What does the recent amendment to the Safeguards Rule mean to your business?
11/03/2023 10:30 A.M.
The Federal Trade Commission announced an amendment to the Safeguards Rule in October 2023, which will require all institutions to notify the FTC within 30 days of certain security events.
The FTC defines these security events as breaches of unencrypted customer information involving 500 customers or more. Notifications must include the contact information of the reporting institution, a description of the information involved in the security event, the date of the security event, the number of impacted customers, and a general description of the security event.
ACA International members that are required to adhere to the Safeguards Rule must also adhere to this new requirement as it becomes effective 180 days after publication of the rule in the Federal Register. (Does your company need to comply with the Safeguards Rule? Read this blog post from TPx to find out.)
“With the updated GLBA Safeguards rule this fall, breach communication is more important than ever and a requirement within incident response plans,” said Jonathan Goldberger, senior vice president, security practice and strategic sales for TPx.
While the Safeguards Rule was initially published in 2021, it did not include notification requirements. According to the FTC, “Receipt of these notices will enable the [c]ommission to monitor for emerging data security threats affecting financial institutions and to facilitate prompt investigative response to major security breaches.”
The updates to industry regulations help organizations put the right cybersecurity measures in place to keep data secure while increasing defensibility.
If you have already partnered with ACA’s cybersecurity partner of choice, TPx, then you are compliant with the latest update to the Safeguards Rule. TPx has incorporated this amendment into its cybersecurity program.
ACA members that are not leveraging TPx for their cybersecurity program will need to make sure this requirement is reflected in their incident response plan and that an owner is assigned for how information will be reported.
Goldberger said that some best practices for small businesses include:
- Be aware of the federal, state and sector security and privacy laws. Every state is different, and you should not make assumptions about what is applicable to your organization.
- Understand where your sensitive data resides and how it is protected. Almost all requirements regarding breach notifications are relevant to a loss of sensitive data, not just any data.
- Define who is responsible for breach communications for internal purposes, regulatory bodies, press and business partners.
- Have a template message created ahead of time.
- Don’t go it alone—hire breach counsel to protect you, your company and your customers.
To keep customer information protected, it’s critical that all ACA organizations encrypt their data when at rest or in transit. As regulatory restrictions and your business allow, Goldberger recommended deleting old customer data that is no longer needed. By taking this action, you will be mitigating your risk of a large security breach event and minimizing the scope of potential impact.
Access ACA’s Safeguards Rule Resource Center here for compliance resources and ACA’s education as well as information from TPx. Webinar recordings related to the Safeguards Rule are available at ACA’s Store by selecting the Safeguards Rule topic.
For more information on GLBA Safeguards Rule and guidance on cybersecurity, stop by the TPx booth located in ACA Central at Fall Forum in Chicago, Nov. 8-10.
Protect Yourself
It’s critical to make sure your cyber liability insurance is current, and coverage is easy and affordable for ACA members. Collectors Insurance Agency (CIA), a subsidiary of ACA, provides members exclusive access to risk management products and services tailored to each member’s specific needs. Cyber insurance is an ever-changing market, and with the help of its partners Aon and Axis, CIA is helping members obtain the coverage they need to meet today’s and tomorrow’s challenges.
Remember, subscribe to ACA Daily and Member Alerts under your My ACA profile when logged in to acainternational.org to receive updates on the ACA Huddle.