The FTC’s expanded Safeguards Rule will require companies to notify customers and the FTC of cyber breaches that were previously exempt from reporting requirements. Previously, only banks were required to notify customers of breaches, but now entities that engage in bank-like activities will be subject to the same requirements. This means that businesses such as car dealerships and check cashing services may be subject to additional reporting requirements if they do not adequately protect customer data. If your business provides lending services to consumers, you should consult with an attorney to understand your responsibilities under these new rules.
Starting in 2021, the Federal Trade Commission (“FTC”) is taking additional steps to protect U.S. consumer data and privacy through the expansion of the “Safeguards Rule.” The Safeguards Rule sets out the FTC’s standards for protecting customer information. See 16 CFR § 314. These standards are based on Sections 501 and 505(b) of the Gramm-Leach-Bliley Act (“GLBA”), a federal law enacted in 1999 to reform the financial industry and impose requirements to protect customer data and privacy. Historically, the GLBA was understood to apply specifically to banks. The types of businesses affected have been expanded by redefining the term “financial institution” to include businesses that provide certain bank-like services to the general public. Title 16 of the Code of Federal Regulations, Section 314.2(h), defines “financial institution” as follows: “[a]ny institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956, 12 USC 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”
What businesses are now subject to the Safeguards Rule? The rule now reaches some unexpected business activities. Fortunately, 16 CFR 314.2(h)(2) lists examples, including:
1) Retailers that extend credit by issuing their own credit cards to consumers.
2) Car dealerships.
3) Personal property or real estate appraisers.
4) Career counselors who specialize in providing career counseling services to individuals currently employed by, or recently retired from, financial institutions.
5) Businesses that print and sell checks to consumers.
6) Businesses that regularly send money to and from consumers.
7) Check cashers or businesses that print and sell checks to consumers.
8) Accountants or tax preparation services.
9) Businesses operating a travel agency in connection with financial services.
10) Businesses providing real estate settlement services.
11) Mortgage Brokers.
12) Investment advisory firms and credit counseling services.
13) A company that acts as an intermediary in bringing together one or more buyers and sellers of products or services for transactions that are negotiated and completed by the parties themselves.
One key element of the Safeguards Rule is that all financial institutions, including the entities brought in by the expanded scope, will be required to report data security incidents, which are defined as “notification events” under the rule. Businesses covered by the rule must report when the information of more than 500 consumers is involved. This is down from the previous threshold of 1,000 people. Companies need to understand the answers to two questions. First, does your business fall under the expanded definition of a “financial institution”? If so, when does your company need to notify the FTC and its customers?
Affected businesses must notify the FTC and consumers of database breaches when a “notification event” occurs. A “notification event,” as defined in 16 CFR 314.2(m) of the Safeguards Rule, is “the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” If an unauthorized person gains access to the encryption key, the information is considered unencrypted. For example, if someone hacks your email and uses your saved passwords, they can automatically gain access to various websites where sensitive information is stored, such as payroll. Or, if someone hacks your email and your login name and passcode are the same as your SharePoint login, they gain access to the SharePoint site where your company’s encrypted data is stored. Customer information subject to the Safeguards Rule includes “any record containing nonpublic personal information” such as account numbers, social security numbers, home address information, or “personally identifiable financial information.” 16 CFR 314.2(d). In an ironic shift of responsibility, unauthorized acquisition is presumed unless the affected financial institution can provide reliable evidence that the unauthorized acquisition of, or access to, the customer information did not occur or could not reasonably have occurred.
Not all breaches require notification. A notification event is triggered only when customer information is acquired by someone who does not have authorization to acquire it. No notification is required if the trigger is an employee’s misuse of information. Storing data in an encrypted format also changes the notification requirements: no notification is required if the customer information is encrypted, provided the encryption keys were not accessed by an unauthorized individual. Companies subject to the Safeguards Rule must report a triggering notification event to the FTC within 30 days from the date of discovery. Discovery means the first day on which an employee, officer or other agent of the company becomes aware of the event. Reports must be submitted via an electronic form on the FTC website. All submitted reports will be published publicly in an online searchable database.
What happens if companies don’t comply? When it comes to enforcement of the Safeguards Rule, the FTC takes violations very seriously. The FTC can impose fines of up to $100,000 for each violation, and directors and business officers may be subject to individual fines. Liability extends beyond paying fines and penalties to the FTC. Affected consumers and employees can sue companies directly for data privacy violations. A breach can also damage a company’s reputation, impacting its profitability and growth potential.
Like other parts of the U.S. government, the FTC is tightening its requirements and wants consumers to have more protection and visibility against unauthorized access to their information. There is no excuse for ignoring the FTC Safeguards Rule. If your business may be subject to the revised Safeguards Rule, you should consult the appropriate experts as soon as possible, with the assistance of an attorney. Our experts can help you remediate your business to reduce risk and costs and implement a compliant information security program.
The business reality: the cost of compliance is much lower than the cost of penalties, fines and litigation for non-compliance.