New FTC Safeguards Rule: What Insurance Agencies Need To Know
Another day, another regulation.
To keep pace with the ever-changing cybersecurity landscape, the Federal Trade Commission recently updated their Gramm-Leach-Bliley era 2003 Safeguards Rule. The new Standards for Safeguarding Customer Information are far more in-depth, and do a great job of bringing this regulation to the modern era.
Now, I know what you’re thinking: Does the FTC Safeguards rule even apply to Agencies? Well, that ultimately depends on what types of services your Agency provides. But before we make a decision, let’s review what’s involved.
Key Aspects of the new FTC Safeguards Rule:
Determine Applicability and Scope of the Safeguards Rule (Section 314.2(h)):
- Understand whether your insurance agency qualifies as a covered entity under the FTC Safeguards Rule. The definition is quite vague, so I’d recommend erring on the side of caution.
- Identify the types of non-public personal information (NPI) that your agency handles, including customer details, financial records, and medical information.
- Ensure compliance with the rule’s requirements based on the size, nature, and scope of your agency’s operations.
Conduct A Risk Assessment (Section 314.4(b)):
- Your Information Security Program should be based on an assessment of foreseeable risks.
- Your risk assessment should include recommendations and requirements for mitigating discovered risks.
Develop a Comprehensive Information Security Program (Section 314.3(a)):
- Establish an information security program specifically tailored to your insurance agency’s unique needs, risks, and compliance obligations.
- Conduct a comprehensive risk assessment to identify vulnerabilities in your agency’s systems, networks, and processes.
Implement robust security measures, including data access controls, encryption protocols, secure transmission methods, and secure storage of customer data.
Appoint a Dedicated Data Protection Officer (DPO) or Team (Section 314.4(a)):
- Designate a competent individual or team responsible for overseeing the implementation and enforcement of your agency’s information security program.
- Ensure the DPO or team possesses expertise in data protection, privacy regulations, and the insurance industry’s specific requirements.
- Provide the necessary authority and resources to the DPO or team to effectively address data security concerns and communicate with stakeholders.
Design and Implement Safeguards and Controls (Section 314.4(c)):
- Apply the Principles of Least Privilege.
Implement encryption and multi-factor authentication. - Establish policies for data retention and destruction.
Regularly Test and Monitor Your Security Controls (Section 314.4(d)):
- Implement solutions that deliver continuous monitoring.
- Monitor for new vulnerabilities in the environment.
- Consider the need for penetration testing.
Train Employees on Data Security Best Practices (Section 314.4(e)):
- Develop and implement a comprehensive training program to educate employees on data security best practices.
- Cover topics such as secure data handling, password management, phishing awareness, and incident reporting procedures.
- Conduct regular training sessions and reinforce good security practices throughout the agency.
Implement Vendor Management Practices (Section 314.4(f)):
- Evaluate the security practices of third-party vendors and service providers who have access to customer data or handle sensitive information.
- Implement stringent vendor management procedures, including due diligence assessments, contractual obligations, and ongoing monitoring of vendor compliance.
- Regularly review and update agreements with vendors to ensure they align with the FTC Safeguards Rule’s requirements.
Establish Incident Response and Data Breach Notification Procedures (Section 314.4(h)):
- Develop an incident response plan that outlines the steps to be taken in the event of a data breach or security incident.
- Ensure the plan covers incident detection, containment, investigation, mitigation, and recovery.
- Familiarize yourself with relevant breach notification laws and establish procedures to comply with reporting obligations in the event of a breach.
Report Your Cybersecurity Status and Progress At Least Annually (Section 314.4(i)):
- Your Data Protection Officer or Team should provide written updates to the Governing Body at least annually.
- These updates should include the overall status of the Information Security Program (implementation, compliance, and effectiveness).
- Material milestones and deficiencies should also be reported.
Regularly Assess and Update Your Information Security Program (Section 314.4(g)):
- Conduct periodic reviews and assessments of your information security program to identify and address emerging risks, technological advancements, and changes in regulatory requirements.
- Stay updated on best practices and industry standards for data security and privacy in the insurance industry.
- Continuously improve your program based on lessons learned from incidents, audits, and feedback from employees and stakeholders.
As you can see, these new Standards for Safeguarding Customer Information closely resemble other industry regulations, such as NAIC Insurance Data Security Model Law and NY’s 23 NYCRR 500 (watch our recent webinar on the 23 NYCRR 500 changes) so we should already be well on our way to meeting these new requirements. So while the FTC Safeguards rule may or not apply to your Agency, I would strongly encourage you to bake these requirements into your existing Cybersecurity Program. It will be minimal effort for the reward of knowing there’s one less thing you have to worry about.
How Kite Technology Can Help
Ready to take proactive steps in ensuring your agency’s compliance with industry cybersecurity regulations? Let Kite Technology be your trusted partner in this journey. With our expertise in insurance industry regulations and cybersecurity, we are well-equipped to guide you through the evaluation process and implement a tailored Cybersecurity Program for your agency. Contact us today to discuss your specific needs and goals. Together, we’ll fortify your data protection measures and ensure your agency remains secure and compliant.
Jason Gobbel
Chief Solutions Officer
Kite Technology Group