3 August 2023 / Scott J. Best

New FTC Safeguards Rule: Staying Compliant in the World of Collections

Data security is top of mind in today's business environment, as there are daily news stories about cyberattacks that expose personally identifiable information such as Social Security Numbers, dates of birth, and addresses. Further exposure occurs when such information is sent by email, which, while convenient and fast, is not always encrypted end to end and is not a secure channel for sensitive data.
To ensure that confidential personal and financial information is protected, the Federal Trade Commission (FTC) has established standards, and corresponding requirements, for various industries, most specifically financial institutions. Since the Safeguards Rule first took effect in 2003 under the Gramm-Leach-Bliley Act, there have been significant changes in cybersecurity as well as in the nature, frequency, and severity of cyberattacks. To better secure consumer information, the FTC amended the Rule, and the new requirements went into effect in June of this year.

The amended Safeguards Rule sets out several requirements that covered businesses must meet. Those requirements include:

  1. Encrypt all customer information the business holds or transmits, both at rest and in transit over external networks.
  2. Restrict access so that only authorized persons can reach customer information, and limit what each person can see to the information necessary to perform their duties (least privilege). Multi-factor authentication must be used by anyone accessing an information system that holds customer information.
  3. Designate a specific Qualified Individual (an employee or a service provider) to oversee and implement the information security program.
  4. Adopt procedures for evaluating and testing the security of external applications and devices used to transmit, access, or store customer information.
  5. Train, and periodically retrain, staff on security awareness, and implement policies, procedures, and controls that log and monitor the activity of authorized users and detect unauthorized access to, or tampering with, customer information.
  6. Perform regular security assessments of security practices and procedures, testing the confidentiality, integrity, and access controls of the systems that hold customer information.
  7. Develop a written incident response plan for when a security breach occurs.
  8. If the business maintains data on 5,000 or more consumers, it must either continuously monitor its systems or perform periodic penetration testing and vulnerability assessments to detect changes and monitor for vulnerabilities.
  9. Create data disposal procedures to ensure secure disposal of consumer personally identifiable information no later than two years after the information was last used to provide products or services to the consumer, unless retention is required by law or for a legitimate business purpose.
Additionally, and perhaps more importantly, these requirements do not apply only to what have historically been viewed as financial institutions. The updated Safeguards Rule applies to any business engaged "in an activity that is financial in nature or incidental to" financial activities. Businesses subject to the requirements include, but are not limited to, mortgage lenders and brokers, payday lenders, collection agencies, motor vehicle dealers, tax preparation firms, credit counselors, financial and investment advisors, non-federally insured credit unions, and businesses that regularly wire money to and from consumers. While the rule applies broadly, businesses with fewer than 5,000 consumers are exempt from some provisions of the updated Rule. It is nevertheless recommended that all businesses take the steps necessary to protect consumer data, and state-specific laws may require them to do so regardless.
Failure to comply with the new standards can result in fines up to $100,000 per violation and potential lawsuits related to a data breach. If you are subject to the Safeguards Rule and are not yet in compliance with the updated requirements, it is recommended that you bring your program into compliance without delay.
Our team is constantly monitoring these changes. If you have any questions on this topic, please contact attorney Scott Best at any time.
This blog is not a solicitation for business and it is not intended to constitute legal advice on specific matters, create an attorney-client relationship or be legally binding in any way.
