A little over a year ago, the FTC made several amendments to the existing Safeguards Rule requiring even very small businesses to ensure the protection of client data. These changes, set to go into effect back in December of 2022, are now going to be enforced starting June 9, 2023 – and it’s very likely that your business, regardless of how small or how your tech is being handled, WILL be required to implement certain new security protocols.
The Safeguards Rule was originally created for financial institutions. However, the new amendments broaden the definition of financial institutions to include real estate appraisers, car dealerships, payday lenders and more. The FTC goes so far as to include any business that regularly wires money to and from consumers. Not all organizations will have to comply with the Safeguards Rule. Financial Institutions collecting information on less than 5,000 consumers are exempt from the requirements of written risk assessment, incident response plan, and annual reporting to the board under the new Safeguards Rule.
But note that any organization might still need to comply in the future, given these new rules are still evolving and being enforced.
All organizations that need to comply with the rule are required to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. There will be enforcement of the Safeguards Rule by the FTC either by enforcement action reviews or providing annual reports on the state of an organization’s cybersecurity program.
What are the New Provisions in the Safeguards Rule?
- Designate a qualified individual to oversee their information security program. That means someone at these companies need to be trained in information security, receive continuing security education, and oversee ensuring the organization is correctly executing the written information security plan. If no one on your team meets this requirement, we can provide someone.
- Develop a written risk assessment. A risk assessment is done in two parts: one, a technical scan, and two, a questionnaire designed to reveal common security loopholes. This is typically outsourced to an IT firm like ours and needs to be reviewed annually (by law), but best practices should be quarterly if not monthly in situations where a business is handling a lot of sensitive information and the tolerance for risk by the owner is low. If you need this risk assessment, contact us.
- Limit and monitor who can access sensitive customer information. For example, don’t give your entire team access to your credit card processing system. Only allow one employee (the one who works in it day in and day out), as well as one backup person (possibly you, the owner), to be able to log in and access this information.
- Encrypt all sensitive information. Again, this is typically done by an outsourced IT company like ours, unless your company is large enough to have a robust cyber security team that can handle it. “Sensitive information” is not just medical records and credit cards, but clients’ e-mail addresses, phone numbers, Social Security information, driver’s license information and birthdays. ALL of this can be used by hackers to exploit your customers using the data you host.
- Train security personnel. Employee awareness training is another key component to not only this law, but also to get and keep insurance coverage on cyber liability, crime and other insurance policies.
- Develop an incident response plan. Specifically, if (when?) you get compromised, you need to have a plan in place for how you will respond. This is also another service we offer to our clients but should be reviewed by your insurance agent, leadership team, board and other key players in the organization.
- Periodically assess the security practices of service providers. This law also requires you to ensure any companies you are doing business with – specifically ones where sensitive information is shared – to be secure and compliant. This may include requiring that vendors state in their contracts that they are adhering to the Safeguards Rule and to certain security frameworks, like CIS or NIST.
- Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information. Also known as “2FA,” this process ensures anyone logging in to your accounts must authenticate that request via another device, such as a cell phone or e-mail.
If you want to discuss how this new rule works and how to get started with a Risk Assessment,
click here Discovery Call to schedule a phone consultation to discuss your concerns, questions and specific situation. If you prefer, you can call us at 909-775-5807.
