Cybersecurity Compliance with FTC Safeguard Rules

December 28, 2022

The Federal Trade Commission (FTC) develops and deploys regulations and rules to thwart the onslaught of cybercrime and data security breaches. The FTC accomplishes its cybersecurity mission by imposing protective standards upon businesses that collect and store consumer data. This blog article will offer an overview of cyberfraud and the current rules governing businesses involved with collecting consumer data. The article will also present proposed solutions to protect consumer privacy and maintain the security of customer information.

What businesses do the cyber protection rules affect?

The scope of financial institutions subject to this law consists of businesses undertaking certain monetary activities rather than how others may categorize the company. These financial institutions must fall under the jurisdiction of the FTC. They cannot be subject to another regulatory authority falling under the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. Section 6805. The companies affected by these rules include businesses engaged in transactions and customer data collection.

List of Businesses Required to Implement FTC Safeguard Rules

  • Mortgage lending
  • Payday loans
  • Financing
  • Accounting
  • Check cashing
  • Wire transfers
  • Collections
  • Credit counseling
  • Financial advising
  • Tax preparation
  • Investment advising (not registered with the SEC)
  • Credit unions (not FDIC insured)
  • Companies that bring buyers and sellers together to complete a transaction
  • Financial institutions and other businesses that record, use, and maintain information or connect to a system containing customer information, including “industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems”1
  • Retailers who extend layaway, deferral payment plans, or accept payment terms utilizing credit cards issued by other institutions do not fall under the provisions of these rules. However, businesses that provide credit purchases through their company’s financial services or promote their own credit cards for purchases are subject to these laws2

Whom does the law protect?

The design of the law is to protect consumer privacy and personal information. Consumers include anyone who has a customer relationship with a business entity.3

Why was this FTC network security rule enacted?

Most businesses collect customer information to process payments and complete transactions. This information is then stored and often used in subsequent purchases. These records contain nonpublic personal information about the customer. This data may take on two forms, a paper record or an electronic transcription. In either form, the records are vulnerable to discovery and digital exploitation attacks. The FTC rules seek to protect consumer privacy, personal information, and financial data from known threats.

Cybercrime losses exceeded $6.9 billion in 2021 according to the Investigation’s (FBI) Internet Crime Complaint Center (IC3).4 Since 2019, the combination of phishing, vishing, smishing, and pharming constituted the highest number of incidents among the tools employed by cybercriminals. During 2021, this combination of cyber threats accounted for 323,972 incidences5 and $44,213,023 in losses.6 Ransomware losses to infrastructure entities cost nearly $50,000,000 in 2021. Healthcare and public health sectors experienced high numbers of attacks. Even government is subject to these attacks, accounting for the fifth highest target.7 The T-Mobile confirmation of one of the largest breaches of cybersecurity occurred on August 17, 2021. The T-Mobile data breech reported the confirmed loss of the social security number, name, address, date of birth and driver’s license identification numbers–all the information needed for identity theft–for 40 million customers.8

Cyber threats are rampant. Many occur without detection for an extended time. Electronic thieves constantly work to develop new ways to steal data and derive profit from criminal activity. Most disturbing are cybercriminals posing as technical support or IT professionals, offering to resolve data breach issues in an effort to further exploit and commit additional fraud and theft. The IC3 received 23,903 complaints about Tech Support Fraud from victims in 70 countries. The losses amounted to more than $347 million in 2021.9 Below is a list of common forms of cybersecurity crimes and 2021 losses.

The Cost of Cybercrimes

Cyberfraud Loss
Email Fraud $2,395,953,296
Investment $1,455,943,193
Confidence Fraud $956,039,740
Personal Data Breach $517,021,289
Real Estate $350,328,166
Tech Support $347,657,432
Non-Payment/Non-Delivery $337,493,071
Identity Theft $278,267,918
Credit Card $172,998,385
Corporate Data Breach $151,568,225
Government Impersonation $142,643,253
Advance Fee $98,694,137
Civil $85,049,939
Spoofing $82,169,806
Other $75,837,524
Lottery/Sweepstakes/Inheritance $71,289,089
Extortion $60,577,741
Ransomware *$49,207,908
Employment $47,231,023
Phishing/Vishing/Smishing/Pharming $44,213,707
Overpayment $33,407,671
Computer Intrusion $19,603,037
Intellectual Property/Copyright/Counterfeit $16,365,011
Healthcare $7,042,942
Malware/Scareware/Virus $5,596,889
Terrorism/Threats of Violence $4,390,720
Gambling $1,940,237
Shipping $631,466
Denial of Service/TDoS $217,981
**Crimes Against Children $198,950

*Regarding ransomware adjusted losses, this number does not include estimates of lost business, time, wages, files, or equipment, or any third-party remediation services acquired by a victim. In some cases, victims do not report any loss amount to the FBI, thereby creating an artificially low overall ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim reporting directly to FBI field offices/agents.10
**Crimes against children incur a significantly higher cost than any financial burden.

