Small businesses that provide financial services are about to find the Federal Government looking very closely at their operations. The Federal Trade Commission, or FTC, which exists to protect consumers from predatory or unfair business practices, will fully implement changes to its Safeguards Rule on December 9, 2022. These changes are substantive, and so are the penalties for non-compliance, which can be as high as $43,792 per violation per day.
Who is affected by the FTC Safeguards Rule?
Businesses defined by the FTC as “financial institutions” must comply with the rules. Before you say, “I’m ok, because I’m not a bank,” take a look at the businesses that the FTC plans to regulate:
- Auto dealers that extend or arrange financing, including those that finance in-house (a cash-only dealer that neither finances nor arranges financing is not covered)
- Real estate appraisers
- Tax preparers
- Payday lenders
- Check cashers
- Wire transfer services
- Collection agencies
- Credit counselors
- Investment advisers that are not required to register with the SEC
- Credit unions that are not federally insured
These are some of the businesses that will be subject to the new rules. In short, if you handle money or facilitate financial transactions, the FTC expects you to comply with its new Safeguards Rule.
How can businesses comply with the Safeguards Rule?
There are two primary needs to satisfy under the Safeguards Rule that may send small-business owners looking for a Virtual CISO or cyber security specialist.
- You must designate a Qualified Individual to oversee, implement and enforce your information security program and to report in writing to your Board of Directors (or, if you have no board, to a senior officer). That report is due at least annually and must cover the overall status of the program and material matters such as risk assessment results, service-provider arrangements, test results, security events and how you responded to them, and recommended changes.
- You must have a written information security program (the Rule's term for your security plan). It must contain the following elements:
- A written risk assessment of all current systems and procedures for handling customer information, repeated periodically as your business and its threats change.
- Access controls and a written record of which employees have access to customer information. Review it periodically with the goal of limiting access to the people who need it to do their jobs.
- An inventory of the customer information you collect, the systems it is stored on and the devices and people that can reach it.
- Encryption of customer information both in transit over external networks and at rest. Where encrypting a particular data set is infeasible, the Qualified Individual must review and approve an equivalent compensating control in writing.
- Secure development practices for any apps, forms or programs your business builds to collect or transmit customer information, and procedures for evaluating and testing the security of applications you obtain from others.
- Multi-factor authentication for anyone accessing any information system that holds customer information, unless the Qualified Individual approves in writing a reasonably equivalent control.
- Procedures to securely dispose of customer information when a customer asks or when it is no longer needed. The Rule also sets an outer limit: customer information must be securely destroyed no later than two years after it was last used to serve the customer, unless you still need it for legitimate business purposes or a law requires you to keep it.
- Logging of authorized users' activity on your systems and monitoring that detects unauthorized access to or use of customer information.
- Regular testing of your safeguards: either continuous monitoring, or annual penetration testing plus vulnerability assessments at least every six months. Third-party service providers that handle customer information must be vetted, contractually required to protect it and periodically reviewed.
- A security awareness training program, updated as the risks you identify change, to help employees recognize phishing and prevent data breaches.
Can businesses manage FTC Safeguard Rule compliance on their own?
If you want to add a couple of full-time staffers to meet your compliance needs, that is an option, but most small businesses do not have the budget for full-time compliance specialists, and most small-business owners and employees lack the experience to know what the FTC will consider “effective,” “secure” or “compliant.”
You can run yourself ragged trying to keep up with these rules, or you can partner with a compliance specialist like Protect Now. We will conduct all needed assessments, formalize your plan and help you maintain compliance moving forward. To learn more, please contact us online or call us at (800) 658-8311.