Compliance with the FTC Safeguard Rules Deadline – 9 New CyberSecurity Standards

 

Date: December 28, 2022
By Barry Preusz
Edited and reviewed by Michael Moorehead, Senior MIT Engineer Lead, PCSNA, CCNA, MCSA, CSIS, CSCP, CIOS, CSSS, CCAP, CLNP

 

The Federal Trade Commission (FTC) develops and deploys regulations and rules to thwart the onslaught of cybercrime and data security breaches. The FTC accomplishes its cybersecurity mission by imposing protective standards upon businesses that collect and store consumer data. This blog article will offer an overview of cyberfraud and the current rules governing businesses involved with collecting consumer data. The article will also present proposed solutions to protect consumer privacy and maintain the security of customer information.

What businesses do the cyber protection rules affect?

The scope of financial institutions subject to this law consists of businesses undertaking certain monetary activities rather than how others may categorize the company. These financial institutions must fall under the jurisdiction of the FTC. They cannot be subject to another regulatory authority falling under the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. Section 6805. The companies affected by these rules include businesses engaged in transactions and customer data collection.

List of Businesses Required to Implement FTC Safeguard Rules

• Mortgage lending
• Payday loans
• Financing
• Accounting
• Check cashing
• Wire transfers
• Collections
• Credit counseling
• Financial advising
• Tax preparation
• Investment advising (not registered with the SEC)
• Credit unions (not FDIC insured)
• Companies that bring buyers and sellers together to complete a transaction
• Financial institutions and other businesses that record, use, and maintain information or connect to a system containing customer information, including industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems¹
• Retailers who extend layaway, deferral payment plans, or accept payment terms utilizing credit cards issued by other institutions do not fall under the provisions of these rules. However, businesses that provide credit purchases through their company’s financial services or promote their own credit cards for purchases are subject to these laws²

Whom does the law protect?

The design of the law is to protect consumer privacy and personal information. Consumers include anyone who has a customer relationship with a business entity.³

Why was this FTC network security rule enacted?

Most businesses collect customer information to process payments and complete transactions. This information is then stored and often used in subsequent purchases. These records contain nonpublic personal information about the customer. This data may take on two forms, a paper record or an electronic transcription. In either form, the records are vulnerable to discovery and digital exploitation attacks. The FTC rules seek to protect consumer privacy, personal information, and financial data from known threats.

Cybercrime losses exceeded $6.9 billion in 2021 according to the Investigation’s (FBI) Internet Crime Complaint Center (IC3).⁴ Since 2019, the combination of phishing, vishing, smishing, and pharming constituted the highest number of incidents among the tools employed by cybercriminals. During 2021, this combination of cyber threats accounted for 323,972 incidences⁵ and $44,213,023 in losses.⁶ Ransomware losses to infrastructure entities cost nearly $50,000,000 in 2021. Healthcare and public health sectors experienced high numbers of attacks. Even government is subject to these attacks, accounting for the fifth highest target.⁷ The T-Mobile confirmation of one of the largest breaches of cybersecurity occurred on August 17, 2021. The T-Mobile data breech reported the confirmed loss of the social security number, name, address, date of birth and driver’s license identification numbers--all the information needed for identity theft--for 40 million customers.⁸

Cyber threats are rampant. Many occur without detection for an extended time. Electronic thieves constantly work to develop new ways to steal data and derive profit from criminal activity. Most disturbing are cybercriminals posing as technical support or IT professionals, offering to resolve data breach issues in an effort to further exploit and commit additional fraud and theft. The IC3 received 23,903 complaints about Tech Support Fraud from victims in 70 countries. The losses amounted to more than $347 million in 2021.⁹ Below is a list of common forms of cybersecurity crimes and 2021 losses.

The Cost of Cybercrimes

*Regarding ransomware adjusted losses, this number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim. In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim reporting directly to FBI field offices/agents.¹⁰
**Crimes against children incur a significantly higher cost than any financial burden.

The Growth of E-commerce and Information Technology

Retail e-commerce sales rose to approximately 5.2 trillion U.S. dollars globally in 2021,¹¹ a 17.1% growth rate¹². Statista studies and projects year-over-year (YOY) growth of e-commerce. In the United States, e-commerce growth projections show an increase of 56% through 2026.¹³ This explosive growth utilizes information technology (IT) to help businesses expand their markets while reducing transaction costs.

Business is not the only entity benefiting from using IT. Governments also benefit by allowing consumers to pay taxes and utilities, register vehicles, and request building permits online. As the use of IT grows to serve increasing business needs, the risk of cyber security threats also grows. Malware, trojans, ransomware, DDoS attacks, spam, and viruses yielded by cyber criminals are rampant. Government laws and regulations seek to reduce consumer cyber risks by requiring businesses to “employ reasonable security measures.”¹⁴ Most often, these protective security measures experience delays and implement long after significant breaches occur. Indeed, the detection of security vulnerabilities occurs after criminal exploitation, not before.

What are the FTC Safeguard Rules?

