The FTC Safeguards Rule Amendment Now Includes Your Business  

This new rule will apply to those companies with exceptions for entities that handle less than 5,000 consumer records and the exceptions will only apply to some of the requirements. The exceptions being specifically- having a written risk assessment, an incident response plan and preparing the annual report to the board of directors. If you are exempt, we will still recommend you conduct those activities.  

The National Auto Dealerships Association (NADA) communicated the upcoming changes to members, prior to the deadline extension at the end of 2022. An article by Bloomberg Law further clarified the additional types of companies that will now be in-scope for compliance.  

When does the amended FTC Safeguards Rule go into effect? 

While this originally applied to financial institutions, the FTC has proposed changes to the Safeguard rule that adds non-banking institutions into scope via the processing of consumer financial information. Due to increasing data breaches that includes a growing number of ransomware attacks, the FTC is amending this rule to include more entities in an effort to prioritize the protection of consumer information. Throughout 2022 the FTC has proposed changes and sought commentary to be included in the final rule publication.  

Deadline to be in compliance with the amended Safeguards Rule: June 9, 2023 

What are the FTC Safeguards Rule Requirements? 

Entities subject to meeting the Safeguards Rule requirements, as defined in Section 314.4 of the Code of Federal Regulations (this is the Elements section of the broader Standards for Safeguarding Customer Information of Part 314), must ensure these nine elements are included and conducted as part of the information security policy. Nine elements summarized from the current version of Section 314.4: 

1. 314.4(a) Designate someone (internal or service provider) to implement, enforce and oversee the information security program.  
2. 314.4(b)(1) Write and exercise a risk assessment plan. This is to include identifying and managing the internal and external risks to confidentiality, integrity and availability of consumer information that could lead to various data breaches, alteration or misuse and assess the safeguards in place to control these risks. Periodically conduct additional risk assessments that reexamine the risks to the confidentiality, integrity and availability of consumer information. 
3. 314.4(c)(1)-(8) Implement safeguards to control risks. These should address: 
   1. Access management and least privilege access to consumer information 
   2. Keep an asset inventory of all systems, devices, platforms, and employees 
   3. Encrypt the data of consumer information or secure it through other effective controls 
   4. Assess the security of any in-house developed apps (including adoption of secure development practices) or third-party apps that are transmitting, storing or processing the consumer data.  
   5. Implement multi-factor authentication (MFA) for anyone accessing consumer data on your system. 
   6. Ensure secure disposal of consumer information. Review your data retention policies to minimize unnecessary retention 
   7. Develop procedures and processes for change management 
   8. Implement logging or maintain a log of activity by authorized users access the data, and detect unauthorized access  
4. 314.4(d)(2) Monitor and periodically test the effectiveness of the safeguards to include detection of actual and attempted attacks on or intrusions into the information systems 
   1. For information systems this includes continuous monitoring or periodic penetration testing and vulnerability assessments. If continuous monitoring is not an option nor are there systems for detection, changes to the information systems that may create vulnerabilities, entities shall conduct: 
   2. Annual penetration testing 
   3. Vulnerability assessments to identify publicly known vulnerabilities of your systems, at least every six months; and whenever there are material changes to your operations or business, or when there are circumstances, you know or have reason to know may have a material impact on your information security program. 
5. 314.4(e) Security Awareness Training. Employees must be trained to take a proactive approach in identifying threats to the information systems through their daily activities. 
6. 314.4(f)(3) Monitor Service Providers (Third-party Risk Management). Select service providers that have the skills, experience, and feasibility to maintain appropriate safeguards and through the contracting process ensure service providers implement and maintain safeguards. 
   1. Periodically assess your third-party service providers based on the risk they present and the effectiveness of their safeguards 
7. 314.4(g) Maintain and Optimize Your Security Plan. Adjust your security plan based on changes to personnel, technology, and the outcome of risk assessments.  
8. 314.4(h) Develop a Written Incident Response Plan. This should define the processes and procedures to respond and recover from a security event. 
   1. This should cover the goals of the plan, internal response processes, role and responsibility definitions, communications plan for internal and external purposes, remediation processes, documentation of security events and the reevaluation of the plan. 
9. 314.4(i) Report to the Board of Directors. In writing, regularly and at least annually, communicate on the program’s activities and updates to the board of directors or equivalent governing body to ensure they are aware.  
   1. This will include the status of the overall program and the compliance with the Safeguards Rule. 

How FortifyData Helps Companies Meet the Safeguards Rule 

FortifyData can assess, contextualize and prioritize the cybersecurity risk of a company subject to the rule, to also include service providers (third parties).  

Our platform can conduct the risk assessments for both the company and the service providers (third parties) to meet the Safeguard Rule and the benefits are: 

• 314.4(b) Conducting assessments of the Company, including all Subsidiaries or Business Units and present the findings on a continuous or scheduled interval basis. This includes external, internal and cloud configuration/posture.  
  • This meets the continuous monitoring requirement or every six-month interval for vulnerability assessments 
  • This provides both a unified/centralized view of risk with the ability to manage it at the Subsidiary or Business Unit level should the company be structured that way. Understand which parts of the company or business units need more help than others in managing cyber risk. 
  • Continuous or semi-annual vulnerability assessments will improve an annual penetration testing engagement by continuously managing the vulnerabilities the pentest team would have found and exploited. 

• 314.4(d)(2)Monitor and periodically test the effectiveness of your safeguards 
  • Continuous or periodic vulnerability assessments meets the requirement to identify the vulnerabilities that could be used in “an actual or attempted attack or intrusion into information systems”. 
  • For “material changes to operations” (personnel, technology or security events) it is required to conduct a vulnerability assessment to identify risks associated from those events. 

• 314.4(f)(3) Monitor service providers (third parties). 
  • We can conduct assessments of services provides for “periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards”. 

• 314.4(g) Evaluate and adjust your security plan. 
  • Based on the findings of the vulnerability assessments, either continuously, periodically or result of material changes you can remediate the findings which may need to be adjusted in the information security program and the risk assessment. 

Enforcement 

Expect the consideration for fines, penalties, litigation risks or other administrative actions will arise from not just the data breach, but if it is determined that a company in-scope for the FTC Safeguards rule is not in compliance.  

As it relates to Auto Dealerships, and applicable to other entities, fines and penalties can range from: 

• $11,000 per day per occurrence of a breach  
• The FTC can also seek damages that can total up to $43,000 per day per violation 

• Potential to face long term consent decrees and/or extensive injunctive relief that can cripple business operations 
• Non-compliance with the Safeguards Rule creates liability for litigation from the FTC and other entities including victims

References: 

• Code of Federal Regulations Part 314 – Standards for Safeguarding Customer Information 
• Code of Federal Regulations Part 314, Section 4 – Elements of an Information Security Plan 
• Department of Education, Office of Federal Student Aid – Enforcement of Cybersecurity Requirements under the Gramm-Leach-Bliley Act 
• Bloomberg Law – FTC Updates Data Security Expectations for Non-Banks 

• National Association of Realtors – FTC Issues New Requirements for Non-Banking Financial Institutions 
• National Automobile Dealers Association – FTC Issues Guidance on the Revised Safeguards Rule: The Time for Dealers to Act is Now