Approximately 13 months ago, the FTC revised the Safeguards Rule to require that even very small firms ensure the security of customer data. These amendments, initially planned to take effect in December of 2022, will now be implemented beginning June 9, 2023, and it is highly probable that your business, regardless of its size or how its technology is managed, WILL be required to put certain new safety measures into action.

Initially, the Safeguards Rule was intended only for banks and other similar financial institutions. However, the amendments have increased the scope of the regulation, which now extends to real estate appraisers, automobile dealerships and payday loan providers. Moreover, even businesses that routinely transfer money back and forth between customers and themselves have to comply with the Rule. All of these entities must create, put into effect and continually maintain a thorough data protection system to protect the details of their clients.

Here are the requirements you must fulfill:

  • Assign an experienced person to manage your data security system. It is essential to assign someone who is knowledgeable in information security to supervise your security program. This person will need to have adequate training in the field and stay up to date, in addition to being responsible for making sure the information security plan is being carried out effectively. If there is no one on your team who fulfills these criteria, our organization can provide an individual for this role.
  • Develop a written risk assessment. A risk assessment comprises two components: a technical scan and a questionnaire for uncovering the usual security flaws. It is often outsourced to a proper IT firm like ours and must be examined yearly (as per the law). However, in cases where the company deals with a lot of sensitive data and the proprietor has a low tolerance for risk, it should be assessed quarterly or even monthly. If you need to undertake this risk assessment, reach out to us.
  • Monitor and keep track of who has access to sensitive customer details. For instance, don't give your whole staff access to your credit card processing system. Permit only one worker (the one who works with it regularly), and one other backup individual (maybe the proprietor) to be able to log in and access this data.
  • Protect all confidential data. Generally, this is accomplished by enlisting an external IT company, unless your business is big enough to have a proficient cyber security team that can manage it. "Confidential information" is not limited to medical documents and credit cards; it also includes customers' email addresses, phone numbers, Social Security details, driver's license particulars and birthdates. Cybercriminals can exploit any of this data that you host.
  • Train security personnel. It is essential to educate security personnel to comply with this legislation, as well as to maintain insurance coverage for cyber liability, crime and other insurance policies.
  • Devise an incident response plan. You must have a plan in place for what to do in the event of an IT security breach. We provide this help to our clients, but the plan must be looked over by the insurance agent, leadership team, board and other stakeholders in the organization.
  • Review the safety protocols of service providers on a regular basis. Companies that handle confidential data must also be protected and abide by the regulations of the Safeguards Rule. To verify that these standards are implemented, you should ask vendors to show in their contracts that they follow the CIS or NIST security frameworks.
  • Implement multi-factor authentication, or an equivalent security system, for people accessing customer data. This is also known as "2FA," which makes sure that when someone logs in to your accounts, their identity is confirmed through another device, such as a cell phone, or by email.

If you want to discuss this new rule with us and how to get started with a Risk Assessment, click here to schedule a phone consultation to discuss your concerns, questions and specific situation. If you prefer, you can call us at 888-606-8805.