FTC Offers Guidance on How to Protect Customer Information

To help businesses understand and comply with its May 2002 Financial Information Safeguards Rule, the Federal Trade Commission has issued a new "Facts for Business" publication, Financial Institutions and Customer Data: Complying with the Safeguards Rule.

In this new publication, the FTC emphasizes that strong security practices are not only required by law, but also make good business sense. Institutions that show customers they care by protecting them against identity theft and fraud will garner consumer confidence.

The Safeguards Rule requires that financial institutions under the FTC's jurisdiction ensure the security and confidentiality of personal information collected from their customers, such as names, addresses, phone numbers, bank and credit card account information, credit history, and Social Security numbers. The Rule is posted at www.ftc.gov/privacy/glbact, and businesses can determine if they are covered by checking section 313.3(k) of the FTC's Privacy Rule.

Financial institutions subject to the Rule are required to develop a written information security plan that describes, among other things, the specific ways their employees should protect consumer information. The plan must be appropriate to the business's size and complexity, the nature and scope of its activities, and the sensitivity of the information its employees encounter, and must be regularly monitored.

When implementing the Safeguards Rule, a company must consider all areas of its operation, including three that are particularly important to information security: employee management and training; information systems; and managing system failures.

To implement a solid plan, the FTC suggests that companies covered by the Rule train employees about basic security measures such as: locking rooms and/or filing cabinets where records are kept, using strong password-activated screen savers (passwords should be at least eight characters long and should contain both letters and numbers), changing passwords frequently, and reporting any fraudulent attempt to obtain customer information to the appropriate law enforcement agencies. Companies may also want to check the references of any potential employees who would have access to customer information, and ask each new employee to sign an agreement to follow the confidentiality and security standards for handling that information.

The Safeguards Rule also requires financial institutions to maintain security within their information systems - which include network and software design as well as  information processing, storage, transmission, retrieval, and disposal. To accomplish this, the new publication suggests that companies should consider, among other things: storing all records in a secure area, providing for secure data transmission, and disposing of customer information in a secure manner. Similarly, in order to prevent and manage system failures, the new publication suggests that companies should respond to any security breach in a timely manner; regularly update firewalls and antivirus software; and install patches to repair software vulnerabilities.

The FTC provides additional guidance at www.ftc.gov/privacy/glbact and on its new Internet security Web site, www.ftc.gov/infosecurity.

To obtain additional consumer information or copies of this publication, visit http://www.ftc.gov/bcp/menu-media.htm The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or to get free information on consumer issues, visit http://www.ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY 1-866-653-4261. The FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies worldwide.