cyber security risks

The FTC’s Standards for Safeguarding Customer Information, known as the Safeguards Rule, requires financial institutions under FTC jurisdiction to follow specific requirements to protect the customer information they handle.  Here’s what your business needs to know and do NOW as the December 9, 2022, compliance deadline for the amended rule quickly approaches:

  • The Safeguards Rule names 13 types of businesses as examples of “financial institutions,” a classification defined by the activities a business engages in, not by whether it looks like a bank.  Businesses the rule covers include Certified Public Accountants who prepare tax returns, mortgage brokers, automobile dealers that extend or arrange financing, property appraisers, career counselors who serve clients employed by or recently displaced from the finance industry, and even retailers that issue their own store credit cards.
  • Your business must designate a Qualified Individual to implement and oversee your information security program.  Hiring an employee with the necessary qualifications can be quite expensive, although some larger companies will certainly choose this option.  Fortunately, the FTC states that this role may be filled by an outside contractor or service provider (your business retains responsibility for compliance either way), and a best-in-class security provider will offer the services of a CSO (Chief Security Officer) who will guide your compliance process.
  • You must carry out an initial written risk assessment and repeat it periodically, identifying the internal and external risks to customer information and the vulnerabilities to be addressed.  We conduct an initial assessment for all managed clients, and the information we provide helps clients focus on areas of weakness as well as budget for necessary improvements.
  • Safeguards must be in place to control the risks identified in your assessment, and the FTC outlines 8 required elements: access controls for customer information, reviewed periodically; an inventory of the data you hold and the systems that store and transmit it; encryption of customer information in transit and at rest; assessment of the security of all applications in use, including any you develop yourself; multi-factor authentication for anyone accessing customer information; secure disposal of customer data no later than two years after its last use, unless retention is required; change management procedures; and logging and monitoring of user activity to detect unauthorized access.
  • Routine staff training must be implemented and reviewed periodically.  Security tools and plans provide crucial barriers to hackers and other malicious intent, but any company is vulnerable if its staff falls prey to phishing attempts or social engineering.  Regular training ensures that your employees remain alert.
  • Any service providers that receive or access your customer information must be capable of maintaining appropriate safeguards, must be required to do so by contract, and must be periodically reassessed.  These vendors, including outside payroll processors, banks, and HR providers, must be monitored and held to the same standards you are required to meet.
  • As quickly as the threat landscape changes, your Information Security Program must be kept current at all times.  This means that vulnerabilities must be addressed quickly, updates applied in a timely manner, and changes tracked through your change management process.  The program must also be adjusted whenever your risk assessment, testing results, or business operations change materially.
  • Your business must have a written Incident Response Plan that identifies the members of the response team and their responsibilities, and lays out the internal processes, communications, and remediation steps to follow, how the incident will be documented, and how the plan will be revised after an event.  If you need help or don’t know where to start, we have the team and resources to help you.
  • Your Qualified Individual must provide a written report at least annually to your Board of Directors (or, if you have none, to a senior officer responsible for the program) on the overall status of the program and your compliance with the rule.  This report must address risk assessment and management, service provider arrangements, test results, any security events and the responses to them, and recommendations for changes to the program.

While these requirements will mean changes for many businesses, they will necessarily improve security as well.  A serious security incident affects a company both financially and reputationally and can become a catalyst for business failure.  Almost every business, including those not subject to the FTC rule, should examine its security procedures and implement the tools and processes that will minimize risk.  As for these new requirements, the deadline is quickly approaching, and SIP Oasis has a dedicated team of IT security professionals who can help you achieve and maintain compliance.  Learn more at https://www.sipoasis.com/new-cybersecurity-crisis/.