With cyberattacks and costly data breaches becoming more prevalent for businesses of all sizes, keeping customers’ information safe is more important than ever. Companies hold onto all kinds of personal data that can be used for illegal means, including social security numbers, home addresses, banking information, and more. The loss of this data puts customers at risk of identity theft and fraud, and can be extremely costly to amend.
In December 2021, the Federal Trade Commission (FTC) tightened regulations around customer data security in the Safeguards Rule. The original guidelines, issued in 1999, were flexible and allowed businesses to decide for themselves how they would meet the requirements. Now the rule has been strengthened with clearer terms for how businesses must protect, handle, process, and store confidential data.
What businesses are included in the update?
The FTC expanded the range of businesses that fall under the Safeguards Rule. By changing the definition of “financial institution,” the FTC loops in many new industries and types of businesses. Here are some of the new businesses affected by the update:
- Mortgage Lenders
- Payday Lenders
- Finance Companies
- Mortgage Brokers
- Accounting Services
- Check Cashers
- Wire Transferors
- Collection Agencies
- Credit Counselors
- Car Dealerships
- Leasing Offices
- Travel Agencies
Businesses must comply with these new industry standards of data security or they risk significant fines. The new deadline for compliance is June 9, 2023. If you’re not sure if your business will be affected, review the FTC guidelines here.
What do the new FTC Safeguard requirements include?
According to the new FTC Safeguards guidelines, a business's security program must include nine elements:
- Security Policy
- Risk Assessments
- Incident Response Plan / Disaster Recovery Plan
- IT Security Policy
- Data Retention Policy
- Security Awareness Training
- Multi-Factor Authentication
- 3rd Party Vendor Management
- SOC or Vulnerability Assessment + Penetration Testing
How can you prepare your business for compliance?
Let’s break down some of the most important parts of the FTC rule, and what you can do to start preparing your business for compliance.
Designated security officer
You must designate someone within your company to be the “Qualified Individual,” or security officer. This person will be responsible for overseeing the development and execution of your information security program. They will report to your company’s board of directors. While they don’t need to have any particular certifications, they should have enough experience to handle the responsibility of securing your organization.
Encrypting customer data
The FTC amendment requires organizations to encrypt all sensitive customer data, both in transit and at rest. Your organization should look for a quality encryption service for files and emails.
Tracking user activities
It’s important to have a system in place that tracks all user activities, such as when people log in and log out. This way, in the event of an attack, you have a record of everyone who accessed the system and can better pinpoint the source of the breach.
Mapping customer data
The FTC is largely concerned with the security of highly sensitive financial information such as Social Security numbers and credit card numbers. However, you should also keep track of general contact information, which can be used in phishing scams and identity theft. Map the entire lifecycle of customer data, noting where it’s collected, transmitted, stored, and destroyed.
Continuously evaluate security
Risk assessments are one of the best methods of evaluating a company’s security infrastructure. They indicate which parts of your system are vulnerable to compromise. Under the new Safeguards Rule, companies are also required to continuously monitor who has access to what information. By permitting access to data only to the individuals who need it, you lower the risk of sensitive data being exposed during a hack or breach.
Need help with your FTC Safeguards Rule compliance?
All of this information can seem really daunting, especially for companies that are only now being looped in. However, considering the prevalence of cyber threats, this update is long overdue.
Whether you’re looking to start building your security program or you have questions about compliance, Simply Technology is here to help. We’re equipped to handle all of your IT and cybersecurity needs, and can help make sure your business is compliant with the new FTC regulations. Contact us to get started.