We know, we know . . . you’re not a bank. But here’s the thing. If you’re one of the many professions covered by the Federal Trade Commission’s revised Standards for Safeguarding Customer Information (FTC Safeguards Rule) under the Gramm-Leach-Bliley Act, the government is, in fact, regarding you as a “financial institution.” The quicker you realize it, the better.
Don’t Know Much About (the) History
Here’s what happened. The original Rule went into effect in 2003, but times change fast, don’t they? Businesses started to rely on technology and digital data more and more; however, those same businesses weren’t always keeping up with technical safeguards appropriate to the amount and sensitivity of the digital data they store. This put people’s sensitive data, or customer information, at risk.
What does this have to do with the Federal Trade Commission, you ask? Part of the FTC’s mission is “protecting the public from deceptive or unfair business practices.” In other words, businesses have a duty to protect the security, confidentiality, and integrity of their customers’ data.
The result is a strengthened Rule (published at the end of 2022 but with two different enforcement dates in 2023) with a broader scope, more stringent requirements, and more written proof required for compliance.
So, Who’s In Scope?
So how do you know if you’re a “financial institution”? Well, you can try to work your way through Section 314.1(b) of the Rule, or you can go to a helpful guide the FTC produced as a resource: FTC Safeguards Rule: What Your Business Needs to Know. The list in the guide is long but not exhaustive:
mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that aren’t required to register with the SEC, and finders
You can’t be catty with this. You can’t say, “Oh, I don’t see my profession there; I’m good.” The key point is, if you have access to your clients’ personal financial information, you need to pay attention.
Wait, Schools are Financial Institutions?
If they participate in federal student financial aid (Title IV), yep.
As a matter of fact, we at Sterling Ideas are partnering with the following organizations to help career college owners and directors who now find their institutions subject to the Safeguards Rule. We’re providing these association names in case you are a school owner and want to join like-minded individuals who understand the challenges facing you.
- CECU | Career Education Colleges and Universities
- Florida Association of Postsecondary Schools and Colleges
- American Association of Cosmetology Schools | AACS
- Northwest Career Colleges Federation
OK, OK. What are the Requirements?
What does the FTC Safeguards Rule require? Uh, a lot.
Essentially, you need to implement and maintain a solid information security program, and that has many components. We’ve written other blog posts about it. Here’s one that can help a little: Compliance with the FTC Safeguards Rule | Sterling Ideas.
If you want a more thorough explanation, I encourage you to do two things:
- Read the Safeguards Rule for yourself. (Use that link in the first paragraph above.)
- Then book an appointment with me, and I’ll put it into English for you. (Just kidding, FTC! You did a fine) Here’s the link to get on my schedule – Book time with JoAnn Gardner: Free FTC Safeguards Rule Consultation
Who? Me Worry?
You might be wondering, “Do I really need to worry about this?” If you’re in scope of this Rule, the short answer is yes. The FTC takes protecting customer information seriously, and non-compliance can lead to hefty penalties and a whole mess of trouble.
Plus, it’s just the right thing to do. Cyberattacks are on the rise, and I don’t see that changing anytime soon, unfortunately. It’s important to secure your IT environment to protect your clients’ sensitive information.
Figure It Out
Commit to figuring out whether the revised FTC Safeguards Rule applies to you. If it does, start working on your information security program right away. After all, the enforcement deadlines have passed; you’re already supposed to be complying.
Commit to protecting your clients and your business.
So, are we talkin’ to you? We sure are.
Let me know how my team and I can help.
-JoAnn