As former President Ronald Reagan famously put it, the most terrifying words one can hear are, "We're from the government, and we're here to help." In this case, the government's attempt to help takes the form of a requirement that nearly all businesses establish and maintain a robust cybersecurity program to safeguard customer information. The initiative is commendable, but businesses should take it seriously even without a government mandate.

Unfortunately, most small businesses do not give cybersecurity the priority it deserves. They mistakenly believe they are doing enough to prevent cyberattacks when they are not. Consequently, the government has intervened with laws such as the Gramm-Leach-Bliley Act (GLBA) to enforce improved security practices.

What is the New FTC Gramm-Leach-Bliley Act Safeguards Rule, and who does it apply to?

In April 2022, the FTC released a publication titled "FTC Safeguards Rule: What Your Business Needs to Know." This document serves as a compliance guide for every company that falls under the Safeguards Rule, spelling out the security safeguards required to protect customer information. Many business owners assume their company is "too small" to be covered or holds no data "of interest to hackers"; they are in for a shock when they discover that they are mistaken on both counts.

Hacking groups employ automated bots that carry out attacks indiscriminately, and small businesses are their primary targets because of their negligence and inadequate protection. Such businesses are considered easy prey. Consequently, compliance is not limited to the obvious organizations such as CPAs, financial institutions, and credit unions. The scope extends to many other organizations, including printers handling financial documents, automotive dealers offering financing, businesses accepting credit or loans, tax preparation or credit counseling firms, real estate settlement services, and career counselors serving individuals employed by or recently displaced from financial organizations. The list is not exhaustive. Essentially, any organization handling financial data or personally identifiable information must ensure compliance with these new standards.

What should you do now?

The rule mandates the implementation of a "reasonable" information security program. But what does that entail? First, you need to appoint a qualified individual to oversee and manage your IT security program. This responsibility cannot be outsourced. While it is advisable to seek guidance from professional IT firms like ours, the ultimate accountability rests with you. The designated person does not need an IT or cybersecurity background, but they are responsible for ensuring that your company takes reasonable precautions to comply with the new security standards.

Second, the Safeguards Rule requires a risk assessment as the starting point for an effective security program. You would then work with your chosen IT company (such as us!) to implement measures such as access controls, encryption, data backups, two-factor authentication (2FA), and other protections to secure your data.

Cybersecurity is not a one-time endeavor; it requires ongoing efforts to protect against evolving threats. To determine your organization's current cybersecurity posture, we invite you to sign up for a quick, easy, and completely free Cyber Security Risk Assessment. This assessment serves as the initial step toward compliance and provides crucial insights into your security status.