The Safeguard Rules adopted many core concepts of the New York Department of Financial Services Cybersecurity Regulation. These new measures direct businesses to reduce the vulnerability of information to cybercriminals and impose breach notification procedures.¹⁵ Legal researchers Daniel Solove and Woodrow Hartzog assert that the FTC’s privacy laws are currently equivalent to common law rather than contract law. They further suggest that these laws should enforce privacy and stand as regulatory stipulations rather than merely policy.¹⁶ The new FTC Safeguard Rule along with other government rules on cybersecurity are not without objections; some indicate that the regulations employ an inflexible “one-size-fits-all” tactic toward data security. Therefore, additional rules enacted on January 10, 2022, provide financial institutions the flexibility to design an information security program appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.¹⁷

The rules require businesses, particularly financial institutions, that record consumer information to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards. The security program must protect customer confidentiality and guard against unauthorized access to consumer information. The provisions provide nine standards for a rosbust information security program (ISP).

Nine Standards for CyberSecurity

1. Appoint a qualified individual to supervise the ISP.
2. Conduct a risk assessment.
3. Implement security safeguards to control the identified risks, including safe information storage, encryption, multi-factor authentication, information disposal after 2-years of non-use, and maintaining a log of authorized user activity. To meet these safeguards, some IT companies offer three separate Network and Data Security Plans.
4. Periodically monitor and test.
5. Train staff members on security awareness. Some IT Service Companies offer FREE Cybersecurity Training.
6. Monitor service providers.
7. Regularly update the ISP.
8. Develop a written incident response plan.
9. The ISP supervisor must provide at least annually a written report to the company board of directors. The annual report must include an overall assessment of the company’s compliance, risk assessment, risk management, control decisions, test results, security events, management response, recommendations, and service provider agreements.¹⁸

When will businesses be accountable for implementing the new cybersecurity rules?

The Federal Trade Commission establishes a deadline for businesses to comply with the FTC Safeguards Rules by June 9, 2023. Announced on November 15, 2022, this date is an extension of six months over a previous deadline. The extended deadline offers businesses more time to assess their data vulnerabilities and put the nine standards of information security in place.¹⁹

Future Cybersecurity Measures

Besides the government, many individuals and organizations are active in developing solutions to global cybersecurity issues. Proposals for future measures to protect consumers from privacy and data breaches include the following six proposals.

1. Develop cybersecurity partnerships that share information on prospective threats.²⁰
2. Develop a cybersecurity knowledge graph to construct a knowledge base for increased cybersecurity situation awareness and intrusion detection.^{21 & 22}
3. Develop a web-based blockchain-enabled cybersecurity awareness system^{23 & 24}
4. Employ an unsupervised deep learning technology like an Auto Encoder (AE) or a Restricted Boltzmann Machine (RBM). ²⁵
5. Engage governments under binding international treaties to enact and enforce cybersecurity laws, particularly China and Russia.²⁶
6. Stimulate regulations of cybersecurity within the European Union through the Cybersecurity Resilience Act.²⁷

Summary

Privacy and security threats are not going away. Businesses cannot rely on government legislation to curb the tide of data security breaches. Implementation of the nine standards for consumer privacy and information security included in the FTC Safeguard Rules will help protect against known network vulnerabilities. The above proposed security measures may also contribute to stemming data theft. The starting point for most businesses is to implement a Comprehensive Network Analysis. From this point, the development of a strong security plan follows to comply with federal rules and to protect consumers.

