Phone: 630-495-2282 Fax: 630-495-2260 Map/Directions

FTC's Safeguards Rule governs treatment of personal information

November 24, 2010

As part of its implementation of the Gramm-Leach-Bliley Act, the Federal Trade Commission has issued a rule to require financial institutions under its jurisdiction to safeguard customer records and information. The Safeguards Rule applies to organizations that are significantly engaged in providing financial products and services to consumers, such as non-bank lenders and personal property appraisers. The Safeguards Rule requires financial institutions to develop a written information security plan that describes their program to protect customer information.

All programs must be appropriate to the financial institution's size and complexity. Security plans must:

• Designate the employee(s) to coordinate the safeguards; 
• Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of current safeguards for controlling those risks; 
• Design a safeguards program, and detail plans to monitor it; 
• Select appropriate service providers and require them (by contract) to implement the safeguards; and 
• Evaluate the program and explain adjustments in light of changes to its business arrangements or the results of its security tests.

Experts suggest that three areas of operation present special challenges and risks to information security: 1. Employee training and management; 2. Information systems, including network and software design, and information processing, storage, transmission and retrieval; 3. Security management, including the prevention, detection and response to attacks, intrusions and other system failures.

The Safeguards Rule can be reviewed on the FTC Web site, To determine if a company is considered a financial institution, check Section 313.3(k) of the FTC Privacy Rule and related materials at glbact/index.html/ Many financial institutions' transactions with customers involve the collection of personal information such as names, addresses and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.

The Gramm-Leach-Bliley Act, which took effect July 1, 2001, requires financial institutions to take steps to ensure the security and confidentiality of that kind of customer data that they collect.