A year ago, the FTC made several amendments to the Safeguards Rule, requiring even tiny businesses to protect client data. These changes, originally set to go into effect in December of 2022, will now be enforced starting June 9, 2023 – and it's very likely that your business, regardless of how small it is or who handles your technology, WILL be required to implement specific new security protocols.

The Safeguards Rule was initially created for financial institutions. However, the new amendments broadened the definition of "financial institution" to include real estate appraisers, car dealerships, and payday lenders. In addition, the FTC goes so far as to include any business that regularly wires money to and from consumers. These organizations must develop, implement and maintain a comprehensive security program to protect their customers' information.

Here are the provisions you must implement:

  • Designate a qualified individual to oversee their information security program. That means someone at these companies needs to be trained in information security, receive continuing security education, and ensure the organization correctly executes the written information security plan. We can provide someone if no one on your team meets this requirement.
  • Develop a written risk assessment. A risk assessment is done in two parts: one, a technical scan, and two, a questionnaire designed to reveal common security loopholes. This is typically outsourced to an IT firm like ours, and by law it must be reviewed at least annually. Best practice, however, is to review it quarterly, if not monthly, when a business is handling sensitive information and the owner's tolerance for risk is low. If you need this risk assessment, contact us.
  • Limit and monitor who can access sensitive customer information. For example, don't give your entire team access to your credit card processing system. Instead, only allow one employee (the one who works in it day in and day out) and one backup person (possibly you, the owner) to log in and access this information.
  • Encrypt all sensitive information. Again, this is typically done by an outsourced IT company like ours unless your company is large enough to have a robust cybersecurity team that can handle it. "Sensitive information" is not just medical records and credit cards but clients' e-mail addresses, phone numbers, Social Security information, driver's license information, and birthdays. Hackers can use all this to exploit your customers using the data you host.
  • Train security personnel. Employee awareness training is another critical component, not only of this law but also of getting and keeping insurance coverage on cyber liability, crime, and other insurance policies.
  • Develop an incident response plan. Specifically, if (when?) you get compromised, you need to have a plan for how you will respond. This is another service we offer to our clients but should be reviewed by your insurance agent, leadership team, board, and other key players in the organization.
  • Periodically assess the security practices of service providers. This law also requires you to ensure that any companies you are doing business with – specifically those where sensitive information is shared – are secure and compliant. This may include requiring that vendors state in their contracts that they are adhering to the Safeguards Rule and specific security frameworks, like CIS or NIST.
  • Implement multifactor authentication or another method with equivalent protection for anyone accessing customer information. Also known as "2FA," this process ensures anyone logging in to your accounts must authenticate that request via another device, such as a cell phone or e-mail.

If you want to discuss this new Rule with us and how to get started with a Risk Assessment, click here to schedule a phone consultation to discuss your concerns, questions, and specific situation. Or, if you prefer, you can call us at (262) 942-8572.