Safeguards Rule: Resources, Risks,
Compliance, and Consequences
• The views expressed in this presentation are those of the speaker and not necessarily those of the Commission or any individual Commissioner.
• For more detailed information, visit the FTC's homepage at www.ftc.gov.
• Implements the security provisions of the Gramm-Leach-Bliley Act of 1999.
• Took effect May 23, 2003, with an extra year to conform third-party service provider contracts entered into prior to June 24, 2002.
• Has a flexible standard, but imposes certain basic requirements. See 67 Fed. Reg. 36484.
• Each financial institution must develop, implement and maintain a comprehensive information security program that is written in one or more readily accessible parts.
• The program must contain administrative, technical and physical safeguards that are appropriate to:
  - the size and complexity of the financial institution;
  - the nature and scope of its activities; and
  - the sensitivity of its customer information.
• Designate one or more employees to coordinate its program;
• Assess risks to the security of customer information;
• Design and implement safeguards to address risks, and test and monitor their effectiveness over time;
• Oversee service providers; and
• Adjust the program to address developments.

* Fines of up to $3,500 for failure to draft an IT Security Plan. This is on top of any fines for the violations themselves.
To assess risks and design safeguards, a financial institution must consider all relevant areas of its operation, including:
1. Employee training and management;
2. Information systems, including network and software design, as well as information processing, storage, transmission and disposal;
3. Detecting, preventing and responding to attacks, intrusions, or other systems failures.
• Take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
• Require service providers by contract to implement and maintain such safeguards.

* Service providers are companies that handle or have access to customer information in the course of providing services directly to a financial institution.
• Applies to financial institutions under the FTC's jurisdiction;
• Includes financial institutions that receive customer information from another financial institution.
• This includes anyone who helps to arrange credit (including RV dealers, the Finance Department, and the persons filling out or handling credit applications).
• Any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956. An institution that is significantly engaged in financial activities is a financial institution.
• This last piece is what includes us.
• Lending, exchanging, transferring, investing for others, or safeguarding money or securities. [4(k)(4)(A)]
• An activity that the Federal Reserve Board has determined to be closely related to banking. [4(k)(4)(F); 12 C.F.R. 225.28]
  - Extending credit and servicing loans
  - Collection agency services
• An activity that a bank holding company may engage in outside the U.S. [4(k)(4)(G); 12 C.F.R. 211.5]
• Mortgage broker
• Check casher
• Pay-day lender
• Credit counseling service
• Retailer that issues its own credit card
• Auto/RV dealers that lease and/or finance
• "Customer information," which means:
  1. Nonpublic personal information concerning its own customers; and
  2. Nonpublic personal information that it receives from a financial institution about the customers of another financial institution.
  3. This would include credit applications, copies of driver's licenses, Social Security numbers, Tax ID numbers, proof of income, and anything else that is not normally available to the public.

NOTE: Customer information includes information handled by affiliates.
• If a financial institution shares customer information with its affiliates, it must ensure that the affiliates have adequate safeguards in place.
• Affiliate means any company that controls, is controlled by, or is under common control with another company.
• See Privacy Rule, section 313.3(a).
• Both Rules implement section 501 of the GLBA.
• The Safeguards Rule uses Privacy Rule definitions, but defines new terms "customer information" and "service provider."
• The Privacy Rule focuses on privacy notices, opt-out rights and limits on use and disclosure; the Safeguards Rule focuses on security.
• Top Three Reasons Dealerships are NOT in compliance
  1. "Won't happen to me"
  2. "We do that"
  3. "We've already done enough"
• We can't afford to risk anything when the fines are $11,000 per occurrence per day. This does not mean per visit, but per piece of information.
• For example, 15 deal jackets with credit information left on a desk would be: 15 fines × $11,000 per fine = $165,000.
• Enforced by the FTC.
• They usually conduct inspections around the opening, closing and lunch hours of businesses. Why do you think this is?

• Why would they want to inspect a company like Camping World?
• ChoicePoint, Inc.
  - January 30, 2006 (complaint)
  - FCRA violation (Fair Credit Reporting Act)
  - Unfair or deceptive acts or practices
  - Civil penalty: $10 million
  - Consumer redress: $5 million
• Top Three Risk Areas
  1. Lack of documentation
  2. Uncontrolled computer access
  3. Lack of training
• Documentation
  - ISP (Information Security Plan) in writing
  - Administrative, technical, and physical safeguards
  - Service provider addendums
  - Monitoring efforts
  - Training efforts
• Training and Management
  - Reporting violations
  - Sharing logins
  - Passwords on monitor
  - "Clean desk" rule
  - New employee orientation
  - Management seriousness
• DMS (Dealer Management System)
  - Specific separate logins
  - Rights and profiles
  - Automatic log-off
  - Passwords
  - Remote access
  - CRM (Customer Relationship Management) system
• Network/PC
  - Specific logins
  - Passwords
  - Network access
  - Monitoring
  - Controlled external storage
  - Windows lock/automatic logoff
• Internet
  - Restricted access
  - Filtering and monitoring
  - E-commerce
  - Web-based e-mail accounts
  - Written Internet Usage Policy
• E-mail
  - Controlled account
  - Retention (sent and deleted)
  - Passwords
  - Monitoring
  - Backup
1. Store documents and electronic backups in a secure/locked room in locked file cabinets.
2. Limit access and keys to those who need them.
3. Put working deals back when you are done with them.
4. Log off or lock your computer if you leave your desk.
5. Finance and Sales managers: lock working deals in a file cabinet when you leave your desk (even for a brief hello or turnover).
6. Have a proper storage/disposal process for dead deals. DO NOT throw them in the garbage!
7. Report any suspicious person or activity to a supervisor.
• Eleven Quick Checks
  1. Dumpster diving
  2. Repair orders/history in service
  3. Ask the newest salesperson who the ISP Coordinator is
  4. Check around terminals for login info
  5. Check for unprotected terminals
  6. Ask the ISP Coordinator for the current service providers
  7. Check for access to web-based e-mail accounts
  8. Check for the current list of DMS access
  9. Ask the accounting office to unlock a computer
  10. Ask 5 people when they last changed their password
  11. Look on salespeople's desks and in unlocked drawers for customer/consumer protected info
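Quick checks 5, 9 and 10 (unprotected terminals, a computer anyone can unlock, stale passwords) and the "Windows lock/automatic logoff" control above can be verified from the workstation itself instead of by walking the floor. The script below is an added example written for this page; it is not part of the FTC presentation or of any dealership's own tooling. It assumes PowerShell 5.1 or later in an elevated session on the Windows PC being audited, and the 15-minute lock and 90-day password-age thresholds are illustrative policy values chosen here, not figures from the Safeguards Rule.

```powershell
# Added example, not from the FTC presentation: audit one Windows workstation
# for the "unattended terminal locks itself" and "password recently changed"
# controls. Assumptions: PowerShell 5.1+, elevated session, local accounts.
# The thresholds below are illustrative policy values, not rule requirements.

$MaxIdleSeconds     = 15 * 60
$MaxPasswordAgeDays = 90

function Test-ScreenLockPolicy {
    # Two places can enforce an automatic lock: the per-user screen saver
    # settings (HKCU) and the machine-wide "Interactive logon: Machine
    # inactivity limit" that Group Policy writes as InactivityTimeoutSecs (HKLM).
    # Either one being set within the threshold is enough to pass.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $policy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue

    $saverOn     = $desktop.ScreenSaveActive -eq '1'
    $saverSecure = $desktop.ScreenSaverIsSecure -eq '1'   # "On resume, display logon screen"
    $saverWait   = [int]$desktop.ScreenSaveTimeOut         # seconds; a missing value reads as 0
    $machineIdle = [int]$policy.InactivityTimeoutSecs      # seconds; 0 means not configured

    $userLockOk    = $saverOn -and $saverSecure -and ($saverWait -gt 0) -and ($saverWait -le $MaxIdleSeconds)
    $machineLockOk = ($machineIdle -gt 0) -and ($machineIdle -le $MaxIdleSeconds)

    [pscustomobject]@{
        Check  = 'Unattended terminal locks itself'
        Pass   = [bool]($userLockOk -or $machineLockOk)
        Detail = "ScreenSaveActive=$($desktop.ScreenSaveActive) ScreenSaverIsSecure=$($desktop.ScreenSaverIsSecure) ScreenSaveTimeOut=$saverWait InactivityTimeoutSecs=$machineIdle"
    }
}

function Test-LocalPasswordAge {
    # Quick check 10 against the account database rather than by asking people:
    # every enabled local account fails if it needs no password at all, if its
    # password was never set, or if the password is older than the threshold.
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        $noPassword = -not $_.PasswordRequired
        $stale      = (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
        [pscustomobject]@{
            Check  = "Password age for local account $($_.Name)"
            Pass   = -not ($noPassword -or $stale)
            Detail = "PasswordRequired=$($_.PasswordRequired) PasswordLastSet=$($_.PasswordLastSet)"
        }
    }
}

function Invoke-TerminalAudit {
    # Run both checks, print a table, and exit non-zero when anything failed so
    # a scheduled task can keep the output as evidence of monitoring effort
    # for the written Information Security Plan.
    $results = @(Test-ScreenLockPolicy) + @(Test-LocalPasswordAge)
    $results | Format-Table -Property Check, Pass, Detail -AutoSize -Wrap
    $failed = @($results | Where-Object { -not $_.Pass })
    if ($failed.Count -gt 0) { exit 1 }
}

Invoke-TerminalAudit
```

On a domain-joined PC the local-account list will usually be short; the same password-age test applies to domain accounts by replacing `Get-LocalUser` with `Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNotRequired` (requires the RSAT Active Directory module), inverting the `PasswordNotRequired` flag. Keep the thresholds in step with whatever the written plan actually states, since the script only proves that the configured control matches the documented one.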
Source: FTC overview on GLBA final rule on safeguards, 2010 compliance presentation

Editor's Notes

• #18, Answer #1: Because that's when we are most likely to be away from our desk with the computer open (morning coffee), deals lying on the desk (lunch), or understaffed with cabinets/doors unlocked (closing).
• #18, Answer #2: Large credit transactions, small credit card purchases, an industry still catching up to modern threats, and one that can afford a large fine.