3 August 2023 / Scott J. Best

New FTC Safeguard Rules: Staying Compliant in the World of Collections

Data security is top of mind in today’s business environment, with daily news stories about cyberattacks that expose personally identifying information such as Social Security Numbers, birthdays, and addresses. Further exposure occurs when information is sent via email, which, while convenient and fast, is not always secure.
 
In an attempt to ensure that confidential and sensitive personal and financial information is maintained and secured, the Federal Trade Commission (FTC) has established many standards, and corresponding requirements, for various industries, most specifically financial institutions. Since the Safeguards Rule was first implemented in 2003 under the Gramm-Leach-Bliley Act, there have been significant changes in cybersecurity as well as the nature, frequency, and ferocity of cyberattacks. In an attempt to better secure consumer information, the FTC implemented new rules which went into effect in June of this year.
 

The new FTC Safeguard Rules set forth several requirements that must be met. Those requirements include:

  1. Encryption of all customer information held or transmitted by the business.
  2. Restrict access to authorized persons only, and limit the information each person can review to what is necessary to perform their duties or functions. Multi-factor authentication should be used.
  3. Designating a specific qualified employee to oversee and implement an information security program.
  4. Adopt procedures for evaluating and testing the security of external applications and devices used to transmit, access, or store consumer information.
  5. Staff must be trained, and retrained, on security awareness, and there must be policies and procedures designed to monitor and log the activities of authorized users and to detect whether there have been unauthorized users and/or tampering with consumer information.
  6. Perform regular assessments of security practices and procedures, testing information security and access, confidentiality, and the integrity of the system.
  7. Develop a response plan if and when a security breach occurs.
  8. If the business maintains data on more than 5,000 consumers, there must be continuous monitoring and periodic assessments to detect changes and monitor for vulnerabilities.
  9. Data disposal procedures must be created to ensure secure disposal of consumer personal identifying information within two years of last providing products or services to the consumer.
 
Additionally, and perhaps more importantly, these changes will not only apply to what have historically been viewed as financial institutions. Instead, the updated Safeguard Rules will apply to any business engaged “in an activity that is financial in nature or incidental to” financial activities. Businesses now subject to the new requirements include, but are not limited to, mortgage lenders and brokers, payday lenders, collection agencies, motor vehicle dealers, tax preparation firms, credit counselors, financial and investment advisors, non-federally insured credit unions, and businesses that regularly wire money to and from consumers. While the new rules expanded who is required to comply with the Safeguards Rule, businesses with fewer than 5,000 consumers are exempt from some provisions of the updated Rule. However, it is recommended that all businesses take the steps necessary to ensure consumer data and information are protected; such steps may also be required by state-specific laws.
 
Failure to comply with the new standards can result in fines up to $100,000 per violation and potential lawsuits related to a data breach. If you are subject to the new Safeguard Rules and are not in compliance with the updated rules, it is recommended that you come into compliance without delay.

Our team is constantly monitoring these changes. If you have any questions on this topic, please contact attorney Scott Best at any time.
 
This blog is not a solicitation for business and it is not intended to constitute legal advice on specific matters, create an attorney-client relationship or be legally binding in any way.
