New FTC Safeguards Rule: Is Your Business Ready?

The Federal Trade Commission (FTC) has tightened its customer data security regulations in the updated Standards for Safeguarding Customer Information (commonly referred to as the Safeguards Rule). The FTC Safeguards Rule now requires non-banking financial institutions, including automobile dealers, payday lenders, and mortgage brokers, to develop, implement, and maintain a comprehensive security program to keep their customers’ data safe.

Enforcement of the new regulations begins on June 9, 2023. The leaders of any business or organization must understand who is subject to the new FTC Safeguards Rule.

Significant Changes Are Coming

The original Safeguards Rule was somewhat flexible and, for the most part, allowed organizations to decide how they would fulfill the requirements. In December 2021, the FTC issued more detailed standards for how financial institutions must protect customer data. Companies now risk significant fines and possible jail time for failing to comply with industry-standard data security methods.

In addition, the FTC expanded the range of entities that must comply with the Safeguards Rule. The FTC has changed the definition of “financial institution” to include many new types of industries and businesses, including travel agencies, auto dealerships, and more. Your organization or business may now be considered a “financial institution” under the revised definition.

You May Be Considered a “Financial Institution”

With the revised rules, the Federal Trade Commission defined financial institutions as any organization significantly involved in financial activities and “activities incidental to such financial activities.” Generally speaking, the FTC focuses on organizations that handle large amounts of money, provide significant loans, extend lines of credit, connect their customers with other financial institutions, or are involved with customers’ ability to access money in some way.

Although this change may appear minor, it’s a big deal. It means many more businesses will fall under the Safeguards definition. Organizations that didn’t have to comply before must now do so by June 9, 2023.

If you need to check whether your business falls into this category, the FTC Safeguards Rule itself outlines numerous examples. Businesses now considered financial institutions include but are not limited to the following:

  • Real estate or personal property appraisers
  • Any business that prints or sells checks
  • Check-cashing businesses
  • Accountants and tax preparation firms
  • Mortgage brokers
  • Travel agencies
  • Credit counseling services
  • Investment advisory companies
  • Retailers that extend credit to customers through in-house credit cards
  • Organizations that lease personal property for at least 90 days (such as car dealerships)

Increased Security Safeguards

The FTC has also increased its requirements for securing data systems. These common-sense requirements are designed to protect sensitive financial and customer data from breaches and hackers. They include the following:

  • The designation of a qualified employee to oversee the information security program
  • The development of a written risk assessment
  • Establishment of limits and monitoring of who can access sensitive customer information
  • Encryption of all sensitive information
  • Training of employees on security procedures
  • Development of an incident response plan
  • Periodic assessments of the security practices of service providers
  • Implementation of multi-factor authentication or another method with equivalent protection for anyone who accesses customer data

5 Steps to Take Immediately

1. Appoint Your “Qualified Individual”

Part of the FTC’s amendments includes designating someone within your organization as the “Qualified Individual.” This person will oversee the development and execution of your organization’s information security program. They must also report to your company’s board of directors. The FTC says that this individual does not need to have any particular certifications but should have sufficient experience to secure an organization of your structure and size.

Even if your organization chooses to outsource data privacy and security support to a managed service provider, you must designate an internal employee as a Qualified Individual. With increasing rates of large-scale data breaches and harmful hacks, there must be at least one individual in your company who is vigilant about protecting customer and employee data.

2. Obtain Encryption Service For Emails, Files, and Apps

The Safeguards Amendment requires organizations to encrypt all sensitive customer data. This is a broad requirement, as sensitive data can move in many ways and for many reasons. Data encryption for email and files is critical to protecting sensitive information.

3. Develop the Habit of Constantly Reviewing Access Controls

Sensitive data is safer when only those who need the information have access. The Safeguards Rule requires organizations to periodically reevaluate who has access to what types of information and for how long. Only allowing access to data on a need-to-know basis lowers the risk of data breaches.

4. Assess Your Partners and Applications

The FTC urges all organizations to reevaluate their in-house applications and third-party partners to ensure that they comply with the new requirements outlined in the Safeguards Rule. A data breach targeted at a third-party partner or in-house application can have staggering effects on your sensitive client data.

5. Choose Secure, User-Friendly Software

Your employees are critical to your organization’s security. Training your employees is a requirement in the revised Safeguards Rule. The designated Qualified Individual can implement as many security precautions as possible, but your risk potential skyrockets if those precautions are hard to understand or use. Choosing user-friendly software helps ensure internal compliance and protect against data breaches.

How Can Fortify IT Solutions Help?

It’s essential to take steps now to ensure your organization complies with the updated FTC Safeguards Rule. Fortify IT Solutions has years of experience developing policies, procedures, and assessments to improve organizational security. We can provide ongoing maintenance, penetration tests, risk assessments, training, and more. Contact us online or call 856-512-1949 to schedule an appointment with one of our expert project managers.

We look forward to connecting with you and showing you how we can bring you the IT services you need and the expertise you deserve.