FTC Safeguards Rule - FAQ's

Yes, unless you retain information on less than 5000 consumers. If that exception is met, you are still required to comply with the Safeguards Rule, but will not need a written risk assessment, continuous monitoring, annual penetration testing, vulnerability scans, a written incident response plan, or a written annual report to the Board of Directors.

They would not be excluded. “Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”  Name, address, etc.

According to the FTC, the qualified individual must oversee and implement the information security program. The person designated to coordinate the information security program need only be “qualified.” No particular level of education, experience, or certification is prescribed by the Rule. Accordingly, financial institutions may designate any qualified individual who is appropriate for their business. Only if the complexity or size of their information systems require the services of an expert will the financial institution need to hire such an individual.

All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have laws requiring private businesses to notify individuals of security breaches of information involving personally identifiable information. The requirements will vary by state.

Your reporting to your Board of Directors should be a risk assessment.  At a minimum it should list any results and remediation steps taken as a result of your penetration testing.  It should also list any vendors who have gaps in their responses to your questionnaire.

Yes, you can download a copy of the NADA’s “Dealer Guide to the FTC Safeguards Rule” here.  This document includes best practices and sample documents.

Yes, Physical and electronic information and documents from out-of-state consumers must be safeguarded. The information and documents must be protected via the physical, administrative, and technical safeguards outlined in the Safeguards Rule.

The Safeguards Rule states you must: Develop, implement, and maintain procedures for the secure disposal of customer information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the customer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. Please consult your attorney for record retention requirements for specific documents and data.  The systems that are retaining those scan documents must also pass your vendor surveys.

The Safeguards Rule states you must: implement multi-factor authentication for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. The Safeguards Rules also states you must: Oversee service providers by (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) requiring your service providers by contract to implement and maintain such safeguards; and (3) periodically assessing your service provider based on the risk they present and the continued adequacy of their safeguards.

Implement your own documented training programs or look for a third party provider.  IN addition you must record when your employees last took the training and they will need to be trained annually. This report of employees and training will need to be part of your Board of Directors reporting. Please contact sales@700credit.com to learn more about the 700Credit LMS.