Last Wednesday, I covered your responsibility under the Gramm-Leach-Bliley Act (“GLBA”) for implementing and following a consumer privacy policy that accurately, clearly and conspicuously describes the information sharing practices of your company. [Back to Basics, Continued-Privacy] The companion to that privacy obligation is the FTC Safeguards Rule. The Privacy Rule governs what you tell customers about how their information is shared; the Safeguards Rule implements the GLBA by spelling out how that customer information is to be protected once it is in your hands.

Like most of the Rules I am covering in this Back to Basics series, this one calls for safeguards appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the customer information you hold. So there is leeway in how you get there. But the objectives are the same regardless of the size of your business:

  • Adopt a written safeguards program that ensures the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of that information; and
  • Protect against unauthorized access to, or use of, that information that could result in substantial harm or inconvenience to a customer.

The FTC Rule itself lists the elements your Policy must include:

(i) Designate an employee (or employees) to coordinate your information security program;

(ii) Perform a risk assessment: identify the reasonably foreseeable internal and external risks that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of the customer information in your possession, and assess whether the safeguards you already have in place are sufficient to control those risks;

(iii) Design and implement safeguards to control the risks you identify in the assessment;

(iv) Train your people on the program and their role in it; and

(v) Regularly test or monitor the effectiveness of your safeguards, and adjust the Policy as your business, your systems and the threats to them change.

This Rule has probably not drawn much of your attention, even though it took effect 15 years ago. That is precisely why I am calling it to your attention now.

Practice Pointer: Take the time now to dust off your Safeguards Policy and confirm that it includes the five elements above, and that each one is actually being carried out, not merely written down. If it does not, it's time to go back to the drawing board!