The Updated FTC Safeguards Rule: What You Need To Know

Note: Strive IT is a technology consulting firm.  We are not a law firm, nor do we represent or speak on behalf of the Federal Trade Commission (FTC).  What follows is not legal advice, but our interpretation of what we have read regarding recent current events.  Please consult with your own attorney before making any decisions related to this content.

What is the FTC Safeguards rule and why should I care?

The FTC Safeguards Rule has been around since 2003, but it mostly only applied to banks and other traditional financial institutions.  It was designed to help protect consumers' financial and health information from being compromised due to inadequate cybersecurity (among other things).

Then, in 2021, the FTC revised it in two important ways, both of which went live June 9th, 2023.

  1. The cybersecurity requirements were strengthened to keep up with the modern threat landscape.
  2. The definition of “financial institutions” was expanded to include all businesses that are “engaging in an activity that is financial in nature”.

That is a big expansion of the number and type of businesses that now must maintain compliance.  Here is a partial list of the industries it includes:

  • Auto dealerships
  • CPAs and tax preparation firms
  • Mortgage lenders & brokers
  • Schools and Universities
  • Financial aid services
  • Payday lenders
  • Financial advisors
  • Finance career counselors
  • Travel agencies
  • Real estate appraisers
  • Account servicers
  • Check cashers
  • Wire transferors
  • Collection agencies
  • Credit counselors and other financial advisors
  • Non-federally insured credit unions
  • Investment advisors not registered with the SEC

Basically, if your business deals with other people’s non-public financial information, you should check with your attorney and ask whether you are subject to these regulations.

My business is in the new list.  Now what?

If your business falls under the new regulations, then you should start moving quickly!  The new regulations passed two years ago; the deadline was already extended once, and the final deadline has now passed.  The FTC now assumes that everyone has had enough time to get into compliance.

To attain and maintain compliance you will need to create a Written Information Security Plan (WISP) that includes the following:

  1. Put someone in charge. This is called the Qualified Individual.  You can outsource the planning and implementation of this process to an external IT company, but your company retains full responsibility for making sure everything is completed.
  2. Document what you have and where you have it. Maintain a list of all hardware, software, users, accounts, and vendors.  Also, document the customer data you have and where it is all stored.  Only once you do this can you determine how to protect it all.
  3. Conduct a risk assessment. Now that you know what you have, figure out what the foreseeable risks and threats are to each item in that list. Write down this risk assessment, and make sure you’re documenting your evaluation criteria.
  4. Design Safeguards. Now that you know what you have and what the risks are, you are ready to protect against those risks. Your protection plan should include the following:
    • Determine who has access to your customer information and whether they need it.
    • Encrypt all customer information, whether it is stored on your systems, traveling through your network, or going out on the internet. This includes backups.
    • Implement multi-factor authentication (MFA) for everyone. Ensure it protects your email, software that accesses customer data, and logging onto your computers.
    • Don’t keep customer information around. Securely delete/destroy it within 2 years after its last use.  CPAs and others who are required to maintain records will have their own requirements for this.
    • Maintain a log of authorized users’ activity and keep an eye out for unauthorized access.
  5. Training. Train all of your staff on cybersecurity principles regularly.
  6. Manage your vendors. Have a process to choose and regularly reassess your service providers and vendors to ensure they are taking their cybersecurity seriously and treating your customer data with the safeguards the FTC requires. If you develop your own software for storing customer data, you should be doing regular assessments of these apps as well.
  7. Regular reassessment, revision, & reporting. Regularly monitor and test the effectiveness of your safeguards.  This will probably mean vulnerability scanning and penetration testing.  Update the safeguards based on these tests, based on new threats, and whenever something important changes in the environment.  Update the WISP regularly, and report on it annually to a board of directors or senior management.

Does this really apply to me? My business is so small!

Yes and no.  There are some exceptions for businesses that store customer data for fewer than 5000 people.  However, this is not a full pass.  These smaller businesses still need strong cybersecurity measures and a full plan, but they can get away without a written risk assessment, penetration testing, a written incident response plan, and an annual report.

