Cybersecurity risks pose a serious threat to mergers and acquisitions and demand careful assessment of the safety measures target companies employ to protect internal systems and data. However, in today’s environment, where companies increasingly rely on third parties for critical business functions such as payroll, inventory control, and sales and marketing, it is even more crucial that those assessments extend to business partners and service vendors. The more businesses outsource, the more data they share and the greater the risk of a security breach.
Effective June 9, 2023, certain businesses engaged in financial services activities must comply with the Federal Trade Commission’s Standards for Safeguarding Customer Information Rule (Safeguard Rule), which requires the development, implementation and maintenance of appropriate policies, systems and other defenses to protect customers’ personal information from cyberattacks and other threats. However, many businesses remain unaware that they fall under these far-reaching regulations and are unsure of what they must do to come into compliance.
Who Must Comply with the Safeguard Rule?
Congress introduced the Standards Rule in 1999 as a part of the Gramm-Leach-Bliley Act, which aimed to reform the financial services industry and protect the privacy of consumers’ “nonpublic personal information” (NPI). The law broadly defines financial institutions to include those entities significantly engaged in activities that are “financial in nature or incidental to such financial activities,” including lending, exchanging, transferring, investing and safeguarding money and securities; providing financial, investment and economic advisory services; brokering and servicing loans; providing real estate settlement services; debt collecting and bringing together buyers and sellers of any product or service for transactions that are covered by the rule. Under this definition, the law applies to the following types of non-banking financial businesses:
- Accounting and Tax-Preparation Firms
- Car Dealerships that Lease Automobiles for Periods Longer than 90 days
- Check Cashing Companies
- Check Printing Companies
- Collection Agencies
- Credit Counselors
- Credit Unions that are not federally insured
- Finance Companies
- Financial Advisors
- Finders that bring together buyers and sellers who then negotiate and consummate transactions
- Insurance Companies
- Investment Advisors
- Mortgage Brokers and Lenders
- Pay-Day Lenders
- Payroll-Services Providers
- Real Estate Appraisers and Settlement Companies
- Real Estate Settlement Companies
- Retailers that extend credit to customers via store credit cards
- Travel Agencies operating in connection with a financial services firm
- Wire Transferors and other Wire Services Businesses
How Can My Business Comply with the Safeguard Rule?
At the crux of the Safeguard Rule is the importance of securing and protecting sensitive customer data against threats and unauthorized access that could cause substantial harm to those customers. By adopting these measures, businesses may build trust with their customers and minimize their potential risks of legal action and reputational damage.
While the required level of compliance will depend on a variety of factors, including the size and complexity of the business and the extent of customer data it collects, all businesses must meet the following minimum requirements.
- Designate a qualified person to manage and regularly assess the company’s information security program (ISP)
- Develop a written risk assessment of systems and methods for collecting, storing and sharing customer data
- Design, implement and periodically review safeguards to minimize assessed risks
- Employ systems and policies for encrypting customer data
- Draft and send to customers a written policy of information-sharing practices
- Train employees on security-awareness policies and protocols
- Limit who has access to customer information
- Implement multi-factor authentication (MFA) and keep a log of authorized users’ activity
- Assess and regularly monitor third-party service providers and their ability to protect and store customer data adequately
- Draft a plan for responding to security events
Businesses that fail to comply with these rules risk FTC investigations, legal action and steep penalties of as much as $11,000 per day per breach as well as an additional consent violation penalty that can be as high as $43,000 per day. To avoid these charges and the probability of irreparable reputational damage, organizations should instead meet with their trusted advisors to ensure they comply with the rules of the law.