Information Security Program / FTC Safeguards / Gramm-Leach-Bliley Act Compliance

Reference:

FTC Safeguards Rule: What Your Business Needs to Know

Update

The deadline to comply has been extended to June 2023 for most of the provisions in the Safeguards Rule. Launch Labs will implement multi-factor authentication by the new deadline.

Covered Businesses

  • The act applies to Financial Institutions, though in a broad way

    • including mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC

    • Also “Finders”: companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction

      • As such, dealerships issuing credit are now included

Requirements

  • to ensure the security and confidentiality of customer information;

  • to protect against anticipated threats or hazards to the security or integrity of that information; and

  • to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

Launch Labs Information Security Program

Although Launch Labs is not a covered business type, we service businesses that are. As such we will comply in all the ways that are feasible for a given industry.

  • Designate a Qualified Individual to implement and supervise your company’s information security program

    • Garrett

  • Conduct a risk assessment, and design and implement safeguards to control the risks identified through your risk assessment

    • what information you have and where it’s stored

      • Ignite has customer names, addresses, email addresses, and phone numbers. The data is stored within databases and database backups

    • foreseeable risks and threats

      • Database access is only available to a small number of engineers; access is controlled using secure shell (SSH) and firewall connections that are only open to the engineer’s individual IP address and closed after the connection ends

        • Shell access is covered under multi-factor authentication (MFA)

      • the Ignite web application itself provides no way to bulk export customer data across multiple accounts

        • Ignite web application will implement multi-factor authentication on or before June 2023 (previously December 9, 2022).

      • Customer data within the web application is encrypted in transit to users’ browsers using Transport Layer Security (TLS) / Secure Sockets Layer (SSL)

        • FTC guidance specifically calls for encryption implementation where feasible. In the case of transmission of customer data to dealership CRMs, this is currently not feasible, as dealership CRMs do not support encryption of ADF-formatted leads. Launch Labs plans to review this annually and will implement encrypted ADF leads if and when CRMs add support for them

      • Customer Data Disposal

        • Customer data is automatically disposed of on a rolling basis. Ignite retains customer data only as long as is necessary to perform its functions, and all customer data is destroyed within 90 days of any client offboarding

      • Launch Labs will review this plan annually and update according to any changes in our network or applications

      • Ignite maintains user access logs in log files and database tables

  • Regularly monitor and test the effectiveness of your safeguards

    • Ignite is continuously monitored for suspicious requests; such requests are either blocked or the application is otherwise updated to ignore them

    • Launch Labs staff receives training on security safeguards

    • Launch Labs works with reputable and experienced service providers

    • This security program will be evaluated annually and updated as needed

    • Launch Labs maintains a written incident response plan

    • Garrett Roach will report to company leadership, as needed, related to this plan