Guide to the FTC Safeguards Rule


Is Your Business Compliant With the New FTC Safeguards Rule?

The Gramm-Leach-Bliley Act (GLBA), first enacted in 1999, changed the way financial institutions handle private customer information. In 2021, changes were approved to one section of GLBA known as the Safeguards Rule. This rule states that non-banking financial institutions must have comprehensive security programs that keep customer information safe. Companies had until June 9, 2023, to comply with the updated requirements.

As more businesses embrace digital transformation, personal information (PI) is more likely to be stored in the cloud or on an onsite server. In the event of a data breach, this PI could be leaked. This damages customer relationships, exposes businesses to fines and litigation, and can negatively affect your bottom line. Specializing in managed IT services, Tekie Geek helps businesses in New York and New Jersey comply with the FTC Safeguards Rule and improve data security.

Understanding the FTC Safeguards Rule

The revised Safeguards Rule requires any business or organization that handles customer financial data and engages in transactions that use personal customer information to develop, deploy, and maintain a comprehensive cybersecurity program that keeps customer financial data safe. The Federal Trade Commission (FTC) has outlined key requirements for compliance, including:

  • Data security measures: Companies must encrypt customer information, implement data access controls, securely dispose of PI, and maintain user activity logs.
  • Employee training and awareness: Staff must receive regular training, so they know how to identify and report potential security threats.
  • Incident response planning: Businesses must have a written plan detailing how they will handle security threats.
  • Third-party vendor management: Service providers must be carefully vetted to ensure they meet your security requirements.
  • Periodic assessment and adjustment: Companies must conduct regular risk assessments, review access controls, and test safeguards through continuous monitoring.

Businesses that fail to comply with the FTC Safeguards Rule may face fines and penalties, as well as the risk of lawsuits.

What Types of Businesses Are Affected?

The Safeguards Rule applies to businesses under the FTC’s jurisdiction. In general, that means non-banking financial institutions, including:

  • Car, boat, and RV dealers
  • Collection agencies
  • Credit counselors and financial advisors
  • Finance companies
  • Mortgage lenders and brokers
  • Payday lenders
  • Real estate or personal property appraisers
  • Tax preparation firms
  • Travel agencies

Although these businesses are not banks, they provide financial products or services to individuals.

How Can Small to Mid-Sized Businesses Assure Compliance?

All affected businesses must maintain a comprehensive information security program. Of course, compliance can be a challenge for businesses that don’t have sufficient in-house IT resources. Tekie Geek’s outsourced IT services can help small to mid-sized businesses comply with the new rules, even if they do not have an IT staff of their own. We work with companies throughout New York and New Jersey.

Ensuring Compliance

Ensuring compliance with these FTC regulations requires a thorough security risk assessment. Begin by reviewing your current data security practices and identifying potential gaps in compliance. Develop an action plan for bringing your policies into compliance. Designate a qualified individual to manage your security plan and allocate the necessary time and resources. Create a clear timeline for implementing the necessary security measures.

Implementing Data Security Measures

The FTC requires businesses to implement safeguards that address any risk identified in your initial assessment. This includes:

  • Encryption and data protection technologies
  • Secure network infrastructure
  • Access controls and authentication mechanisms
  • Regular data backups and secure storage

Employee Training and Awareness

Although you should have a qualified individual supervising your information security program, such as a chief information security officer (CISO), you still need to train the rest of your staff. Anyone who handles PI must be educated in the fundamentals of data security. Implement an initial training program and regular refresher workshops to keep staff up to date. This reinforces a culture of data protection across the entire organization.

Incident Response Planning

Your written incident response plan must outline how you will respond to a security threat such as a ransomware or phishing attack. The plan must detail:

  • An internal response process with clear roles and responsibilities
  • How you will share information about the incident within and outside the organization
  • Documentation procedures
  • Steps to mitigate any weaknesses you identify after an incident

Managing Third-Party Vendors

Whenever a company partners with an outside service provider, it must assess the vendor’s security practices to ensure they align with the company’s internal policies. Vendor security agreements must include provisions for ongoing monitoring and auditing.

Periodic Assessment and Adjustment

Risks to PI are always changing, so the FTC Safeguards Rule requires affected businesses to perform periodic assessments to see if they need to change or update procedures and user policies. Create a schedule for conducting regular security audits so you can adapt to evolving threats and changing regulations. Additionally, your organization’s qualified individual must report on your information security program, in writing, to your board of directors at least once per year.

Consequences of Non-Compliance

Failure to comply with FTC regulations exposes your business to several risks, including:

  • Financial penalties
  • Legal consequences
  • Reputational damage and loss of customer trust

Proactive, comprehensive compliance efforts are the best solution for mitigating risks and protecting yourself and your customers.

Find Expert IT Help From Tekie Geek

The FTC Safeguards Rule is designed to protect both businesses and their customers. If you’re struggling to stay up to date on regulatory guidelines, Tekie Geek is here to help. Serving businesses in New York and New Jersey, we offer data protection and secure backup solutions to help you stay in compliance and protect your reputation. Our team also provides:

For more information about the FTC Safeguards Rule and Tekie Geek’s business continuity services, contact us today.

Interested in Learning More about Our Services?

Contact us to request a consultation.