Sedona Technologies Insights

Understanding FTC's Safeguards Rule for Dealers

Written by Adam at Sedona Safeguard | Apr 17, 2024 7:09:49 PM

The purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.

Why is this relevant to dealers?

For dealers, especially those that connect customers with lenders (also known as "finders", a subset of "Financial Institutions"), there is a series of requirements around managing the data security of non-public customer information. Specifically, the Safeguards Rule requires companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

What does the Safeguards Rule require companies to do?

The Rule defines customer information to mean “any record containing non-public personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” The Rule covers information about your own customers and information about customers of other institutions that have provided that data to you.

What does a reasonable information security program look like?

The Safeguards Rule identifies nine elements that your company’s information security program must include:

  1. Designate a Qualified Individual to Implement and Supervise Your Company’s Information Security Program
  2. Conduct a Risk Assessment
  3. Design and Implement Safeguards to Control the Risks Identified Through your Risk Assessment
  4. Regularly Monitor and Test the Effectiveness of Your Safeguards
  5. Train Your Staff
  6. Monitor Your Service Providers
  7. Keep Your Information Security Program Current
  8. Create a Written Incident Response Plan
  9. Require Your Qualified Individual to Report to Your Board of Directors

The FTC has a great explanation of each of these nine elements in its article, "FTC Safeguards Rule: What Your Business Needs to Know". For more information, please read the aforementioned article by the FTC.