FTC Safeguards Rule 2024

The Federal Trace Commission: FTC Safeguards Rule 2023

What is the FTC Safe Guards Rule?

The Federal Trade Commission (FTC) FTC Safeguards Rule requires companies to implement an Information Security Program (ISP) to protect consumer information. This program must include administrative, technical, and physical safeguards to ensure the confidentiality and security of consumer information. The ISP should protect against anticipated threats or hazards to the security or integrity of that information, as well as unauthorized access that could result in substantial harm or inconvenience to any customer.

In this blog post, we’ll provide an overview of the FTC Safeguards Rule and the required elements of an Information Security Program (ISP).


Required Elements of an Information Security Program

  1. Designate a Qualified Individual: Every company should designate a qualified individual to implement and supervise the company’s Information Security Program. The person doesn’t need a particular degree or title but real-world know-how suited to your circumstances. If a company hires a service provider to implement and supervise its program, it’s still the company’s responsibility to designate a senior employee to supervise that company.
  2. Conduct a risk assessment: After completing an inventory of the data, a company should conduct a risk assessment to determine foreseeable risks and threats to the security, confidentiality, and integrity of customer information. The risk assessment must be written and should include criteria for evaluating risks and threats. The Safeguards Rule requires companies to conduct periodic reassessments considering changes to their operations or the emergence of new threats.
  3. Design and implement safeguards: A company should design and implement safeguards to control the risks identified through the risk assessment. The Safeguards Rule requires companies to implement and periodically review access controls, encrypt customer information, assess apps, implement multi-factor authentication, dispose of customer information securely, anticipate and evaluate changes to the information system or network, maintain a log of authorized users’ activity, and regularly monitor and test the effectiveness of the safeguards.
  4. Train your staff: A company’s ISP is only as effective as its least vigilant staff member. Employees trained to spot risks can multiply the program’s impact. Therefore, companies should provide security awareness training to their employees, affiliates, or service providers with hands-on responsibility for carrying out the information security program.
  5. Monitor your service providers: A company should select service providers with the skills and experience to maintain appropriate safeguards. Your contracts must spell out your security expectations, build in ways to monitor your service provider’s work, and provide for periodic reassessments of their suitability for the job.
  6. Keep your information security program current: The only constant in cybersecurity is change. Companies must keep their ISP current and make changes when necessary to reflect the latest threats and countermeasures.

By implementing an ISP that meets the FTC Safeguards Rule requirements, companies can protect their customers’ data and reduce the risk of data breaches. It’s also important to regularly assess and update the ISP to stay ahead of evolving threats. Companies should also train their employees and service providers to be vigilant and prioritize data security.