3 August 2023 / Scott J. Best

New FTC Safeguard Rules: Staying Compliant in the World of Collections

Data security is one topic that is top of mind in today’s business environment, as there are daily news stories about cyberattacks which result in the exposure of personally identifying information, such as Social Security Numbers, birthdays, and addresses. Further exposure occurs when sending information via email, which, while convenient and fast, is not always secure. 
 
In an attempt to ensure that confidential and sensitive personal and financial information is maintained and secured, the Federal Trade Commission (FTC) has established many standards, and corresponding requirements, for various industries, most specifically financial institutions. Since the Safeguards Rule was first implemented in 2003 under the Gramm-Leach-Bliley Act, there have been significant changes in cybersecurity as well as the nature, frequency, and ferocity of cyberattacks. In an attempt to better secure consumer information, the FTC implemented new rules which went into effect in June of this year.
 

The new FTC Safeguard Rules set forth several requirements that must be met. Those requirements include:

  1. Encrypt all customer information held or transmitted by the business.
  2. Restrict access to authorized persons only, and limit the information available to each person to what is necessary to perform their duties or functions. Multi-factor authentication should be used.
  3. Designate a specific qualified employee to oversee and implement an information security program.
  4. Adopt procedures for evaluating and testing the security of external applications and devices used to transmit, access, or store consumer information.
  5. Staff must be trained, and retrained, on security awareness, and there must be policies and procedures designed to monitor and log the activities of authorized users and to determine whether there have been unauthorized users and/or tampering with consumer information.
  6. Perform regular assessments of security practices and procedures, testing information security and access, confidentiality, and the integrity of the system.
  7. Develop a response plan if and when a security breach occurs.
  8. If the business maintains data on more than 5,000 consumers, there must be continuous monitoring and periodic assessments to detect changes and monitor for vulnerabilities.
  9. Data disposal procedures must be created to ensure secure disposal of consumer personal identifying information within two years of last providing products or services to the consumer.
 
Additionally, and perhaps more importantly, these changes will apply not only to what have historically been viewed as financial institutions. Instead, the updated Safeguard Rules will apply to any business engaged “in an activity that is financial in nature or incidental to” financial activities. Businesses now subject to the new requirements include, but are not limited to, mortgage lenders and brokers, payday lenders, collection agencies, motor vehicle dealers, tax preparation firms, credit counselors, financial and investment advisors, non-federally insured credit unions, and businesses that regularly wire money to and from consumers. While the new rules expanded who is required to comply with the Safeguards Rule, businesses with fewer than 5,000 consumers are exempt from some provisions of the updated Rule. However, it is recommended that all businesses take the steps necessary to ensure consumer data and information are protected, and doing so may be required by state-specific laws.
 
Failure to comply with the new standards can result in fines up to $100,000 per violation and potential lawsuits related to a data breach. If you are subject to the new Safeguard Rules and are not in compliance with the updated rules, it is recommended you come into compliance without delay.
Our team is constantly monitoring these changes. If you have any questions on this topic, please contact attorney Scott Best at any time.
 
This blog is not a solicitation for business and it is not intended to constitute legal advice on specific matters, create an attorney-client relationship or be legally binding in any way.
