Are You Ready for the Updated FTC Safeguards Rule?

For businesses across a wide range of industries, it’s never been more important to ensure their data security programs are aligned with the Federal Trade Commission’s (FTC) rigorous requirements for safeguarding customer information. Otherwise, these organizations may be subject to various costly and disruptive sanctions.

But there’s no reason to panic. Businesses that fall under the requirement can begin implementing a compliant and sound information security program by first educating themselves on the nuances of the updated Standards for Safeguarding Customer Information Rule. Then, by working with their existing technology vendors, businesses can confidently ensure their current platforms adhere to the FTC’s requirements for safeguarding customer data.

What is the FTC Safeguards Rule?

The FTC Safeguards Rule has been in place since 2002. It requires financial institutions under the commission’s purview to develop, implement and maintain a comprehensive security program to keep their customers’ information safe.

However, the commission issued a revised version of its rule in December 2021 that brings non-banking financial institutions within its scope, including automotive dealers, mortgage brokers, accountants, travel agencies, retailers that extend credit, and other “finders” (companies that bring together buyers and sellers that negotiate and agree on a product or service with financial activities). Companies violating the rule can potentially be subject to fees and penalties.

The final rule went into effect on January 10, 2022, and was initially planned to be enforceable starting December 9, 2022. However, the FTC has extended the deadline to June 9, 2023, to give companies more time to review their security measures.

Who does the FTC Safeguards Rule affect?

All organizations that maintain more than 5,000 customer records and have a “continuing relationship” with their customers (that is, they provide one or more financial products or services used for personal, family or household purposes) are required to adhere to the rule. Examples of a continuing relationship include those where a customer has a credit or investment account, obtains a loan, or purchases insurance from the firm.

In addition, organizations that fit the finder definition are also considered non-bank financial institutions under the rule. The role of finder refers to the act of bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate. This regularly applies to dealers of automobiles and other motor vehicles—such as RVs, boats and ATVs—but it can potentially apply to other retailers that extend credit to consumers.

What steps should businesses take to comply?

To comply with the new rule, affected businesses are required to maintain a rigorous information security program that covers eight critical areas. These businesses must:

  • Implement and periodically review access controls
  • Know what customer information is kept and where it’s maintained 
  • Encrypt customer data both while it’s housed in business systems and in transit
  • Assess all applications
  • Implement multi-factor authentication for anyone accessing customer information on business systems
  • Dispose of customer information securely
  • Anticipate and evaluate changes to business information systems and networks
  • Maintain a log of authorized users’ activity and monitor for unauthorized access

However, for businesses to substantially comply with the rule, they must not only comprehensively analyze their own systems against these requirements but also ensure that each vendor that touches customer data meets the same requirements.

Organizations under the rule should act quickly to implement these steps, as the extended enforcement date for the revised Safeguards Rule is June 9, 2023. We encourage all affected businesses to consult their legal and IT departments for guidance.

Is your customer information secure?

Even if your business is currently outside this regulation’s parameters, it’s an excellent opportunity to review how you safeguard sensitive customer data. After all, according to two studies, almost half of surveyed customers are willing to spend 20% more on companies they trust, while 84% are more loyal to companies with strong security controls. There are simply too many options for consumers to stick around with companies that aren’t safeguarding their data.

Contracts and agreements undergird how companies interact with customers and vendors, and they’re filled with proprietary and personal information. These documents are a natural starting point for reviewing your current security controls. Docusign takes security and privacy extremely seriously by ensuring our platform complies with stringent security certifications and globally recognized standards while providing a range of tools to help gain more control and visibility over these agreements.

Safeguarding customer data can be achieved with advanced document management technology. For example, using leading administrative tools, organizations can quickly implement and adjust access controls to specific agreements based on business needs. Likewise, internal and external access to agreements can be controlled and authenticated using various multi-factor authentication methods, including single sign-on (SSO), SMS authentication and knowledge-based identity verification.

Secure data retention and disposal can be managed through document retention and retrieval solutions, while organizations can maintain vigilant monitoring of authorized and unauthorized access with round-the-clock, automated logging of agreement activity.

This information should not be interpreted as legal advice. If your business is impacted by the FTC Safeguards Rule, or even if you’re unsure, we strongly encourage you to consult your legal and IT department.

For more information, register now for our webinar: “The Updated FTC Safeguards Rule - What it is and what you need to know” happening on May 11 at 10 am PT.

To learn more about how Docusign can help your organization achieve its security goals and safeguard customer information in its contracts and agreements, reach out to your Docusign representative or contact sales today.