Protecting Your Customers’ Info: Understanding The ‘Safeguards Rule’ - Engine Builder Magazine

Protecting Your Customers’ Info: Understanding The ‘Safeguards Rule’

By now, most shops should have implemented their information security programs and taken steps to ensure compliance with the Safeguards Rule. If you have not, we recommend taking steps to get in compliance immediately. If you have, it’s still important to periodically review and assess your program to ensure you remain in compliance.


President Clinton signed the Gramm-Leach-Bliley Act (“GLB Act”) into law on November 12, 1999. In addition to reforming the financial services industry, the GLB Act included provisions for how “financial institutions” should share and protect their customers’ non-public personal information.

As a result of its passage, the GLB Act required the FTC and other government agencies that regulate financial institutions to implement regulations to carry out the GLB Act’s provisions. The regulations required all covered businesses to be in full compliance by July 1, 2001.

The FTC first issued the Privacy of Consumer Financial Information Rule (“Privacy Rule”) to address provisions in the GLB Act about how customer information is shared. The Privacy Rule defines “consumers” and “customers” and deals with how you share information about customers who obtain or apply for credit or lease products from you.

Following the Privacy Rule, the FTC then enacted the Safeguards Rule to address provisions in the GLB Act regarding how customer information is protected. The Safeguards Rule deals with how you protect information about your finance and lease customers.

The objective of the Safeguards Rule is to:

1. Ensure the security and confidentiality of customer information

2. Protect against any anticipated threats or hazards to the security or integrity of such information.

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer

Who Must Comply?

The definition of “financial institution” includes many businesses that may not normally describe themselves that way. In fact, the Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services.

While the FTC has never defined the phrase “significantly engaged,” you should consider yourself “significantly engaged” in financial activities for purposes of the Safeguard Rule if you regularly provide installment sale and/or lease financing to consumers, even if you immediately assign sales and lease contracts to bank or finance company.

In order to understand the objectives of the Safeguards Rule, it’s important to recognize why the GLB Act required the FTC and other government agencies to enact rules to protect sensitive customer information.

Identify theft and customer data breaches are now common place, with stories found frequently in the news. In one case several years ago, an employee of a software vendor, who provided services to the three national credit agencies, sold customer information to identity thieves. At last report authorities knew of at least 30,000 victims and an estimated $2.7 million in losses.

Consider the amount of current and historical customer data your business has accumulated over the years. It could be stored in paper format in a file drawer, or digital format on a computer hard drive. Now consider how safe and secure that information is.

Assess Your Compliance

The Safeguards Rule requires companies to develop and implement an information security program. As part of the program, each company must:

• Have a written information security plan that describes the actions and steps your business will take to protect customer information. The Safeguards Rule specifies that the size of your plan should be appropriate to your operation’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue.

• Designate one or more employees to coordinate your security plan. These employee(s) should be documented in your written security plan, and aware that they have been so designated. In addition, it is recommended you update the written plan coordinators names in the security plan as personnel changes.

• Identify and assess the risks to customer information in each relevant area of your organization’s operation. In addition, you should evaluate the effectiveness of current safeguards for controlling these risks at reasonable intervals.

• Routinely monitor and test their information security program.

• Select appropriate service providers and require them, by contract, to implement safeguards that are appropriate to their organization in protecting consumer information.

• Evaluate all aspects of your program from time to time, to make appropriate adjustments and to explain why you believed the adjustments were appropriate.

Securing Your Information

The Safeguards Rule requires that you consider risks to customer information in all areas of your operation, with special emphasis on three critical areas: Employee Training and Management; Information Systems; and Detecting and Managing System Failures. The full Safeguards Rule, referenced at the end of this column explains the complete content and practices to be implemented.

Employee Training And Management

The success or failure of your information security program depends largely on the employees who implement it. Some best practices to consider:

• Check references prior to hiring employees who will have access to customer information.

• Ask every new employee to sign an agreement to follow your organization’s confidentiality and security standards for handling customer information.

• Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:

– Locking rooms and file cabinets where paper records are kept.

– Using strong passwords, at least eight characters long.

– Encrypting sensitive customer information when it is transmitted electronically over networks or stored online.

– Referring calls or other requests for customer information to designated individuals who have had safeguards training.

• Regularly instruct and remind all employees of your organization’s policy – and the legal requirement – to keep customer information secure and confidential. You may want to provide employees with a detailed description of the kind of customer information you handle (name, address, account number, and any other relevant information) and post reminders about their responsibility for security in areas where such information is stored.

• Limit access to customer information to employees who have a business reason for seeing it. For example, grant access to customer information files to employees who respond to customer inquiries, but only to the extent they need it to do their job.

Information Systems

Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Below are some suggestions on how to maintain security throughout the life cycle of customer information – that is, from data entry to data disposal:

• Store records in a secure area. Make sure only authorized employees have access to the area. For example:

– Store paper records in a room, cabinet, or other container that is locked when unattended.

