Complying with the Safeguards Rule for information security.

Author: Slatten, Pamela

Evolving technology has created the need for advanced regulations regarding the safeguarding of customer data. In 2021, the Federal Trade Commission (FTC) updated the requirements of the Standards for Safeguarding Customer Information, known as the Safeguards Rule (16 C.F.R. Part 314) under the Gramm-Leach-Bliley Act, P.L. 106-102. A final rule issued on Dec. 9, 2022 (86 Fed. Reg. 70272) took effect retroactively to Jan. 10, 2022, but some provisions' requirements (listed below) were postponed and will go into effect on June 9, 2023.

The Safeguards Rule applies to all businesses significantly engaged in providing financial services, notably including professional tax preparers and CPA firms. The revised rules provide more concrete guidance for businesses while keeping pace with current technology and emerging threats. As part of the Safeguards Rule, covered financial services institutions--even sole proprietors and small firms--must develop, implement, and maintain a written information security plan that describes how the business will safeguard and protect its clients' nonpublic personal information. The plan must address administrative, technical, and physical safeguards to protect this information, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial services institution.

The scope of the information security plan should be tailored to the individual firm. The plan should be appropriate for the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the information involved. The plan for a sole proprietor will look different from that of a 10-person firm and vastly different from that of a multi-office operation. Exceptions from some requirements apply to firms and other covered financial services institutions that maintain customer information concerning fewer than 5,000 customers, as noted below (see 16 C.F.R. § 314.6). Regardless of the firm's size and complexity, however, the objectives of the plan are the same: to ensure the security and confidentiality of customer information, to protect against anticipated threats to its security, and to protect against unauthorized access to it.

Nine elements of an information security plan

Creating an information security plan to meet these objectives is an involved, multistep process--more than filling out a standard checklist or boilerplate document. Section 314.4 of the Safeguards Rule prescribes nine elements that must be included when developing, implementing, and maintaining an information security plan:

Designated individual in charge

Firms must designate a qualified individual to be responsible for overseeing, implementing, and enforcing the information security program. This individual may be either an employee or someone outside the firm; however, responsibility for compliance with the Safeguards Rule remains with the firm, and a senior member of the firm should be designated to oversee any outside party. Smaller firms may need to rely heavily on their IT vendor for a plan to secure digital information and may designate the IT vendor as the qualified individual if an owner or manager is not an optimal or suitable option.

Risk assessment

A risk assessment must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in its unauthorized disclosure, misuse, or other compromise. The risk assessment must assess the sufficiency of any safeguards in effect to control these risks and must be periodically performed and the safeguards reassessed.

For firms...
