The FTC Safeguards Rule is a set of regulations promulgated by the Federal Trade Commission to protect the privacy of consumers' personal information. The Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program designed to safeguard customer information.
The Safeguards Rule was first enacted in 2003, pursuant to a mandate that the FTC issue regulations requiring financial institutions to develop and maintain safeguards to protect the confidentiality, integrity, and security of customer information.
The Safeguards Rule applies to any company that holds or uses consumer financial information. This includes companies that are subject to the Gramm-Leach-Bliley Act (GLBA), as well as companies that are not subject to GLBA but that hold or use consumer financial information in connection with providing a financial product or service.
Under the rule, financial institutions must take steps to secure customer information from unauthorized access, use, or disclosure. To do this, they must conduct a risk assessment and put in place physical, technical, and administrative safeguards appropriate to their size and complexity and the sensitivity of the customer information they hold. The rule also requires firms to train their employees on their information security program and practices.
Financial institutions must review their information security program periodically to ensure that it is effective in safeguarding customer information. They must also update their program in response to changes in their business or technology.
- The FTC's Safeguards Rule applies to all entities subject to the GLBA's provisions mandating information security plans. These include banks, savings associations, credit unions, securities broker-dealers, insurance companies, and money services businesses.
- Financial institutions must appoint someone to coordinate their information security program. They should develop reasonable policies and procedures to ensure that customer information is protected from unauthorized access or use. Financial institutions should train their employees on these procedures and take steps to detect and prevent attempted or actual unauthorized access to, or use of, customer information. Financial institutions should also periodically test their security measures. Lastly, they should develop an understanding of service providers' compliance with their obligations under any agreement or other arrangement they may have with a provider.
- Financial institutions must take reasonable steps to verify that customer information is protected while in transit over public networks. They should also encrypt all confidential customer information in transit. Lastly, they should have reasonable measures in place to prevent unauthorized electronic access to customer information that is stored on their systems.
- Financial institutions must take reasonable steps to physically secure all areas where customer information is stored, such as employee offices and file cabinets. They should also have electronic access control systems in place throughout their technology stack, including in cloud tools.