With the revised FTC Safeguards Rule set to take full effect on December 7, 2022, any business that meets the Federal Trade Commission's definition of a financial institution must designate a “Qualified Individual” to oversee the security of its customer data. That definition reaches well beyond banks, so it may include your business, and as an owner or CEO you are the one the FTC will hold accountable if the program falls short.
We like to call FTC Safeguards a stimulus plan for security consultants. Most small businesses cannot meet the revised rule's requirements without professional help. You can hire someone full time, but most businesses can get everything they need from a Virtual CISO.
FTC Safeguards Rule: Who Is Affected, When Does It Start?
The revised FTC Safeguards Rule takes effect on December 7, 2022, and applies to any business that falls under the Federal Trade Commission's definition of a financial institution. Banks and credit unions answer to their own federal banking regulators rather than the FTC, so the FTC's list is made up of non-bank businesses: mortgage brokers, car dealers that arrange financing, tax preparers, retailers that issue their own credit cards and real estate appraisers, among others. If you collect personal information while extending credit, brokering loans or otherwise bringing buyers and sellers together for a financial transaction, the FTC will treat you as a financial institution.
Who Is a Qualified Individual Under the FTC Safeguards Rule?
The Safeguards Rule requires a “Qualified Individual” to oversee the information security program and report on it, but it does not spell out what makes someone qualified. There are no experience, degree or certification requirements. This was done to provide flexibility, but it will lead to confusion for business owners.
In practice, the FTC will decide after the fact whether your Qualified Individual was qualified enough. Unless you have a background in data security, that’s not you. It’s also not your niece who just graduated college and really knows her way around computers.
The rule was kept vague because there is no one-size-fits-all cybersecurity solution. Should the FTC ever investigate your operations, which becomes likely if you suffer a data breach, it will want to know whether your Qualified Individual has the right experience for the size and type of business you run. You need someone federal authorities will recognize as competent and capable, which means someone experienced in handling the kinds of data you collect and store, at a scale similar to your business. A midsize chain of auto dealers needs someone who has managed a large volume of sensitive financial data, while a solo real estate appraiser needs someone familiar with the risks small businesses face. You will be safe with an Overqualified Individual, but you will pay a premium for that level of experience. It is far riskier to choose an Underqualified Individual on price alone, because they will not be able to demonstrate experience that satisfies the FTC.
Is it Better to Hire or Outsource a Qualified Individual?
Small businesses can realize significant benefits from hiring a Virtual CISO, or fractional Chief Information Security Officer (CISO), to oversee FTC Safeguards compliance. A Virtual CISO who specializes in compliance has typically dealt with FTC requirements, and possibly FTC investigations, across many clients, which is broader exposure than a full-time CISO gains inside a single company. If you only have a few employees, don’t develop your own technology and don’t rely heavily on third-party vendors, outsourcing the CISO role gives you that depth of experience at a far more affordable price.
If you develop software, process a significant number of financial transactions or plan to raise capital for your business in the next 18 to 24 months, hiring a full-time CISO is your best move, because that person will focus solely on your business and its needs.
Most businesses fall somewhere between these two cases. If you build software that collects or stores personal information, or you process a significant number of financial transactions every day, lean toward a full-time CISO. Otherwise, weigh the cost of a full-time CISO against the breadth of experience a fractional CISO brings.
Protect Now will help you analyze your Safeguards Rule compliance needs and find the solution that fits your business. Contact us online or call us at 1-800-658-8311 to speak to a cyber security expert.