It’s a common misconception that only corporations with more than 5,000 customers are subject to the enhanced cybersecurity demands outlined in the Federal Trade Commission Safeguards Rule. Smaller organizations should prepare to execute similar information security assessments and improvements on a much simpler scale. While they are exempt from a handful of requirements – designating a “qualified individual” on staff to manage compliance, evaluating their outsourced IT service provider, and having an incident response plan – they remain governed by the intent of the FTC rule: protecting customers from identity theft and implementing a robust data security program with appropriate safeguards.
As the agency that enforces a variety of antitrust and consumer protection laws affecting virtually every area of commerce, the FTC has focused on protecting consumers and customer data as well as improving financial institution security with its Safeguards Rule, which was expanded and updated in October 2023. The rule applies to any record containing nonpublic or sensitive personal information about any customer of a financial institution and requires “administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”
In layman’s terms, the new FTC regulation for financial institutions demands those organizations craft a comprehensive data security program that follows information security best practices and addresses three major areas:
The rule has multiple elements and addresses the broad spectrum of cybersecurity measures, responsibilities, and actions that align with established best practices for safeguarding sensitive information. These requirements include:
Other FTC Safeguards Rule guidelines are aligned with the outcomes of a required risk assessment that identifies an organization’s existing internal and external risks to the “security, confidentiality, and integrity” of customer data. The rule requires periodic risk assessments and demands that companies design a security program to close those gaps, using digital and physical access controls, encryption, multifactor authentication, penetration testing, and vulnerability assessments.
In addition to those technical FTC compliance requirements, the Safeguards Rule demands security measures for in-house applications, secure disposal processes, stringent information security policies supporting a robust security culture, detailed security logs, and testing. Businesses are also required to implement compliance and security awareness training for employees, empowering their best line of defense by engaging employees in protecting their business.
While smaller organizations must still execute regular assessments, those assessments do not need to be documented in advance, and the required security measures for those small to midsized businesses are significantly fewer than those demanded of larger corporations. What are best practices for those companies not fully governed by the FTC Safeguards Rule?
Here are some tips for getting started:
Nearly all organizations will need to connect with a cybersecurity expert to meet the detailed requirements of the FTC Safeguards Rule, and smaller companies are no different. Cybersecurity, compliance, and data loss prevention are complicated challenges that require multifaceted solutions integrated seamlessly together.
If you have questions about where your business falls within the FTC Safeguards Rule, request a consultation today.
Daniel Haurey Jr. is the president and founder of managed IT services provider Exigent Technologies, which he founded in 1997. Under his leadership, the MSP has earned accolades ranging from Channel Futures MSP 501 to being named SonicWall’s 2024 MSP Growth Partner of the Year. Dan is a true entrepreneur, dedicated to growing, investing in, and mentoring small businesses. You can find him on LinkedIn, where he regularly posts about technology, business, leadership, and community.