Shocking Facts About The New FTC Safeguards Rule That Affect Nearly EVERY Small Business

As former President Ronald Reagan once said, the scariest words you’ll ever hear are “We’re from the government, and we’re here to help.”

In the case of the new FTC Safeguards Rule, the government is trying to help by forcing nearly all businesses to implement and maintain a strong cyber security program to protect the consumer information these companies hold. This is definitely not a bad thing when you consider how many companies hold consumers’ personally identifiable information; if that data were to get into the hands of cybercriminals, it could be detrimental to the consumer and to the company’s reputation. All businesses should take this seriously, with or without a government mandate.

Sadly, most small businesses either don’t take cyber security seriously enough or believe they are doing enough to prevent a cyber-attack even though they aren’t. This is why the government is stepping in and creating laws (the Gramm-Leach-Bliley Act, or GLBA) to enforce better security protocols.

What Is The New FTC Gramm-Leach-Bliley Act Safeguards Rule And Who Does It Apply To?

In April 2022, the FTC published a compliance guide titled “FTC Safeguards Rule: What Your Business Needs to Know” to ensure all companies that fall under the Safeguards Rule maintain the safeguards needed to protect customer information.

While you might think your business is “too small” to comply or doesn’t hold data “that a hacker would want,” you’d be shocked to discover otherwise.

Hacking groups use automated bots to carry out their attacks at random – and small businesses are their #1 target because of the gross negligence and inadequate protections so many of them have. In other words, they are the low-hanging fruit. While it’s imperative that CPAs, financial institutions and credit unions comply, the FTC expanded the definition of a financial institution to include the businesses below. This is NOT a complete list:

  • Printers that print checks or other financial documents.
  • Automotive dealers who provide financing for car purchases.
  • Any organization that accepts credit or loans for the goods and services it sells, whether or not the credit is granted.
  • Companies that do tax preparation or credit counseling of any kind.
  • Real estate settlement services or appraisals.
  • Career counselors that provide services to people employed by, or recently displaced from, a financial organization.

As you can see, the list of companies that must comply is growing rapidly, which means that if you handle any kind of consumer financial data or personally identifiable information, you need to make sure you are complying with these new standards.

What You Need To Do Now

The rule requires you to implement a “reasonable” information security program. What counts as reasonable depends on many factors, including the type of PII you handle, the industry you are in, and the risks present within your company. To create a reasonable information security program, you should first designate a qualified individual to implement and supervise your IT security program. This person will be responsible for ensuring your company is taking reasonable precautions to comply with the new security standards.

Second, the Safeguards Rule requires you to conduct a risk assessment to identify the risks present in your company and to create an effective security program that minimizes those risks. From there, you would work with your IT company (us!) to roll out a plan to secure and protect the data you hold by putting in place access controls, encryption, data backups, 2FA and several other protections.

Cyber security is not something you do once – it’s an ongoing effort to stay protected as new threats evolve. If you want to see where your organization stands on cyber security, click here to sign up for a quick discovery call. This is the first step toward compliance and will give you the information you need about your own security posture.