Read on if you want to know how to comply with the updated Safeguards Rule 2.0 by starting with six simple steps.
Information security programs take years to build but can be breached quickly. That’s why in December 2021, the Federal Trade Commission (FTC) tightened regulations around customer data security in the Standards for Safeguarding Customer Information (the Safeguards Rule, for short), which covers administrative, technical, and physical safeguards. The rule applies to all businesses subject to FTC jurisdiction.
Enforcement of the new rules will begin on December 9, 2022. This article will explain who is subject to the FTC Safeguards Rule and five things to consider when working toward compliance.
Who does the Rule apply to?
The Safeguards Rule was initially intended to regulate “financial institutions,” which in the original drafting of the rule meant any organization “significantly engaged in financial activities.”
The Federal Trade Commission now defines a financial institution as any organization significantly involved in financial activities and “activities incidental to such financial activities.” Speaking generally, the FTC focuses on organizations that handle big money, extend lines of credit or major loans, connect consumers with financial institutions, or are involved with others’ ability to access money.
This seemingly small definition change is a huge deal because it now brings many more businesses under the Safeguards umbrella. Many businesses that previously did not have to comply will now have to do so before December 9, 2022.
Not sure if your business falls under this umbrella? The FTC Safeguards Rule itself outlines some examples. Financial institutions are:
- Retailers extending credit to consumers through their in-house credit cards.
- Organizations that lease personal property on a nonoperating basis for at least 90 days. (Think auto dealerships.)
- Personal property or real estate appraisers. (Appraisal is considered a financial activity.)
- Real estate settlement services.
- Financial career counselors who specifically work with people seeking employment with a financial organization or who were recently displaced from one.
- Any business that prints or sells checks, regardless of frequency.
- Any business that wires money to and from consumers.
- Check-cashing businesses.
- Accountants or tax preparation firms.
- Mortgage brokers.
- Travel agencies.
- Credit counseling services.
- Investment advisory companies.
- Any company that operates as a finder, defined by the FTC as “those who charge a fee to connect consumers who are looking for a loan to a lender.”
You can view the full explanation of “financial institutions” here.
What Are The New Cybersecurity Requirements?
- Designate a qualified individual responsible for implementing and supervising an information security program.
- Conduct a written risk assessment.*
- Plan and implement safeguards to protect against risks identified through the risk assessment.
- Conduct penetration tests and vulnerability assessments.*
- Train your staff and oversee security providers.
- Create a written incident response plan.*
- Submit annual reports to the governing body.*
* Financial institutions that maintain customer information concerning fewer than 5,000 consumers are exempt from this requirement.
Do I need to comply?
If you work with consumer data (full name, Social Security number, address, income, etc.), chances are you need to comply. This is especially true if you are familiar with form W-12.
It doesn’t matter if you think you’re “too small” or have “anti-virus protection” in place. It also doesn’t matter where you store your customer data.
The FTC doesn’t care if you have the budget for it, either.
What if I don’t comply?
If you are required to comply and are not in compliance by the deadline, you risk exposure to lawsuits and potential fines. FTC enforcement actions are possible (although unlikely) and can be up to $46K per violation.
More likely issues, though, would be consumer class action lawsuits as the FTC considers a violation to constitute deceptive trade practices. The first class action lawsuit against an auto dealership was filed in February 2022 (only one month after the revised rules went into effect).
Six Steps You Can Use To Comply With The Standards for Safeguarding Customer Information Today
Aside from creating a new definition of a financial institution, the FTC increased its requirements for building an information security program from five recommendations to nine requirements.
If your organization is subject to the Safeguards Rule, here are five simple steps to position your business for compliance.
Appoint a “Qualified Individual.”
The rule requires designating someone within your organization as the “Qualified Individual.” This person will oversee the development and execution of your organization’s information security program. They will also be required (by the FTC) to report to your company’s board of directors.
The FTC says that this person does not need to hold any particular certification but should have enough experience to secure an organization of your size and structure.
Even if your company outsources data privacy and security support to a service provider, you will still need to designate a Qualified Individual internally. You should have at least one person in your organization who is vigilant about protecting the data.
Perform a Risk Assessment
Formulating an effective information security program requires knowing your information and how/where it is stored. Perform a Risk Assessment to review internal and external security factors and the confidentiality and integrity of customer information.
Get In The Habit of Constantly Reviewing Access Controls
The Safeguards Rule now requires companies to periodically reevaluate who in the organization has access to which information and for how long. This lowers the risk of breaches by granting access to data only on a need-to-know basis. Not allowing everyone access to all data reduces the amount of sensitive data that can be exposed during a hack or breach.
Monitor your vendors/service providers
The FTC urges organizations to reevaluate their in-house applications and third-party partners to ensure they follow the requirements outlined in the Safeguards Rule. A breach of a third party or of an unprepared in-house application can have staggering effects on the customer data it’s designed to protect. Any service provider with potential access to your customer data should have the skills and experience to maintain the same safeguards as your employees.
Train your employees
Training your employees is a crucial requirement in the Standards for Safeguarding Customer Information. You can implement as many security controls as possible, but your risk increases if they’re difficult to grasp or a hassle. Employee participation is how your organization stays secure and afloat.
Have a written incident response plan
The incident response plan must cover the plan’s goals, including all internal processes for responding to security incidents and a clear definition of roles and responsibilities. The plan must describe the means to exchange information within and outside the organization and contain a list of requirements to remediate every identified weakness in information systems. The incident response plan must outline how to document and report security incidents and give clear instructions on evaluating and revising the plan after a security incident.
How much does it cost to comply with the Safeguards Rule?
Each company is different. The Safeguards Rule’s requirements vary with the number of consumer records you hold, and the cost of compliance varies with the size of your organization; the requirements themselves, however, do not change. For auto dealerships, the NADA estimates an annual compliance cost between $160k and $277k. For smaller organizations, the cost of compliance is expected to be between $1.5k and $6k per location per month. While this cost may differ for your organization, expect compliance costs to increase over what you currently spend.
What is your next step?
The earlier you implement these changes, the better off your business will be. Take action now to get in front of the revised rules. You’ll provide stronger measures to protect your customers’ data and your organization against potential violations, fines, and lawsuits. Start now to ensure you and your service providers comply with the December 9, 2022 deadline (since extended by the FTC to June 9, 2023).
Schedule a free 15-minute phone call with us, where we will cover the basics of your requirements under the FTC Safeguards Rule and what you need to do to comply.
How ZZ Servers Can Help
Have a question about implementing the new Safeguards Rule or want to talk to a member of our dedicated team of cybersecurity professionals? Contact us today for a free consultation. As always, we’re here to help.