit access to consumer information.
- Their data encryption process and/or multi-factor authentication for anyone accessing customer information on the institution’s system. (The Rule requires at least two of these authentication factors: a password, a token, or a biometric characteristic. The only exception is if the individual in charge of the program has approved in writing the use of another equivalent form of secure access controls.)
- How they collect, store, access, share, distribute, protect, use, transmit and dispose of their customers’ sensitive data.
- Whom they have appointed (a single, qualified individual) to oversee their Information Security Program.
- What system they have put in place to report periodically to their Board of Directors or the Senior Officer in Charge of information security.
- How they conduct a security risk assessment and address any issues it identifies.
- How they inform customers about their information-sharing practices.
- The process by which customers can opt out of having their information shared with third parties.
The FTC Safeguards require that the financial services entities that fall under their jurisdiction have a written Information Security Program that is appropriate to the size and complexity of the business. By requiring these safeguards, the FTC’s objectives are:
- To ensure the security and confidentiality of your information.
- To protect you from threats or hazards to the security or integrity of that information.
- To protect you from unauthorized access to that information that could result in financial loss or other inconvenience.
If you have customer financial information on file at a financial institution within the jurisdiction of the Federal Trade Commission, you can also rest easier because the Safeguards include stringent monitoring and rigorous follow-up of their Information Security Programs. Financial institutions must regularly test their safeguards, monitor their service providers, keep their programs updated, and create a written incident response plan that includes:
- A process to address any identified weaknesses in their security program.
- Levels of decision-making authority and summaries of roles and responsibilities.
- The internal process the institution must activate in response to a security event.
- A method for documenting and reporting security events, including the institution’s response to them.
- An after-the-fact analysis of what happened, why it happened, and what they learned.
By quantifying the administrative, technical, and physical procedures used to access, collect, distribute, process, protect, store, use, transmit and dispose of information, the FTC Safeguards have taken data safety and security to a new level.