FTC Announces BIG Changes for Business IT Security

What is the Safeguards rule?

The cyber security Safeguards Rule was created for financial institutions to abide by to ensure protection of client data. However, recent amendments made by the FTC now broaden the definition of ‘financial institution’ to encompass real estate appraisers, payday lenders, car dealerships and others (even if they are very small). The FTC even includes any business that recurrently wires money to or from consumers.

Why you should care:

The amendments to the Safeguards Rule were made almost a year ago, and went into effect December 2022. These changes will be enforced starting June 9^th, 2023, and regardless of how small your business is, or how your tech is being handled, you WILL be required to implement new security protocols.

Here’s what you MUST do:

Designate a qualified individual to oversee their information security program.

That means someone at these companies need to be trained in information security, receive continuing security education and be in charge of ensuring the organization is correctly executing the written information security plan. If no one on your team meets this requirement, we can provide someone.

Develop a written risk assessment.

A risk assessment is done in two parts: a technical scan and a questionnaire designed to reveal common security loopholes. This is typically outsourced to an IT firm like the experts here at Action DataTel, and needs to be reviewed annually (by law). Best practice is doing so quarterly if not monthly. This especially important when a business is handling a lot of sensitive information and the tolerance for risk by the owner is low. If you need this risk assessment, schedule a call with our cyber security experts here.

Limit and monitor who can access sensitive customer information.

For example, don’t give your entire team access to your credit card processing system. Only allow one employee (the one who works in it day in and day out), as well as one backup person, to be able to log in and access this information.

Encrypt all sensitive information.

This is typically done by an outsourced IT company like Action DataTel. “Sensitive information” is not just medical records and credit cards. It is also clients’ e-mail addresses, phone numbers, Social Security information, driver’s license information and birthdays. ALL of this can be used by hackers to exploit your customers using the data you host.

Train security personnel.

Employee awareness training is another key component to not only this law, but also to get and keep insurance coverage on cyber liability, crime and other insurance policies. We offer no cost cyber security awareness training to businesses in our community.

Develop an incident response plan.

Specifically, if (when?) you get compromised, you need to have a plan in place for how you will respond. We offer this service to our clients. It should be reviewed by your insurance agent, leadership team, board and other key players in the organization.

Periodically assess the security practices of service providers.

This law also requires you to ensure any companies you are doing business with to be secure and compliant. This is especially important for companies that handle sensitive information. This may include requiring that vendors state in their contracts that they are adhering to the Safeguards Rule and to certain security frameworks, like CIS or NIST.

Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.

Also known as “2FA,” this process ensures anyone logging in to your accounts must authenticate that request via another device, such as a cell phone or e-mail.

If you want to discuss this new rule with us and how to get started with a Risk Assessment, click here to schedule a phone consultation to discuss your concerns, questions and specific situation. If you prefer, you can call us at 541-494-2099.