FTC Extends Compliance Deadlines

The Federal Trade Commission (FTC) has postponed the deadline for some Safeguards Rule provisions. The new deadline for specific requirements is now June 9, 2023. The FTC cited supply chain issues and workforce shortages caused by the COVID-19 pandemic as reasons for the extension.

Although businesses now have more time, it is still crucial to continue compliance efforts. The FTC acknowledged that achieving full compliance within a year was unrealistic for many organizations, particularly auto dealers. Since these safeguards require significant work, the extra six months provide a more reasonable timeline—provided companies remain committed to their efforts. However, it’s important to remember that not having these safeguards in place still creates serious security risks.

FTC and Industry Urge Continued Compliance

The FTC continues to encourage affected organizations to make progress toward compliance. In its statement, the agency emphasized that the extension gives financial institutions additional time to ensure their information security programs align with the Safeguards Rule.

Similarly, the National Auto Dealers Association has advised its members to stay focused on meeting the requirements. Although some provisions now have a later deadline, many still require compliance by December 9, 2022.

Deadlines: What Has Changed and What Hasn’t

Extended Deadline: Now Due June 9, 2023

The following provisions have been granted an extension:

• 314.4 (a): Designate a Qualified Individual
• 314.4 (b)(1): Perform a Risk Assessment
• 314.4 (c)(1): Address Risks Identified in the Risk Assessment
• 314.4 (c)(3): Encrypt Data at Rest and in Transit
• 314.4 (c)(5): Implement Multi-Factor Authentication
• 314.4 (e): Conduct Security Awareness Training
• 314.4 (f): Oversee Service Providers
• 314.4 (h): Establish an Incident Response Plan

Unchanged Deadline: Still Due December 9, 2022

Other critical provisions must still be met by December 9, 2022. These include:

• 314.4 (c)(2): Identify and Manage Data, Personnel, Devices, Systems, and Facilities
• 314.4 (c)(4): Implement a Secure Software Development Life Cycle
• 314.4 (c)(6): Securely Dispose of Data
• 314.4 (c)(7): Implement a Change Management Process
• 314.4 (c)(8): Monitor and Log User Activity, Detect Unauthorized Access
• 314.4 (d)(1): Test and Monitor Security Controls 314.4 (d)(2): Use Continuous Monitoring or Penetration Testing
• 314.4 (g): Update Information Security Programs Based on Monitoring Results
• 314.4 (i): Submit a Written Report by a Qualified Individual (though assigning a Qualified Individual is delayed, the reporting requirement remains unchanged)

Next Steps for Businesses Affected by the Postponed FTC Safeguard Provisions

We strongly encourage businesses to remain focused on compliance, prioritizing the provisions that are still due in December. Even with the extension, organizations should not delay their efforts.

Our team is available to assist in prioritizing tasks and ensuring smooth implementation. If you have any questions or concerns, feel free to reach out.

Authoritative FTC Sources

For more details on the deadline extension, visit these official FTC resources:

• FTC Business Blog Post
• Federal Register Notice
• Concurring Statement of Commissioner Christine S. Wilson