Black hood in background with orange and blue waves for the FTC Safeguards Rule

The Federal Trade Commission has extended by six months the deadline for some of the changes financial institutions must put in place to protect their customers’ personal information for data security safeguards. The deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023. The Federal Trade Commission’s (FTC) Safeguards Rule requires non-banking financial institutions to follow detailed security procedures to further protect sensitive customer information from data breaches and cyberattacks.

The updated June 9, 2023, deadline includes the following items:

  • Designate a qualified individual to oversee their information security program
  • Develop a written risk assessment
  • Limit and monitor who can access sensitive customer information
  • Encrypt all sensitive information
  • Train security personnel
  • Develop an incident response plan
  • Periodically assess the security practices of service providers
  • Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information
What is the Safeguards rule?

The Federal Trade Commission published the Final Rule to amend the Standards for Safeguarding Customer Information 16 CFR Part 314, called the Safeguards Rule. The Final Rule became effective January 10, 2022, requiring non-banking financial institutions to be cybersecurity compliant. This rule oversees how financial institutions protect customer data.

How do I know if I am affected by this rule?

The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. The Final Rule exempts financial institutions that collect information on fewer than 5,000 consumers from the requirements of a written risk assessment, incident response plan, and annual reporting to the Board of Directors.

What are the requirements that my business needs to be in compliance by December 9, 2022?

Under the amended Safeguards Rule, which is mandated by Congress under the Gramm-Leach-Bliley Act, non-banking financial institutions will be expected to:

  • Require your qualified individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body
  • Develop, implement, and maintain a comprehensive information security program
  • Provide periodic reports to boards of directors or governing bodies
  • Ensure the security and confidentiality of customer information
  • Protect against any anticipated threats or hazards to the security or integrity of such information
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer
  • Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy
  • Adopt procedures for change management
  • Implement policies, procedures, and controls designed to monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users
  • Regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems
  • Continuous monitoring or periodic penetration testing and vulnerability assessments
How can LaScala help?

Since 2016, LaScala has been utilizing the security compliance framework required to achieve the Federal Trade Commission’s Safeguard Rule for auto dealerships. Services provided by LaScala include:

  • Develop risk assessments/gap analysis/incident response plans
  • Provide a “Qualified Individual” (Compliance Officer) to oversee the Safeguard Rule initiative
  • Develop a System Security Plan and Plan of Action & Milestones (POAM) to track compliant and resolve non-compliant controls
  • Annual penetration testing
  • Implement multi-factor authentication and enterprise password vaults
  • Data encryption at rest and in-transit
  • Ongoing maintenance of the Safeguard Rule including monitoring and vulnerability scanning
  • Security awareness training for dealership employees
  • Infrastructure upgrades
  • Review access controls
  • Maintain data retention policy

Auto dealerships and financial institutions are currently clients of LaScala for both Managed and Co-Managed IT and Security.

Contact [email protected] to discuss security compliance for your business.