Are You Subject to the FTC Safeguards Rule?
The FTC Safeguards Rule requires businesses to take certain precautions to protect customer data. The requirements apply to financial institutions, but the FTC Safeguards Rule defines "financial institution" much more broadly than what you and I think of as a bank. If your organization performs activities that are financial in nature, you may be subject to this rule.
Here is a list of firms that ARE subject to the rule:
· Accountants and Tax advisors
· Any business that regularly wires money to and from customers
· Any entity providing real estate settlement services
· Automobile Dealerships
· Career Counselors (who work with those in the financial industry)
· Collection Agencies
· Credit Counselors
· Investment Advisors
· Mortgage Brokers
· Personal Property or Real Estate Appraisers
· Retailers who issue their own credit cards
For a complete definition of financial institutions for the purposes of this rule, see Section 314.2(h).
I’m On the List, What Now?
Keep in mind that the goal of the FTC Safeguards Rule is to protect non-public customer information. If you are a financial institution as defined above, you’ll be expected to develop an Information Security Program and to implement reasonable protections relative to the size of your organization and the sensitivity of the financial information about your customers that you store or transmit.
Let’s Take it Step by Step
1. Information Security Program – Your Information Security Program must be written, it must identify a Qualified Individual to supervise the program, and you must conduct a written risk assessment to define what data the program is protecting and what threats it is protecting the data from.
2. Design and Implement Safeguards – Your program needs to identify what data you have, where it is located and then focus on controlling access to the data. It is important to maintain a log of who accesses the data and to routinely check for unauthorized access. You must also be sure to dispose of customer data securely.
3. Technology Considerations – Two technologies are specifically mentioned in the rule: Multi-Factor Authentication (MFA) and Data Encryption. Anyone accessing customer data needs to be using MFA when logging in. Data Encryption (for stored data and data in transit) may not be feasible for smaller firms, and the rule makes allowance for this. If your firm is large and complex, Data Encryption will most likely be required.
4. Monitoring – You must regularly monitor and test the effectiveness of your safeguards. Continuous monitoring by an MSP like MTSi qualifies. You can also conduct penetration testing and vulnerability scans every six months to meet this requirement.
5. Security Awareness Training – This is a requirement and also an effective safeguard!
6. Written Incident Response Plan – You must create a written Incident Response Plan that defines how you will manage a security incident. Your plan must include roles and responsibilities, the internal processes to be followed, a communications protocol for internal and external communications, and a process to document and fix any weaknesses discovered as a result of an incident. Any incident requires a written post mortem of what happened and of how the Information Security Program and Incident Response Plan will be adjusted as a result.
7. Reporting to Board – The Qualified Individual is required to report in writing to the Board of Directors at least annually.
How Can MTSi Help?
The process can seem daunting given the implementation deadline is December 9, 2022. Fortunately, MTSi has you covered when it comes to protecting your data from a major threat: cyberattack. Our team regularly implements MFA and security awareness training and we can go beyond basic protections to make sure you can protect and recover your data when needed.
Reach out to our team to learn more: call us at 508.324.9475.