The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.

This publication serves as the small entity compliance guide under the Small Business Regulatory Enforcement Fairness Act. Your best source of information is the text of the Safeguards Rule itself. In reviewing your obligations under the Safeguards Rule, consider these key compliance questions.

How do you know if your business is a financial institution subject to the Safeguards Rule?

The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. First, consider that the Rule defines “financial institution” in a way that’s broader than how people may use that phrase in conversation. Furthermore, what matters are the types of activities your business undertakes, not how you or others categorize your company. According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k).” To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC. The 2021 amendments to the Safeguards Rule add a new example of a financial institution – finders. Those are companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction.

Here is another key consideration for your business. Even if your company wasn’t covered by the original Rule, your business operations have probably undergone substantial transformation in the past two decades. As your operations evolve, consult the definition of financial institution periodically to see if your business could be covered now. Section 314.2(h) of the Rule lists four examples of businesses that aren’t a “financial institution.” In addition, the FTC has exempted from certain provisions of the Rule financial institutions that “maintain customer information concerning fewer than five thousand consumers.”

What does the Safeguards Rule require companies to do?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” (The definition of “nonpublic personal information” in Section 314.2(l) further explains what is – and isn’t – included.) The Rule covers information about your own customers and information about customers of other financial institutions that have provided that data to you.