The FTC Safeguards Rule may be completely new to you or maybe you have some familiarity. Either way, you probably have questions and are wondering what you need to know. Here are a few answers to frequent questions.
The FTC Safeguards Rule “requires covered financial institutions to develop, implement and maintain an information security program with administrative, technical and physical safeguards designed to protect customer information.”
In other words, tax preparers must implement cybersecurity plans to protect client data, with a looming deadline of mid-2023. Failure to do so may result in an FTC investigation. Learn how to comply with these rules and read more guidance on data security in IRS Publication 4557, Safeguarding Taxpayer Data.
On June 9, 2023, the FTC will start enforcing the Safeguards Rule to ensure that entities covered by the rule maintain safeguards to protect the security of customer information.
The FTC notes that even if your business wasn’t covered by the original version of the rule, your business operations have likely evolved and changed over the past 20 years. Your business as it stands today may meet the current definition of a financial institution.
All companies interact with personally identifiable information, so understanding these new requirements is critical.
There are nine new requirements outlined in the FTC Safeguards Rule that affected organizations must comply with:
Your company needs to appoint a “qualified individual” who will implement and supervise your information security program. It can be someone who works for you or an outside person. No particular degree is required. The person needs to be familiar with your “real world” operations, that is, how your business actually stores and processes information.
To formulate and execute an effective information security program, you need to know what information you have and how and where it is stored. The risk assessment should look at both internal and external security factors, as well as the confidentiality and integrity of your customers’ information.
*If you hold financial information for fewer than 5,000 consumers, you are not obligated to perform a risk assessment.
This process involves eight steps, outlined below:
This can be achieved either by continuously monitoring your environment or by conducting penetration testing and a vulnerability assessment every six months.
Provide all your employees with continuous security awareness training.
Any service provider who may have access to your customer data should have the skills and experience to maintain the same level of safeguards as if they were your employee.
You should re-evaluate your security program whenever you experience a change in your business (replacing employees, changing software vendors, adding staff, etc.).
Have you ever experienced a fire drill? An IR plan is like a written version of a fire drill. This document will outline the steps you need to take should you have a security event.
*If you hold financial information for fewer than 5,000 consumers, you are not obligated to keep an IR plan.
Regardless of whether your qualified individual is on your staff or is an outsourced entity, that role needs to submit regular annual reports to your board of directors or governing body.
*If your company doesn’t have a board or governing body, the report should go to a senior person (usually the owner of the company).
You could take the easy route and ignore the new requirements, but it could ultimately endanger your company. Here’s what could happen if your company experiences a data breach, according to the FTC:
If you’re worried about the new FTC Safeguards Rule and how it will affect your company, we can help.
We’re hosting informational webinars on the subject and we can help outsource your information security needs. Book a meeting with us to schedule a risk assessment, or contact us with any questions you may have about the FTC Safeguards Rule or any other IT concerns.
Entrust your business to a team of reliable and responsive experts; you won’t regret it.