Explained: FTC Safeguards Rule Compliance Deadline Delayed

Avatar photo
Steven Brown

Many companies are facing personnel shortages and supply chain issues that make the December 2022 FTC Safeguard Rule compliance deadline difficult. In response to the current situation and industry lobbying, the FTC extended the compliance deadline to June 9, 2023. While companies might be breathing a sigh of relief, they shouldn’t ignore the vital safety requirements the entire Safeguards Rule covers. Portions of the rule will soon apply to auto dealership cybersecurity and mortgage broker cybersecurity.

Mortgage Brokers and Auto Dealerships Can Now Wait Until June to Implement the Entire FTC’s Safeguards Rule – But Should They?

Sixty-four percent of companies worldwide have experienced at least one form of a cyberattack. As attacks become increasingly prevalent, responsible companies must take every precaution. The average data breach cost in 2022 for U.S. businesses is $9.44 million. While becoming compliant may seem like a hassle, paying a ransom, costly restorations to networks, or expensive lawyers and PR firms to repair your reputation could bring a business to its knees.

Auto dealerships, mortgage lenders, financial planners, and many other businesses considered “financial institutions” by the FTC have been scrambling to become compliant and avoid financial penalties. The provisions in the FTC Safeguards rule are critical safety measures every business should implement. Don’t let the extended deadline become an excuse to postpone necessary actions that keep your and your customers’ data safe. It takes time to implement the compliance requirements so start preparing now. The sooner your organization becomes compliant, the safer your data and your customers are.

The FTC Safeguards Rule Strengthens Data Security Safeguards

Companies covered by the Safeguards Rule must put provisions in place to protect customers’ personal information. Without these provisions, companies and their customers are vulnerable to security breaches and the potential for hackers to access sensitive data and allow it to end up in the wrong hands.

Last year the FTC updated the Safeguards Rule and shared a publication, FTC Safeguards Rule: What Your Business Needs to Know, with detailed requirements for covered businesses.

The six-month extension applies to the following provisions:

  • Designate a qualified individual to oversee their information security program.
  • Develop a written risk assessment.
  • Limit and monitor who can access sensitive customer information,
  • Encrypt all sensitive information.
  • Train security personnel.
  • Develop an incident response plan.
  • Periodically assess the security practices of service providers.
  • Implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information.

Detailed information about all the provisions can be found on the Federal Register Notice, and the FTC website also offers additional resources on the Safeguards Rule and Data Security. Each provision is an integral part of protecting sensitive information.

Cybersecurity threats are real, and breaches happen to businesses of all sizes. Taking protective measures now could prevent unimaginable damage to your business later.

If your company struggles to comply with the new rule, Airiam can help. We offer a free FTC safeguards assessment to help determine where your company stands regarding the law and protecting customer information. It can be challenging to accomplish compliance solely with an in-house team. Airiam’s experts work with organizations to determine where they need outside assistance to ensure compliance. Reach out to us if you’d like to discuss how the FTC Safeguards Rule impacts your business and what you need to do to avoid fines and potential breaches of sensitive data.

New Resources In Your Inbox

Get our latest cybersecurity resources, content, tips and trends.

Other resources that might be of interest to you.

What Is a Chief Resilience Officer? (And What Do They Do?)

We can’t stress enough to our clients that it’s not a matter of if but when they’ll face a cyberattack. It’s not just large companies that face threats—small and medium companies face risks too. Smaller organizations often lack staff and security resou
Avatar photo
Conor Quinlan
>>Read More

Multi-Factor Authentication (MFA) Keeps the Cybergoblins Away

Here’s a cybersecurity trick or treat for you. It’s Halloween. You hear the doorbell ring. Would you answer your door without looking to see who’s on the other side? Would you leave your door unlocked, knowing the night will be filled with strangers lo
Avatar photo
Andrew Betts
>>Read More

Why SMEs Need to Be Prepared for Ransomware Attacks

Preparing for Ransomware Attacks It seems like ransomware attacks have been continually in the news for the last several years. While we may be inundated with media reports of ransomware attacks targeting critical U.S. infrastructure or government agen
Vivian Lee
>>Read More