What You Need to Know

The purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information, known as the Safeguards Rule, is to ensure that entities covered by the Rule maintain safeguards that protect the security of customer information.

The deadline for the expanded safeguards was June 9, 2023.

How do you know if your business is subject to the Safeguards Rule?

The Rule defines “financial institution” by the types of activities your business undertakes, not by how you or others categorize your company.

The Rule lists examples of the kinds of businesses that are classified as financial institutions, such as:

  • mortgage lenders
  • finance companies
  • mortgage brokers
  • personal property or real estate appraisers
  • real estate settlement services
  • account servicers
  • wire transferors

What does the Safeguards Rule require companies to do?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

What is a reasonable information security program?

Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.

The objectives of your company’s program are:

  • to ensure the security and confidentiality of customer information;
  • to protect against anticipated threats or hazards to the security or integrity of that information; and
  • to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

Why devote time to this problem?

Violations can carry severe financial and reputational consequences, even if there is no evidence of deliberate misconduct.

In addition to the $100,000 fine for organizations, a company’s directors and officers can be personally liable for up to $10,000 per violation and may be sentenced to up to five years in prison.


Considerations for you and your business stakeholders.

Illustrative scenario:

A mortgage broker or lender experiences an event resulting in unauthorized access to, and misuse of, customer information stored on an information system. 6,500 customer records are involved, and each record is treated as a separate violation:

  • $100,000 fine for the company
  • $10,000 X 6500 records = $65M civil fine for the CEO
  • $7,500 X 6500 records = $48.75M civil fine for the COO
  • $5,000 X 6500 records = $32.5M civil fine for the CFO
  • CEO three year prison sentence
  • COO one year prison sentence
  • CFO federal plea deal with reduced fine and no prison time
  • Business files for bankruptcy, and the corporation is liquidated.

Yes, we can save you time, energy, and money.

There are structural reasons why this is harder than it may seem, and the June 9, 2023 compliance deadline has already passed.

The annual written report must be submitted to the Board of Directors or an equivalent governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer who is responsible for the information security program.

First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover the specific elements of the program – for example, how the company has:

  • designated a qualified individual to oversee the information security program
  • developed a written risk assessment
  • implemented access controls to limit and monitor who can access customer information
  • encrypted customer information in transit over external networks and at rest
  • trained its personnel, including security staff
  • developed and tested an incident response plan
  • periodically assessed the security practices of its service providers
  • implemented multi-factor authentication, or another method with equivalent protection, for anyone accessing customer information

The report should close with recommendations for changes to the information security program.

Decisions of Consequence

Your leadership is pivotal.

Future disruption events will force decisions. Will you be prepared?

We offer you a process to build a credible information security program that sustains customer trust and business viability.

Safeguards operational compliance will further protect your customers, reputation, and business. 


What is your vision for the future?

Criminals know you care about your stakeholders, reputation, and career. They will use any advantage as leverage to extract money from your company, including the threat of forcing a breach notification to the FTC.

If you want to protect your customers, reputation, and business, we are here to support you. We will partner with you to work through the decisions required for Safeguards Rule compliance. 

The alternative is delaying action and hoping that fines and prison time do not disrupt your family and business.