Privacy Concerns Are Not Just for Goliath Anymore

May 10, 2023

Twenty years ago, the Federal Trade Commission (FTC) developed a set of five loose guidelines for securing personal data, aimed specifically at large financial institutions. With increased scrutiny of how personal data is protected, the FTC revised the guidelines and published a more detailed list of privacy practices, titled Standards for Safeguarding Customer Information (16 CFR Part 314), in December 2021. Along with more detailed requirements for securing personal data, the definition of “financial institution” was expanded to include many non-traditional businesses that now qualify as financial institutions.

The changed rules now apply to a different set of organizations than the original rules targeted, including medium-sized businesses that are not traditionally considered financial institutions. There is an exclusion for small businesses that maintain fewer than five thousand customer records. One effect of the rule change is the imposition of privacy requirements on organizations that are not covered by state-specific or international privacy rules. Because the FTC moved the start of enforcement out to June 2023, the scope of organizations required to comply continues to be refined.

Who Is Impacted by Safeguards?

The new rules target organizations that have not been perceived as financial institutions, yet handle and store personal data collected during financial transactions. Under the new rules, the following types of organizations are expected to comply:

  • Community banks
  • Real Estate and Property Appraisers
  • Check Printers
  • Travel Agencies
  • Colleges and Universities
  • Automobile Dealers
  • Mortgage Lenders
  • Payday Lenders
  • Finance Companies
  • Mortgage Brokers
  • Account Servicers
  • Check Cashers
  • Wire Transferors
  • Collection Agencies
  • Credit Counselors and other Financial Advisors
  • Tax Preparation Firms
  • Non-federally Insured Credit Unions
  • Investment Advisors (not required to register with the SEC)

Some traditional financial institutions are exempt from these regulations:

  • Banks and Savings and Loans Associations, which are subject to the data security and privacy standards set out by the Gramm-Leach-Bliley Act (GLBA)
  • Stockbrokers, Dealers, and Investment Advisors registered with the Securities and Exchange Commission (SEC)
  • Insurance Companies, which must follow the relevant state insurance laws
  • Federal Credit Unions, which are regulated by the National Credit Union Administration (NCUA)
  • Organizations regulated by the Farm Credit Administration (FCA) or Commodity Futures Trading Commission (CFTC)

What Are the Primary Rules Enforced Through the Safeguards?

Each Safeguards Rule, with an expanded description:

  • Review access controls: Set a formal cadence for periodically reviewing existing access controls, actively plan remediation steps, and document new requirements.
  • Compile a data inventory: Understanding where personal data is stored across the enterprise is a critical step in developing a plan to protect it.
  • Encrypt customer data: After identifying where personal data is collected, processed, and stored, apply encryption to the storage locations where personal data is found.
  • Assess security of applications: Inventory applications and determine which systems access personal data. Assess access to these applications, ensuring that only the right people have access to this data.
  • Implement multi-factor authentication: Secure access to the network, applications, and data through the implementation of multi-factor authentication.
  • Dispose of stale customer data: Remove stale data that contains personal information, based on the organization’s retention policy.
  • Evaluate all system or network changes: Develop a process to evaluate all system and network changes to ensure that personal data is not exposed by the change.
  • Monitor access to customer data: Implement a process that proactively monitors users who access personal data protected under the Safeguards Rule.
  • Assess Safeguards: Regularly review, monitor, and assess the success of the Safeguards program, identifying issues and determining remediation activities.

How Do Impacted Organizations Work Toward Compliance?

Privacy regulations are constantly changing and affecting the way organizations secure the personal data they hold. Remember: data privacy compliance is a journey, not a destination. For organizations that are new to privacy compliance, building a roadmap should be the first step in beginning the journey.

First Steps:

  • Delegate a qualified individual to oversee the Information Security program.
  • Discover, locate and classify all personal data.
  • Perform a risk assessment.

Steps to Maturity:

  • Limit and monitor who can access sensitive customer information.
  • Choose an encryption tool based on actual need (results from discovery).
  • Implement multi-factor authentication.

Tool To Consider for Compliance Kickoff

It is common for organizations that fall under the Safeguards Rule to have collected, processed, and stored personal data for years and to have lost track of where that personal data is kept. Understanding where the regulated data is located should be one of the first steps toward compliance. Many data discovery tools are built to support large organizations, like banks and insurance companies, and come with a price tag that is beyond reach for smaller firms.

Data discovery tools have evolved over the past decade to fit a wider range of business needs and scales. These tools can provide visibility across enterprise data storage, improving the organization’s security posture while remaining within a reachable budget for medium-sized organizations.

If you have questions about the Safeguards requirements and how they might affect your organization, click here to learn more about our offerings or drop us a line.

Howard Bayerle
SENIOR CONSULTANT DATA GOVERNANCE, PRIVACY AND PROTECTION | OPTIV
Howard Bayerle has over 20 years’ experience in both consulting and enterprise data management. His experience ranges from working with medium sized businesses to Fortune 500 corporations. Howard has a passion for helping organizations establish good governance that returns quality data and identifies security needs.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.