The Growth of E-commerce and Information Technology

Retail e-commerce sales rose to approximately 5.2 trillion U.S. dollars globally in 2021,11 a 17.1% growth rate12. Statista studies and projects year-over-year (YOY) growth of e-commerce. In the United States, e-commerce growth projections show an increase of 56% through 2026.13 This explosive growth utilizes information technology (IT) to help businesses expand their markets while reducing transaction costs.

Business is not the only entity benefiting from using IT. Governments also benefit by allowing consumers to pay taxes and utilities, register vehicles, and request building permits online. As the use of IT grows to serve increasing business needs, the risk of cyber security threats also grows. Malware, trojans, ransomware, DDoS attacks, spam, and viruses yielded by cyber criminals are rampant. Government laws and regulations seek to reduce consumer cyber risks by requiring businesses to “employ reasonable security measures.”14 Most often, these protective security measures experience delays and implement long after significant breaches occur. Indeed, the detection of security vulnerabilities occurs after criminal exploitation, not before.

What are the FTC Safeguard Rules?

The Safeguard Rules adopted many core concepts of the New York Department of Financial Services Cybersecurity Regulation. These new measures direct businesses to reduce the vulnerability of information to cybercriminals and impose breach notification procedures.15 Legal researchers Daniel Solove and Woodrow Hartzog assert that the FTC’s privacy laws are currently equivalent to common law rather than contract law. They further suggest that these laws should enforce privacy and stand as regulatory stipulations rather than merely policy.16 The new FTC Safeguard Rule along with other government rules on cybersecurity are not without objections; some indicate that the regulations employ an inflexible “one-size-fits-all” tactic toward data security. Therefore, additional rules enacted on January 10, 2022, provide “financial institutions the flexibility to design an information security program appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.”17

The rules require businesses, particularly financial institutions, that record consumer information “to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards.” The security program must protect customer confidentiality and guard against unauthorized access to consumer information. The provisions provide nine standards for a rosbust information security program (ISP).

Nine Standards for CyberSecurity

  1. Appoint a qualified individual to supervise the ISP.
  2. Conduct a risk assessment.
  3. Implement security safeguards to control the identified risks, including safe information storage, encryption, multi-factor authentication, information disposal after 2-years of non-use, and maintaining a log of authorized user activity. To meet these safeguards, some IT companies offer three separate Network and Data Security Plans.
  4. Periodically monitor and test.
  5. Train staff members on security awareness. Some IT Service Companies offer FREE Cybersecurity Training.
  6. Monitor service providers.
  7. Regularly update the ISP.
  8. Develop a written incident response plan.
  9. The ISP supervisor must provide at least annually a written report to the company board of directors. The annual report must include an overall assessment of the company’s compliance, risk assessment, risk management, control decisions, test results, security events, management response, recommendations, and service provider agreements.18

When will businesses be accountable for implementing the new cybersecurity rules?

The Federal Trade Commission establishes a deadline for businesses to comply with the FTC Safeguards Rules by June 9, 2023. Announced on November 15, 2022, this date is an extension of six months over a previous deadline. The extended deadline offers businesses more time to assess their data vulnerabilities and put the nine standards of information security in place.19

Future Cybersecurity Measures

Besides the government, many individuals and organizations are active in developing solutions to global cybersecurity issues. Proposals for future measures to protect consumers from privacy and data breaches include the following six proposals.

  1. Develop cybersecurity partnerships that share information on prospective threats.20
  2. Develop a cybersecurity knowledge graph to construct a knowledge base for increased cybersecurity situation awareness and intrusion detection.21 & 22
  3. Develop a web-based blockchain-enabled cybersecurity awareness system23 & 24
  4. Employ an unsupervised deep learning technology like an Auto Encoder (AE) or a Restricted Boltzmann Machine (RBM). 25
  5. Engage governments under binding international treaties to enact and enforce cybersecurity laws, particularly China and Russia.26
  6. Stimulate regulations of cybersecurity within the European Union through the Cybersecurity Resilience Act.27

Summary

Privacy and security threats are not going away. Businesses cannot rely on government legislation to curb the tide of data security breaches. Implementation of the nine standards for consumer privacy and information security included in the FTC Safeguard Rules will help protect against known network vulnerabilities. The above proposed security measures may also contribute to stemming data theft. The starting point for most businesses is to implement a Comprehensive Network Analysis. From this point, the development of a strong security plan follows to comply with federal rules and to protect consumers.

Footnotes

LinkedIn
Facebook
X

Related Articles

cybersecurity-compliance
Read More
it-services-vs-managed-it
Read More
printer-vulnerabilities
Read More