How The New FTC Safeguards Rule Will Impact Even Very Small Businesses in 2023
A Blog Post from Meeting Tree Computer
A little over a year ago, the FTC made several changes to the existing Safeguards Rule. Starting June 9th, 2023, they will require every business to protect client data. Considering the scope of the changes, it’s very likely that your business, too, will be required to implement new security protocols.
The Safeguards Rule was originally created for (larger) financial institutions. However, in the new amendments, the FTC goes so far as to include any business that regularly wires money to and from consumers. To help you determine if your company will have to comply with the changes, Section 314.2(h) lists 13 examples of the kinds of entities that are financial institutions under the Rule. If you fall into any of these categories, you’ll be required to develop, implement and maintain a comprehensive security program to keep your customers’ information safe.
This is what you need to know:
Designate a qualified individual to oversee your information security program. That means someone at your company needs to be trained in information security, receive continuing security education, and ensure that your team is correctly executing the written information security plan. Don’t worry; they do not have to do this solo. Your IT support partner (we) can provide someone to help.
Conduct a (written) risk assessment. A risk assessment evaluates an organization’s vulnerabilities and threats to identify the risks it faces. It is done in two parts: first, a technical scan, and second, a questionnaire designed to reveal common security loopholes, with recommendations for mitigating them.
An assessment like this is typically outsourced to an IT firm and, by law, must be reviewed annually; depending on the type and amount of sensitive data you handle and your risk tolerance level, it can be conducted quarterly or even monthly.
Limit and monitor who can access sensitive customer information. For example, as best practice, you shouldn’t give your entire team access to your credit card processing system. Instead, only allow one employee (the one who works in it day in and day out), as well as one backup person (possibly you, the owner), to be able to log in and access this information.
Encrypt all sensitive information. Again, this is typically done by an outsourced IT company unless your company is large enough to have a robust cybersecurity team that can handle it. “Sensitive information” is not just medical records and credit cards but clients’ e-mail addresses, phone numbers, Social Security information, driver’s license information, and birthdays. ALL of this can be exploited and used against you by hackers.
Provide ongoing training. Employee awareness training is a key component of not only this law and the security of your business but also getting and keeping insurance coverage on cyber liability, crime, and other insurance policies.
Develop an incident response plan. Remember this Benjamin Franklin quote: “By failing to prepare, you are preparing to fail.” Nothing is more important than having a solid plan in place for when, not if, your business gets breached. You need to have a plan in place for how you will respond. Making decisions that could make or break your business while you’re stressed and frustrated is overwhelming if you have never before considered possible scenarios and solutions. Your IT partner can help you create a plan (a service we offer to our clients), but it should also be reviewed by your insurance agent, leadership team, board, and other key players in the organization.
Periodically assess the security practices of service providers. This one is not easy, but the new law requires you to ensure that any companies you are doing business with – specifically those with which sensitive information is shared – are secure and compliant. Start this process by requiring that vendors state in their contracts, or BAA (Business Associate Agreement), that they adhere to the Safeguards Rule and certain security frameworks, like CIS or NIST.
If you need a BAA template, let us know. We’d be happy to share ours.
Implement multifactor authentication or another method with equivalent protection for anyone accessing customer information. Also known as “2FA,” this process ensures anyone logging in to your accounts must authenticate that request via another device, such as a cell phone or e-mail.
Although the new rule does make some exemptions for organizations that hold data for less than 5,000 consumers (total, not annual), ALL FTC-compliant organizations that hold data for even one customer must implement data security controls within the Rule, such as encryption, multi-factor authentication, and access controls by June 9th, 2023.
There is still time to get ready. If you want to discuss this new rule with us and how to implement these changes, call Meeting Tree Computer at 845-303-2598 or contact us here.
We can help make these tasks a lot less daunting.