By K. Dailey Wilson*
You have likely heard about the recent amendments to the federal Safeguards Rule. But you probably breathed a sigh of relief because, technically speaking, the Safeguards Rule does not apply to rent-to-own providers, as they are not “financial institutions” as defined by the Rule.
Unfortunately, however, this does not mean that the federal regulators are not interested in your data security practices. In fact, the Federal Trade Commission (FTC), the same agency that regulates the rent-to-own industry, took two unfairness actions in October against companies in the non-financial services industry for data security failures.
On October 24, the FTC took action against Drizly, LLC, a mobile alcohol delivery platform, for failing to use reasonable information security practices. Drizly allegedly used obsolete password encryption technology, failed to employ appropriate access controls, and failed to remediate risks to data identified following a previous security breach. On October 31, the FTC took action against Chegg, Inc., an education technology provider, for lax data security practices. Like Drizly, the FTC alleged that Chegg failed to address risks identified through a prior data security incident. Chegg also allegedly did not require employees to use multifactor authentication to access systems containing customer information, failed to encrypt customer information adequately, and failed to monitor its systems for security threats.
A review of the consent orders in these two actions indicates that the FTC expects non-financial institutions to take steps to adequately secure customer data, including the following:
- Implementation of an Information Security Program. Companies should implement a comprehensive information security program designed to protect against security events.
- Adoption of Multifactor Authentication. Any information system containing customer information should be accessible only through multifactor authentication, such as requiring users to provide both a password and a code generated from a token.
- Encryption of Customer Information. Customer information should be encrypted not only in transit but also at rest using the most up-to-date encryption methods.
- Implementation of Access Controls. Only those who need customer information should be permitted to access it. Permissions should be revoked when the need for the information no longer exists.
- Adoption of a Change Management Program. Companies should implement policies and procedures to evaluate the company’s data security programs and processes following data security events, changes in software and hardware used by the company, and changes in information technology.
- Timely Disposal of Customer Information. Customer information should be disposed of as soon as it is no longer necessary for business operations or for other legal or regulatory purposes.
Given the heightened regulatory interest in data security, RTO providers should review their existing data security practices to confirm that they address the requirements highlighted in the recent consent orders involving non-financial services providers. Your customer information is your most valuable asset – taking the necessary steps to protect that information is paramount.
* K. Dailey Wilson is a senior associate in the Tennessee office of Hudson Cook, LLP. She can be reached at (423) 490-7567 or by email at dwilson@hudco.com.
This article is sponsored content and was written with the support of Hudson Cook, LLP. To have your company featured in an article, please email us at advertising@rtohq.org.
