Under this Financial Privacy Rule, the FTC and the other agencies that enforce the rule regulate how companies may collect and share customer information. They also enforce the Safeguard Rule, another provision designed to hinder unlawful access to customer information; it requires all financial institutions to establish and maintain safeguards that protect sensitive customer data from being accessed illegally or under false pretenses by companies or individuals.
These rules apply to businesses of all sizes that are significantly engaged in providing financial services or products, including mortgage brokers, nonbank lenders, and real estate or personal property appraisers. Companies covered by the rule are also responsible for taking measures to ensure that their service providers and associates protect the customer data in their custody.
Under the Safeguard Rule, companies must write an information security plan that details how they will protect customer data. The plan must be appropriate to the nature and scope of the company's business, the size of the company, and the sensitivity of the customer data it collects.
According to the Financial Privacy Rules, a company's plan must:
- Assess the risks to customer information in each relevant area of the company's operations, and evaluate how effective the current safeguards are at managing those risks.
- Develop and apply a protection program and monitor it often to ensure it is effective.
- Designate the appropriate employees to coordinate the information security plan.
- Select service providers that can maintain the proper safeguards, and oversee their handling of customer data.
- Evaluate and adjust the plan so that it remains relevant to the company's situation, including changes in the results of security testing and monitoring or changes in the company's business operations.
Securing Consumer Information
The Safeguard Rule also requires companies to assess the risks to customer information in every area of their operations, including information systems, the detection and management of system failures, and employee management and training, and then to address those risks accordingly.
Some safeguards the FTC suggests companies could implement include:
- Check the references and background of prospective employees before hiring them into roles that will have access to customer information.
- Continuously remind all employees of the company's policies as well as the legal requirements to keep customer information confidential and safe.
- When security policies are violated, impose disciplinary measures to correct the violation.
- When transmitting sensitive financial data, such as credit card information, use a secure connection, such as Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS), so that the information is protected while in transit.
- Utilize anti-spyware and anti-virus software that updates regularly.
- Maintain up-to-date firewalls, especially when using broadband internet connections or when allowing employees to access the company's network from off-site locations.
- Use up-to-date security software that warns you of intrusions.
- Use screensavers that lock employees' computers after a period of inactivity, so that no one can gain access to the computer without a password.
- Caution customers against providing sensitive data, such as account numbers, via emails or pop-up messages that prompt them to do so.
- Alert customers if their personal data is at risk of identity theft or other related harm as a result of a serious breach.
- Notify law enforcement of any breach that may involve unlawful behavior, or where there is evidence that the breach has resulted in identity theft or other harm.
Law enforcement action can be taken against companies that violate consumers' privacy rights or mislead consumers by failing to maintain the protection of customer data, resulting in considerable harm. The FTC also enforces other federal laws regarding customer confidentiality and security.