FTC extends deadline by six months for compliance with some changes to financial data security rules

March 21, 2023  |  Nahla Davies

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In a highly connected, internet-powered world, transactions take place online, in person, and even somewhere in between. Given the frequency of digital information exchange on our devices, including smartphones and smart home gadgets, cybersecurity has never been more important for protecting sensitive customer information. In response, the US Federal Trade Commission has rolled out updated measures to ensure that customers’ details are fully protected. 

Due to supply chain issues and qualified employee shortages, however, the FTC has granted a six-month extension on the original deadline, so businesses and financial institutions now have more time to complete the required changes. This article will look at the updated federal data security measures and how they will impact businesses. 

Updated federal data security measures

In November, the United States Federal Trade Commission announced that it would grant a six-month extension for companies that have yet to update their security measures in compliance with updated FTC standards. 

The new deadline for businesses and financial institutions to implement the required changes will be June 9, 2023. By that point, all businesses must have updated their policies and procedures in keeping with the Financial Data Security Rule, also known as the Safeguards Rule.

Initial changes to the Safeguards Rule

Initially, the Federal Trade Commission approved changes to the Safeguards Rule in October 2021. These changes included updated criteria for financial institutions, providing more specific requirements about which safeguards they must include in their information security programs. 

Some of these updates to the Safeguards Rule were implemented 30 days after the rule was published in the Federal Register, while other specific criteria were on track to be implemented on December 9, 2022. 

Why has the deadline been extended?

The deadline has been extended to June 2023 due to reports presenting compelling arguments for postponing the required implementation. The Small Business Administration’s Office of Advocacy, for example, filed a letter addressed to the FTC. The letter stated that several factors would bar companies from effectively implementing these updated security requirements in the allotted time. 

Between supply chain issues that could cause delays in transporting essential equipment for the requisite security system upgrades, and a widespread shortage of qualified information security experts who could implement the changes on time, the letter from the SBA convincingly spelled out why businesses would need more time to complete the security system upgrades in compliance with FTC rules. 

The global COVID-19 pandemic further exacerbated these issues, making it difficult for small-scale businesses and financial institutions to meet the deadlines. The FTC voted unanimously to approve this deadline extension.

Reasons for FTC data security rule updates

The changes to the Financial Data Security Rule are meant to ensure that financial institutions put sufficient security measures in place to keep their customers’ personal information safe from any hacking attempts. Boosting the data security of financial institutions is vital to strengthening the overall cybersecurity of the country’s interconnected financial networks. 

Given the increasing rates of identity theft and financial fraud attempts, this is an essential form of protection. In 2021, for instance, the FTC encountered almost 390,000 reports of credit card fraud alone, making this the most common type of financial fraud in the United States. Since credit card fraud can often be enacted during unsecured store transactions, the FTC is determined to bolster security measures at every level. 

The FTC Safeguards Rule updates apply to in-person businesses, financial institutions, and online platforms, including the more recent cryptocurrency industry. Since 2009, more than 6,600 distinct cryptocurrencies have been released. With such a sustained influx of different cryptocurrencies, regulations have been slow to catch up in comparison to other trading platforms such as forex or options trading. Now the FTC is working to ensure that online and cryptocurrency transactions are sufficiently secure. 

What does this mean for businesses?

Businesses and financial institutions will need to get busy implementing the necessary changes. For example, companies may need to update their software to remain in compliance with the updated FTC rules. 

This process can take time, as companies will need to search for highly capable technical writers to document the software adjustments. According to Shaun Connell, technical writers and documentation creators must be involved in the software update project from the start. So to meet the June deadline, businesses will need to make this security update a top priority. 

Who does it affect?

Banks are not affected by the Safeguards Rule, but any other non-banking financial institutions, including motor vehicle dealers, payday lenders, and mortgage brokers, will need to update their security protocols by the deadline. 

Depending on the specific institution and its pre-existing security setup, businesses may need to create, enact, and maintain a strong security system that will protect their customers’ sensitive information, such as financial details, home address, personal preferences, and even name, age, and gender. 

Cybercriminals can use any and all of this information to steal customers’ identities, so setting up a comprehensive security protocol will ensure that customers’ details are safe throughout every transaction.

Specific provisions under the extended deadline

Not all the updated criteria of the Safeguards Rule are affected by this six-month-long extended deadline. The specific provisions that businesses and financial institutions must enact by June 9, 2023, are as follows:

  • Appoint a highly qualified individual to oversee the new information security program.
  • Encrypt all sensitive information that passes through a business’s servers and systems. 
  • Appoint and train security personnel who can manage and oversee the updated security systems and enact any security protocols in case of a cybersecurity breach. 
  • Craft an incident response plan so that clear protocols are established. 
  • Write a comprehensive risk assessment of their current security system. 
  • Enact ongoing monitoring of who has access to sensitive customer details within the company.
  • Limit who has access to sensitive customer details within the company. 
  • Set up multi-factor authentication for any company member who attempts to access customer data, or implement another authentication system that provides equal protection. 
  • Conduct periodic assessments of the security practices used by their service providers to ensure added layers of security between businesses as well. 

These measures may require significant lead times to be well-established and running effectively by the June deadline. But once they are set up, they should provide significant additional security for all business-to-customer interactions. 

Government policies to prevent cybersecurity threats

At the core of these required security protocol updates is protection for customers. These necessary government policies have individual consumers’ security in mind and rely on multiple layers of cooperation and adjustment to keep sensitive data safe. Businesses and financial institutions will have to cooperate with the widespread Safeguards Rule implementation to fulfill Federal Trade Commission standards designed to prevent cybersecurity threats from taking effect.
