Today, we want to draw your attention to the safeguards introduced by the Federal Trade Commission (FTC) and why they matter to you.
The FTC safeguards, while not applicable to all businesses, it is of critical concern If you find yourself in this category. It is essential to understand these changes and take immediate action to ensure avoiding fines of up to $100,000 per incident and prison sentences of up to five years.
What Are the FTC Safeguards?
The Federal Trade Commission has rolled out new cybersecurity safeguards, primarily aimed at businesses that handle sensitive customer data, such as financial institutions, healthcare providers, and certain service providers. These safeguards are designed to protect consumers’ personal information from data breaches and security vulnerabilities.
Who’s covered by the Safeguard Rule?
How do you know if your business is a financial institution subject to the Safeguards Rule? First, consider that the Rule defines “financial institution” in a way that’s broader than how people may use that phrase in conversation. Furthermore, what matters are the types of activities your business undertakes, not how you or others categorize your company.
Some Simple Examples of organizations that may be covered are:
- Tax Preparation Firms
- Investment advisers not required to be registered with the SEC
- Collection agencies
- Real estate appraisers
- Tax Preparers
- Mortgage brokers
- Certain Car Dealerships
- Retailers extending credit through their own credit card services
- Higher education institutions participating in federal student financial aid programs authorized under Title IV of the Higher Education Act of 1965
What do you need to do if you are covered?
We are here to guide you through the process of compliance with the new FTC safeguards. Please reach out to our team for help. For more info on what is required below is a very brief outline.
1: Designate a Qualified Individual
- In charge of overseeing/implementing information security program
- Can be employee, affiliate, or service provider of the client
- Client retains responsibility if delegated outside their organization
- https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(a)
2: Perform and document risk assessment
- Must be a written assessment
- Must include criteria for evaluating risks and assessment of systems and customer information
- Requires a continuing cadence for additional assessments
- https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(b)
3: apply controls
- Implement and periodically review access controls
- Deploy encryption for customer data in transit and at rest
- Annual penetration tests
- https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(c)
4: Validate controls
- Regularly test and monitor controls’ effectiveness
- Information systems require continuous monitoring or annual penetration testing
- Vulnerability assessments every six months
- https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(d)
5: Develop Training/Auditing Program
- Implement security awareness training explaining risk assessment findings
- Maintain sufficient staffing to run the security program
- Verify that security personnel are staying current on security threats
- https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(e)
SecOps 131 – FTC Safeguards
6: Monitor Service Providers
- Engage service providers that can maintain appropriate safeguards
- Make sure service provider contracts include safeguard implementation
- Periodically assess service providers
- https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(f)
7: Develop Continuous Improvement Cadence
- Evaluate information security program based on:
- Testing
- Material changes in your organization
- The results of a risk assessment
- https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(g)
8: Document Incident Response Plan
- Document every incident
- Include goals, processes, and roles among several other requirements
- Review response plan after every security event
- https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314#p-314.4(h)
9: Provide Annual Reporting to Senior Leadership
- Designated Qualified Individual must provide annual report to leadership body
- Include overall status of security program and compliance
- Must also have material matters related to the information security program (assessme
This client alert is prepared for the general information of our partners. It should not be regarded as legal advice.
