FTC Safeguards Rule Deadline Extension | Blumira Insights

Note: The FTC has provided documentation around what requirements are included in the six-month extension, but what’s less clear is which requirements are not included. Here, we’ve provided our interpretation on the extended deadline, based on FTC documentation and expert knowledge. Blumira is not acting in any advisory capacity and any impacted companies should seek legal counsel if they need clarification on what requirements may be delayed.

On November 15, 2022, the Federal Trade Commission (FTC) announced a six-month extension for companies to comply with certain updated requirements of the Gramm-Leach-Bliley Act’s Safeguards Rule, a set of data security provisions covered financial institutions must implement to protect their customers’ personal information. The new deadline for a subset of the rule requirements is June 9, 2023.

The FTC announced updates to the Safeguards Rule in October 2021. While many provisions of the updated rule became operational 30 days after publication in the Federal Register, other sections were due to go into effect on December 9, 2022. 

Which Requirements Have An Extended Deadline?  

Specifically, the provisions affected by the six-month extension include the following requirements:

• Designate a qualified individual to oversee their information security program
• Develop a written risk assessment
• Limit and monitor who can access sensitive customer information
• Encrypt all sensitive information 
• Train security personnel 
• Develop an incident response plan 
• Periodically assess the security practices of service providers
• Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information

Although the FTC doesn’t specify that the following two requirements are affected by the extension, common sense would dictate that they are also delayed. It’s impossible to require a qualified individual to report to a board of directors without first appointing a qualified individual, for example. 

• Require your Qualified Individual to report to your Board of Directors
• Design and implement safeguards to control the risks identified in your risk assessment

This means that only the sections listed above are delayed until June 2023. 

What Doesn’t Fall Under The Extended Deadline? 

According to our interpretation, these requirements still have the deadline of December 9, 2022:

• Know what you have and where you have it (Data and systems inventory)
• Review security of in-house and third party apps
• Dispose of customer information securely
• Anticipate and evaluate changes to your information systems
• Maintain a log of user activity and monitor for unauthorized access
• Regularly monitor and test the effectiveness of your safeguards (Vulnerability scanning and penetration testing)
• Train all staff with access to consumer data on how to detect and avoid threats
• Keep your information security program current

Some of the requirements are closely related, making it difficult to complete one without the other. For example, the FTC Safeguards rule requires that you develop an information security program. This requirement has not changed, but some elements of the security program — for example, designating a qualified individual to oversee the program — have been extended, which is a bit contradictory as an information security program should ideally be developed in partnership with the individual who will manage it. Strictly from a compliance standpoint, only some elements of the information security program need to be implemented by December 9th, and the company would have another 6 months to train and install a person into a supervisory role. 

Other items that have not been delayed and are due by December 9, 2022 are to perform a data and systems inventory, and pentest and vulnerability scans. Data and systems inventory should be a high priority for existing IT staff, as this information would be critical in implementing both delayed and non-delayed requirements. Inventories would also need to be in place to properly engage with pentest services, as well as to set the scope for periodic internal and external vulnerability assessments. A data and systems inventory is one of the first items to be developed for any information security program, so this should be started without delay.

Other effective and important security controls that are not delayed include audit log monitoring and retention, and employee security awareness training. There are many suitable vendors on the marketplace that are prepared to help you comply with the FTC Safeguards Rule. Blumira can help with audit log monitoring, supporting over 75 products on the market, including Windows workstations and servers, all major firewall brands, and both Office 365 and Google Workspace.

Organizations that need to comply with the FTC Safeguards Rule should push forward with implementing all aspects of the rule as soon as possible. A quality implementation that provides meaningful protection of protected consumer financial data will take time, and some elements of the rule are still due by December 9th.

How Blumira Helps You Comply With The FTC Safeguard Rule

Blumira’s cloud-based SIEM platform helps auto dealers, mortgage brokers, tax preparers, and other FTC-compliant organizations meet the monitoring and detection requirement with:

• User activity monitoring – Blumira helps you detect signs of attacker behavior, sending real-time alerts in under 50 seconds with instructions on how to respond faster
• Audit trails of log history – Blumira gives you up to a year of data retention immediately available for investigation and incident response assistance
• Access to a 24/7 security team – For any urgent priority issue, Blumira’s team is available to help you with security questions and guided response

Blumira can help support many other FTC security requirements, including:

• Incident response plan – Blumira’s SIEM provides historical reports on system data so you can dig deeper into analyzing security incidents. Our playbooks and findings data cut down on manual investigation for faster incident response.
• Customer information access controls – Connect Blumira to your systems to log user access activity and permissions changes.
• Data encryption – All logs collected from your systems are encrypted within Blumira’s platform. Our platform also identifies legacy protocols in your traffic to further reduce risk.
• Pen-testing and vulnerability assessments – Blumira alerts you to attacks that most SIEMs cannot (like AS-REP Roasting), and gives you guidance on testing that our SIEM can detect attacker behavior so you can easily pass your yearly pentest.

Download our free checklist to learn options for satisfying the requirements of the Safeguard Rule.