The Safeguards Rule: Stricter Measures Are Imposed to Protect Customer Information

Some of the biggest data breaches of 2022 included Shein, which was fined $1.9 million after the personal data of 39 million customers had been hacked; customers’ payment information was subsequently found for sale on a hacking forum. Twitter also revealed that the data of 5.4 million user accounts, including email addresses and phone numbers, had been stolen.

Against this backdrop, the Federal Trade Commission (FTC) is tightening the U.S. Standards for Safeguarding Customer Information to keep pace with current technology. The Safeguards Rule, which governs how financial institutions must handle customer information, is updating its guidance on how core data security principles should be followed. The new rule changes will become effective from June 2023.

How to Comply With the New Safeguards Rule Changes

The Code of Federal Regulations outlines how businesses need to meet the new requirements in order to comply with the law, which we will detail in this post.

Firstly, you will need to name a “qualified individual” whose role will be to develop the company’s information security program and oversee its execution. The qualified person will need to report to the board of directors at least once a year, notifying them of any security issues or recommended changes to the program. Your information security program will need to have technical or physical safeguards to ensure that your customer data is being collected, processed, stored, distributed, protected, and disposed of properly.

The information security program must reflect your company’s risk assessment process, which must identify reasonably foreseeable risks to the security of customer information and outline which safeguards are appropriate to protect against the risks flagged. According to the FTC, simply having a risk assessment is not enough: ongoing monitoring must be performed regularly to make sure that new risks don’t threaten your customers’ information.

A crucial part of creating your information security program is to design robust safeguards to control any potential security threats. According to the FTC, safeguarding tools should be checked at least every 6 months, and annual penetration testing should be conducted, in which you attempt to break into your own systems to see how difficult it is.

There are a number of ways you can put safeguards in place, such as encrypting customer information so that sensitive data is unreadable to unauthorized users. You could also develop your own apps rather than using third-party apps, to limit your third-party risk exposure. Relying on third-party companies heightens your chances of a supply chain attack like the one SolarWinds experienced, when attackers managed to find a vulnerability in the Orion system and gained access to thousands of networks, including information about customers and third-party organizations.

Another method of safeguarding your customers’ data is setting up multi-factor authentication, which gives customer information extra protection when it is accessed. It could combine password protection with a biometric characteristic such as a fingerprint or face recognition to make sure the information isn’t being accessed by unauthorized users.

Access to customer information should be logged, and both the logs and your access controls reviewed periodically, so that you can flag any suspicious activity, such as people tampering with customer information. Suspicious actions could include unrecognised devices or IP addresses being used to access customer data.
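The periodic log review described above can be automated in a simple way. The following is an added example, not code from the original post or from Gerrish Legal: it assumes a constructed access-log line format (`user=`, `ip=`, `device=`, `action=`, `record=` fields), a constructed per-user baseline of registered devices and expected networks (`KNOWN_PROFILES`), and constructed sample log lines. Each access from a device or IP address the user's baseline does not recognise is flagged for review, and flagged entries that modify or export customer records are marked higher priority because they may indicate tampering.

```python
"""Review customer-data access logs for unrecognised devices and IP addresses.

Added example; log format, baseline profiles and sample lines are all
constructed for illustration and are not from the original post.
"""
import ipaddress
import re

# Constructed log line format: one access event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) device=(?P<device>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed baseline: devices registered to each user and the networks
# they are expected to connect from (hypothetical values).
KNOWN_PROFILES = {
    "alice": {"devices": {"lt-0421"}, "networks": ["10.20.0.0/16"]},
    "bob": {"devices": {"lt-0877", "ws-1102"}, "networks": ["10.20.0.0/16", "10.30.5.0/24"]},
}

# Actions that change or extract customer records; flagged events with these
# actions are treated as higher priority during review.
SENSITIVE_ACTIONS = {"update", "delete", "export"}

# Constructed sample log, including one malformed line to show it is counted
# rather than silently dropped.
SAMPLE_LOG = """\
2023-06-12T09:02:11Z user=alice ip=10.20.14.7 device=lt-0421 action=view record=cust-4471
2023-06-12T09:05:40Z user=bob ip=10.30.5.12 device=ws-1102 action=view record=cust-0090
2023-06-12T13:41:03Z user=alice ip=203.0.113.55 device=lt-0421 action=update record=cust-4471
2023-06-12T13:42:19Z user=bob ip=10.20.8.3 device=unk-9f2c action=export record=cust-0090
2023-06-12T13:44:00Z user=carol ip=10.20.9.9 device=lt-0500 action=view record=cust-7710
this line is not in the expected format
"""


def parse_line(line):
    """Return the event fields as a dict, or None if the line is malformed."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def in_known_network(ip, networks):
    """True if ip falls inside any of the baseline networks; invalid IPs are unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in networks)


def review_access(log_text, profiles):
    """Return (findings, malformed_count).

    A finding is an event dict plus 'reasons' (why it was flagged) and
    'priority' ('high' for sensitive actions, otherwise 'medium').
    """
    findings = []
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            malformed += 1
            continue
        profile = profiles.get(event["user"])
        reasons = []
        if profile is None:
            reasons.append("no baseline profile for user")
        else:
            if event["device"] not in profile["devices"]:
                reasons.append("unrecognised device")
            if not in_known_network(event["ip"], profile["networks"]):
                reasons.append("unrecognised IP address")
        if reasons:
            priority = "high" if event["action"] in SENSITIVE_ACTIONS else "medium"
            findings.append({**event, "reasons": reasons, "priority": priority})
    return findings, malformed


if __name__ == "__main__":
    found, bad = review_access(SAMPLE_LOG, KNOWN_PROFILES)
    for f in found:
        print(f"[{f['priority']}] {f['ts']} {f['user']} {f['action']} {f['record']}: "
              + ", ".join(f["reasons"]))
    print(f"{len(found)} events flagged, {bad} malformed line(s) skipped")
```

The baseline is the important design choice: unrecognised means "not in the profile the organisation maintains for that user", so the review only works if device registrations and expected networks are kept current as part of the same programme.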

What Do Our Experts Say About the Tightening of the Safeguards Rule?

With more than 5 billion people using the internet today, it is not surprising that the FTC has put new measures in place to try to control and regulate the processing and retention of customer information. Hackers are always finding new ways to penetrate networks, so stricter controls are vital in keeping up with ever-evolving technology. According to Gartner, in 2023, more than $188 billion is predicted to be spent on information security and risk management products and services due to the growing exposure to cyber-attacks.

It will be interesting to see once the Safeguards Rule comes into force later in the year, how the FTC is able to regulate company activity to ensure financial institutions are maintaining appropriate standards to protect customer information. 

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you, get in contact with us today for more information.
