If you’ve paid attention to the news over the past few years, you’ve undoubtedly heard about data breaches that have exposed consumer data, such as names, addresses, social security numbers and bank account information, to unauthorized parties. And it’s not getting any better: cybersecurity threats are on the rise, contributing to a loss of both consumer trust and business revenue.

In an effort to protect consumer information, the FTC recently amended its Safeguards Rule to keep up with technological advances. The revisions went into effect June 9, 2023, providing updated guidance on data security and expanding the definition of “financial institution.”

Organizations that were not subject to the Rule in the past may fall under it now, and even organizations that were aware of their obligations under the Rule in the past may not yet be in compliance with all the new requirements.

Who the FTC Safeguards Rule applies to

The text of the Rule defines “financial institution” as “any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities.” Some of the examples given in the Rule include:

  • Real estate appraisers
  • Businesses that print and sell checks for consumers
  • Mortgage brokers
  • Credit counselors and other financial advisors
  • Businesses that operate a travel agency in connection with financial services
  • Automobile dealerships
  • Check cashers
  • Tax preparation firms
  • Collection agencies

It is crucial to note that “customer information” includes information about an organization’s customers and any information shared with it by other financial institutions, such as credit reporting agencies or mortgage brokers. Companies that maintain customer information for fewer than 5,000 consumers may be exempt from some (but not necessarily all) provisions of the Rule.

What the FTC Safeguards Rule requires

The Rule requires any organization that handles customer financial data to provide strict safeguards around sensitive customer information. The Rule also requires that organizations make their information-sharing practices available to consumers and inform them they have the right to prevent their information from being shared with third parties.

Organizations are required to designate a qualified individual to implement and supervise the company’s information security program; conduct a risk assessment; design administrative, technical, and physical safeguards; implement and monitor those safeguards; train staff appropriately; monitor service providers; create a written response plan; and keep the security program current.

Risks of non-compliance

The FTC can impose fines of up to $100,000 per violation, with an additional $10,000 levied against officers and directors. In addition, companies that fail to adequately protect customer data open themselves up to the possibility of civil lawsuits from consumers, which could result in additional financial and reputational damage.

How BPM can help

Despite the potential for stiff fines and penalties and the risk to their reputation, many companies are not yet in compliance. In many cases, they are simply not aware that they are subject to the new requirements. In other cases, they lack the knowledge or resources to comply.

BPM can help. We are proud to partner with Secentric to provide our clients with cybersecurity policies that keep them and their customers safe, with a selection of service plans designed for every budget and level of need. However big or small your company is, we can help you keep sensitive information safe, prevent data breaches, avoid penalties and fines, and protect your hard-won reputation. To learn more, ask us about our FTC Safeguards Security Program.