But remember, 5000 records is not that many.  If you really try to count how many people you keep historical records on (including spouses and families), and what that number might be a year or two from now when you get hacked, it’s pretty achievable for most small businesses.

So what? How dangerous can non-compliance be?

Here’s the logic around why you, as a small business, should take this seriously:

  1. You’re going to get hacked. Everyone should just assume that.  The less attention you pay to cybersecurity, the more likely you will get hacked because the hackers know you’re an easy target.  If you think you’re too small or boring for a hacker’s attention, you’re wrong.
  2. When you get hacked, people will find out. People talk, and you can’t keep these things a secret.  Also, if the hackers had access to Colorado residents’ info, then you have the legal obligation to notify them, and maybe the state attorney general, so you will let the word out yourself.
  3. The FTC will find out. The FTC does random enforcement of these rules, but they’re more likely to come down on you when there’s been a complaint, or if they find out you were breached and customer data was leaked. See #2.
  4. Fines are REALLY expensive. The FTC can fine businesses up to $50,120 per violation. And if you have one violation, you likely have more.  That is on top of the actual breach costs: $15,000 for forensics and a breach attorney, $500,000 for a ransomware payment (average in 2021), downtime, lost sales, reputation damage, attorney general notifications, rising insurance rates, the list goes on.
  5. All breached users may sue you.  The rule allows any individual affected by your data breach to have a private cause of action against you.

That's a lot of risk you're taking on by ignoring this!  It is far wiser and way less expensive to pay for good cybersecurity and compliance than it is to risk getting hacked.

OK, I’m convinced.  What do I do now?

First, check with your attorney and ask whether your business needs to comply with the FTC Safeguards Rule.  All of the recommendations are standard cybersecurity best practices, so you should be doing them even if they are not required.

Next, get started!  The list above is a great starting point for your WISP.  The links below will give you all the information you need to pull a plan together yourself.

This is too much work!  Can you do it for me?

Absolutely!  If you don’t want to do this yourself, we are experts in cybersecurity and can do all of the heavy lifting for you.  Call us at (303) 963-2302 or fill out the form at the top of this page to get an initial assessment scheduled right away.

Sources:


Our health tech company's collaboration with Strive has been marked by their unwavering perseverance that has led to a number of successes during our engagement with them. From the very beginning, their team showed remarkable determination to understand our needs and overcome every challenge that arose. This grit and resilience have translated into successful project deliveries, even under the most demanding circumstances. We’ve come to trust Strive IT’s ability to navigate obstacles without losing focus on our overarching goals. Equally impressive is Strive IT’s dedication to growth—both their own and ours. Their professionals are always seeking to refine and expand their skill sets and operational efficiency, staying well-informed about the latest trends and technologies. In turn, they use that knowledge to help us stay on trend with industry shifts, guiding our organization toward innovative solutions. Their commitment to continual improvement not only strengthens their offerings but also empowers us to advance our cyber security goals. Another standout quality is Strive IT’s empathetic approach. Rather than delivering one-size-fits-all answers, they take the time to truly listen to our concerns, exploring each nuance of our operations. This genuine interest in our mission, vision and challenges allows them to tailor solutions that align with our culture and priorities. By placing empathy at the forefront, they ensure that each project outcome reflects our core values and fosters a sense of mutual respect. All these elements—perseverance, growth, and empathy—make Strive far more than a typical managed service provider. They have become a reliable partner in our pursuit of success, showcasing a genuine dedication to helping us thrive. I cannot recommend them more highly.

Sylvia Isler

5 Stars All The Way 

“Strive IT is personable. They not only get to know your technology needs, but they get to know you, too. My last IT company was a little cheaper, but I was always reluctant to call them. It was a headache dealing with their slow responses, and they didn’t appear to understand my business needs. I began asking myself what I was paying them for at all. It became apparent that switching to a tech company like Strive was the right move for my small business. With Strive, I get a truly pro-active company. They tell me about problems before I'm even aware of them. Their personal touch, attention to detail, quick response times, and incredible knowledge in regards to technology make it a no-brainer to work with them. You get what you pay for, and these guys are 5 stars all the way. Top quality and worth every penny.”

Paul Novak Agency Owner
The Novak Insurance Agency