Equipment vendors soon will be held to the same standards as banks when it comes to protecting consumer and employee information.
Changes to the Federal Trade Commission’s Safeguard Rule will expand the definition of a financial institution to include equipment vendors. The rule change, set to take effect June 9, has spurred the need for in-house audits of cybersecurity processes and procedures.
First instituted in 1999 through the Gramm-Leach-Bliley Act (GLBA), the rule regulates how financial institutions share and secure consumer information, Kevin Landers, president at Rocketwise, said at Equipment Finance Connect in Charlotte Tuesday.
“The goal of the GLBA was to modernize finance industry and bring some of those regulations up to par,” Landers said. “And in doing so, they made the FTC responsible for implementing those modernizations.”
Now, in the first major GLBA revision, the definition of a financial institution is set to expand to include equipment dealers, Landers said.
The Safeguard Rule “established what really comes down to parameters for good customer data hygiene,” Landers said. “It also came along with some punitive consequences for those who fail to adhere to those parameters.”
Enforcement to be reactive, not proactive
Equipment vendors will be required to develop, implement and maintain a comprehensive information security program to protect consumer information from unauthorized access, Landers said, noting that fines for noncompliance range from $10,000 to $100,000 per violation.
The FTC will not actively police the regulation, Landers said. Rather, the regulator will come knocking if companies experience a data breach and levy fines after the fact.
“The reality is, [enforcement] is going to be reactive, not proactive,” Landers said. “After there’s an event, the regulators are going to come in and put everything under the microscope.”