As you may have already heard, the Federal Trade Commission has postponed the deadline for some of the FTC safeguard provisions. The extension moves the deadline for certain components of the rule to June 9, 2023. The FTC is citing supply chain issues and personnel shortages carried over from the COVID-19 pandemic as reasons for the delay.
Although more time has been provided to complete some of these safeguards, it is important to continue compliance efforts. The FTC has recognized that, in the current environment, it was unrealistic to expect auto dealers to achieve full compliance within one year, because so much work is required. The additional six months are more realistic, provided efforts are continuous. It is also important to note that the absence of these safeguards still poses a significant security risk for organizations.
The FTC is urging those impacted to continue efforts towards compliance, stating: “Delaying the effective date of these portions of the amended Safeguards Rule will allow financial institutions additional time to effectively and efficiently bring their information security programs into compliance with the Rule.” The National Auto Dealers Association has also issued a notice, urging its members to continue in their efforts.
Based on the brief statement the FTC released, it appears the requirements listed directly below are the only ones that have been granted an extension. This still leaves a significant number of requirements with their deadlines unchanged that must be completed by December 9th.
Deadline changed to June 9, 2023:
314.4(a) Designate a Qualified Individual
314.4(b)(1) Perform a Risk Assessment
314.4(c)(1) Address Risks Identified in Risk Assessment
314.4(c)(3) Encrypt Data at Rest and in Transit
314.4(c)(5) Multi-Factor Authentication
314.4(e) Security Awareness Training
314.4(f) Oversee Service Providers
314.4(h) Establish an IR Plan
Deadline unchanged, December 9, 2022:
314.4(c)(2) Identify and Manage Data, Personnel, Devices, Systems, and Facilities
314.4(c)(4) Software Development Life Cycle
314.4(c)(6) Securely Dispose of Data
314.4(c)(7) Change Management
314.4(c)(8) Log Activity of Authorized Users and Detect Unauthorized Access
314.4(d)(1) Test or Otherwise Monitor Effectiveness of Controls
314.4(d)(2) Continuous Monitoring or Penetration Testing
314.4(g) Update Information Security Program Based on Results of Testing and Monitoring from Part (d)
314.4(i) Written Report by Qualified Individual (assigning a Qualified Individual is delayed, but there is currently no mention of delaying the requirement for an annual report).
Our Recommended Course of Action
We urge all our clients to remain diligent in their efforts towards full compliance with all parts of the rule, prioritizing those that still carry the December 9th deadline. We are here to aid in that prioritization and will shift our focus accordingly. We are also available to answer any questions or concerns you may have.
Some FTC Safeguard Provision Deadlines Postponed
The following information regarding the extension is available from authoritative FTC sources:
FTC Business Blog Post: https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023
Federal Register Notice: https://www.ftc.gov/legal-library/browse/federal-register-notices/16-cfr-part-314-standards-safeguarding-customer-information
Concurring Statement of Commissioner Christine S. Wilson: https://www.ftc.gov/legal-library/browse/cases-proceedings/public-statements/concurring-statement-commissioner-wilson-regarding-effective-date-certain-provisions-recently