Footnotes

• ¹FTC Safeguards Rule: What Your Business Needs to Know. Federal Trade Commission, May 2022. Glossary, Financial institution. Accessed 14 Dec. 2022. https://www.ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know#Information_system.
• ²Code of Federal Regulations Title 16. Standards for Safeguarding Customer Information. National Archives. 16 CFR Part 314, Section 314.2(h) Amended 12/19/2022. Accessed 23 Dec. 2022. www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#314.2
• ³Code of Federal Regulations Title 16, Section 314.1(b). www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#314.2
• ⁴Abbate, Paul. Internet Crime Report 2021. Federal Bureau of Investigation. 2021, Page 18. Accessed 16 Dec. 2022. www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf.
• ⁵Abbate, Internet Crime Report 2021, 8.
• ⁶Abbate, Internet Crime Report 2021, 23.
• ⁷Abbate, Internet Crime Report 2021, 15.
• ⁸Sievert, Mike. The cyberattack against T Mobile and our customers: What happened, and what we are doing about it. (2021). Accessed 22 Dec. 2022. www.t-mobile.com/news/network/cyberattack-against-tmobile-and-our-customers
• ⁹Abbate, Internet Crime Report 2021, 17.
• ¹⁰Abbate, Internet Crime Report 2021, 23.
• ¹¹Chevalier, Stephanie. Global Retail E-commerce Sales 2014-2026. Statista, 21 Sept. 2022, Accessed 15 Dec. 2022. www.statista.com/statistics/379046/worldwide-retail-e-commerce-sales.
• ¹²Gaubys, Justas. Global Retail E-commerce Sales 2014-2026. Global Ecommerce Sales Growth (2021–2026) [Oct 2022 Update]. Accessed 15 Dec. 2022. www.oberlo.com/statistics/global-ecommerce-sales-growth.
• ¹³Chevalier, 1.
• ¹⁴Breaux, Travis D., and David L. Baumer. Legally ‘reasonable’ security requirements: A 10-year FTC retrospective. Computers & Security 30.4 (2011): 178-193. Accessed 14 Dec. 2022. www.sciencedirect.com/science/article/pii/S0167404810001124.
• ¹⁵Casey, Brian T., Augustinos, Theodore P., and Cox, Alexander R. New Federal Trade Commission’s Safeguards Rule Is a Game-Changer for Extended Warranty and GAP Waiver Industries. Accessed 14 Dec. 2022. heinonline.org/HOL/LandingPage?handle=hein.journals/blj139&div=85&id=&page=.
• ¹⁶Solove, Daniel J., and Woodrow Hartzog. The FTC and the new common law of privacy. Colum. L. Rev. 114 (2014): 583. Accessed 14 Dec. 2022. heinonline.org/HOL/LandingPage?handle=hein.journals/clr114&div=19&id=&page=.
• ¹⁷Federal Trade Commission. Standards for safeguarding customer information; final rule. 16 CFR Part 314. Federal Register, May (2002). Accessed 14 Dec. 2022. www.federalregister.gov/documents/2021/12/09/2021-25736/standards-for-safeguarding-customer-information.
• ¹⁸FTC Safeguards Rule: What Your Business Needs to Know. Federal Trade Commission. May, 2022. Glossary, Financial institution.
• ¹⁹FTC Extends Deadline by Six Months for Compliance With Some Changes to Financial Data Security Rule. Federal Trade Commission, 15 Nov. 2022, Accessed 23 Dec. 2022. www.ftc.gov/news-events/news/press-releases/2022/11/ftc-extends-deadline-six-months-compliance-some-changes-financial-data-security-rule.
• ²⁰Rodin, Deborah Norris. The cybersecurity partnership: A proposal for cyberthreat information sharing between contractors and the federal government. Public Contract Law Journal 44.3 (2015): 505-528. Accessed 16 Dec. 2022. www.jstor.org/stable/26419479.
• ²¹Yan, Jia; Yulu, Qi; Huaijun, Shang; Rong, Jiang; Aiping, Li. A practical approach to constructing a knowledge graph for cybersecurity. Engineering 4.1 (2018): 53-60. Accessed 16 Dec. 2022. www.sciencedirect.com/science/article/pii/S2095809918301097.
• ²²Wang, Xiaodi, and Jiayong Liu. A novel feature integration and entity boundary detection for named entity recognition in cybersecurity. Knowledge-Based Systems (2022): 110114. Accessed 16 Dec. 2022. www.sciencedirect.com/science/article/abs/pii/S0950705122012102
• ²³Razaque, A.; Al Ajlan, A.; Melaoune, N.; Alotaibi, M.; Alotaibi, B.; Dias, I.; Oad, A.; Hariri, S.; Zhao, C. Avoidance of Cybersecurity Threats with the Deployment of a Web-Based Blockchain-Enabled Cybersecurity Awareness System. Appl. Sci. 2021, 11, 7880. Accessed 16 Dec. 2022. www.mdpi.com/2076-3417/11/17/7880.
• ²⁴Lucio, Yeisón Isaac, Siler Amador Donado, and Katerine Márceles. Architecture of an intelligent cybersecurity Framework based on Blockchain technology for IIoT. SYSTEMS ENGINEERING 24.2-2022. Accessed 16 Dec. 2022. revistaingenieria.univalle.edu.co/index.php/ingenieria_y_competitividad/article/download/11761/14962/45117.
• ²⁵M. Z. Alom and T. M. Taha, Network intrusion detection for cyber security using unsupervised deep learning approaches, 2017 IEEE National Aerospace and Electronics Conference (NAECON), 2017, pp. 63-69, doi: 10.1109/NAECON.2017.8268746. Accessed 16 Dec. 2022. ieeexplore.ieee.org/abstract/document/8268746.
• ²⁶Alom, Md Zahangir, and Tarek M. Taha. Network intrusion detection for cyber security using unsupervised deep learning approaches. 2017 IEEE national aerospace and electronics conference (NAECON). IEEE, 2017. Accessed 16 Dec. 2022. www.cambridge.org/core/journals/leiden-journal-of-international-law/article/abs/from-cyber-norms-to-cyber-rules-reengaging-states-as-lawmakers/63A45029B685C11BBD9512AC0459FAE5.
• ²⁷Ludvigsen, Kaspar Rosager, and Shishir Nagaraja. The Opportunity to Regulate Cybersecurity in the EU (and the World): Recommendations for the Cybersecurity Resilience Act. arXiv preprint arXiv:2205.13196 (2022). Accessed 16 Dec. 2022. pureportal.strath.ac.uk/en/publications/the-opportunity-to-regulate-cybersecurity-in-the-eu-and-the-world.