– Store electronic customer information on a secure server that is accessible only with a password – or has other security protections – and is kept in a physically-secure area.

– Don’t store sensitive customer data on a machine with an Internet connection.

– Maintain secure backup media and keep archived data secure, for example, by storing off-line or in a physically secure area.

• Provide for secure data transmission (with clear instructions and simple security tools) when you collect or transmit customer information. Specifically:

– If you collect information directly from consumers, make secure transmission automatic. Caution customers against transmitting sensitive data, like account numbers, via electronic mail.

– If you must transmit sensitive data by electronic mail, ensure that such messages are password protected so that only authorized employees have access.

• Dispose of customer information in a secure manner and, where applicable, consistent with the FTC’s Disposal Rule (the FTC?disposal rule can be found at: For example:

– Hire or designate a records retention manager to supervise the disposal of records containing nonpublic personal information.

– Shred or recycle customer information recorded on paper and store it in a secure area until a recycling service picks it up, and promptly dispose of outdated customer information.

• Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information.

Managing System Failures

Effective security management includes the prevention, detection and response to attacks, intrusions or other system failures. Consider the following suggestions:

• Maintain up-to-date and appropriate programs and controls by:

– Following a written contingency plan to address any breaches of your physical, administrative or technical safeguards.

– Checking with software vendors regularly to obtain and install patches that resolve software vulnerabilities.

– Using anti-virus software that updates automatically.

– Maintaining up-to-date firewalls, particularly if you use broadband Internet access or allow employees to connect to your network from home or other off-site locations.

– Providing central management of security tools for your employees and passing along updates about any security risks or breaches.

• Take steps to preserve the security, confidentiality and integrity of customer information in the event of a computer or other technological failure. For example, back up all customer data regularly.

• Maintain systems and procedures to ensure that access to nonpublic consumer information is granted only to legitimate and valid users.

• Notify customers promptly if their nonpublic personal information is subject to loss, damage or unauthorized access.

This article was provided courtesy of Zurich, a provider of  a wide range of commercial business insurance products and risk management solutions. For more information about Zurich’s products and Risk Engineering services, visit

You May Also Like

The Road to AAPEX Season 2, Ep 1

Last year, the idea was simple: Find a junker, fix it up with the best from the automotive aftermarket, and drive it to Las Vegas for AAPEX 2022. This year, it’s anything but simple. The automotive aftermarket is at the crossroads of change. Electric vehicles, driver assistance systems, autonomous vehicles, sustainability—it’s a shifting landscape. This

Last year, the idea was simple: Find a junker, fix it up with the best from the automotive aftermarket, and drive it to Las Vegas for AAPEX 2022. This year, it’s anything but simple.

The automotive aftermarket is at the crossroads of change. Electric vehicles, driver assistance systems, autonomous vehicles, sustainability—it’s a shifting landscape. This year, the Big Bosses at AAPEX, Bill Hanvey, president and CEO of Auto Care Association, and Paul McCarthy, president and CEO of MEMA Aftermarket, offered a challenge. Babcox Media’s Joe Keene, an ASE-certified technician, couldn’t refuse: Find and fix a rare Lincoln Blackwood and drive it down the Lincoln Highway to AAPEX 2023.

What’s a Ford Sidevalve Engine?

It looks like an ordinary inline 4-cylinder flathead engine. Essentially it is, but it has quite a cult following here in the UK.

The Drag & Drive Revolution

Following that first drag-and-drive event back in 2005, spinoffs of Drag Week have been happening all over the country, and the world, both large and small. In recent years, the trend has been completely blowing up!

The Evolution of Pro Mod Diesels

The advancements within the performance diesel world over the past 20 years have been nothing short of phenomenal. In fact, within just the last five to 10 years, that progress has been even more rapid and impressive, but few progressions have been more astonishing than those within the Pro Mod Diesel realm.

Top Fuel and Funny Car Engines

They’re the pinnacle of drag racing, and the engine builders, crew chiefs and teams who make these cars function at peak performance all season long are looking at every single area of the engine and the car to make it down the track as fast as possible.

Other Posts

Race Oils

Choosing the correct performance racing oil is essential to ensure optimal performance and longevity of your engine.

Facts About Engine Bearings

The experts all agree that cleanliness is the most important factor during installation, and the lack thereof is the most common problem that leads to bearing failure. But measuring is just as critical.

Does Connecting Rod Length Matter?

Over the years, we’ve gotten asked numerous times about connecting rod length and the impact that has on an engine’s horsepower and durability. As it turns out, this question is often overthought. It’s not so much the connecting rod length that matters as much as it is the correct piston pin height. The connecting rod

LTR Engine Build

This Late Model Engines build is centered around Concept Performance’s new LTR block, which is the first aftermarket as-cast aluminum Gen V LT block.