The Federal Trade Commission has recently updated the security measures that it expects certain companies to follow. The FTC first asserted jurisdiction over businesses’ safety protocols in 2003; it has now revised those measures to keep pace with new technology and with hacking attacks that continue to evolve. Here is what to look out for. The FTC has consistently required financial institutions under its jurisdiction to have the right security measures in place; it has now broadened who must follow these security protocols. The deadline to get your security measures in order is December 2022. Are you prepared?
Recently, I attended a Cisco webinar on the new FTC policies. During the seminar, attendees were polled on whether their companies were aware of the new FTC policies. I have posted the results below. Take some time to view them.
These results reveal that many companies are not fully aware of the FTC’s policies or of the security measures that must be in place to comply with the law. Overall, it is important to know these new measures, both to avoid attacks on your consumers’ private information and to avoid the penalties and fees that come with not putting the required security tools in place.
Who will be affected?
As stated before, the FTC now covers more types of business than just financial institutions. The definition has broadened from financial institutions to all businesses that handle ‘financial consumer data’. The Code of Federal Regulations (15 U.S.C. 6801(b), 6805(b)(2)) states, “This part applies to the handling of customer information by all financial institutions over which the Federal Trade Commission (“FTC” or “Commission”) has jurisdiction…An entity is a “financial institution” if its business is engaging in an activity that is financial in nature or incidental to such financial activities” (ECFR). Additionally, the FTC lists the following businesses as handling financial consumer data and therefore covered:
• mortgage lenders
• payday lenders
• finance companies
• mortgage brokers
• account servicers
• check cashers
• wire transferors
• collection agencies
• credit counselors and other financial advisors
• tax preparation firms
• non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC.
If you are unsure whether your business falls under these new conditions, the FTC has published a ‘consumer rule’ for businesses to check against. We have displayed this governmental rule here.
This rule can also drastically affect small and medium businesses that are still adapting to new security measures. Many such businesses still need to implement certain tools, procedures, and plans while they are growing. There has also been a long-standing misconception that hackers and ransomware attacks only happen to larger companies. It is now clear that any business holding consumer data is at risk; in fact, many attackers specifically target small and medium companies that do not have strict security measures in place.
So, what are the new requirements FTC wants companies to follow?
ALL businesses under this jurisdiction must meet these requirements:
• There must be a qualified individual who manages and oversees all of your company’s security and private information. This can be an MSP or a technical person who works at your company.
• Multi-factor authentication is mandatory, regardless of how many consumers a company has.
Companies with more than 5,000 consumers must additionally follow these rules:
• Companies should conduct risk assessments to verify that their data is secure.
• Companies should have security policies and incident response plans in place. Business owners should know which policies need to be implemented to ensure that data is secured.
• Companies should produce an annual report covering the incidents they have seen and experienced. This report goes to the financial institution’s governing body.
One mandatory rule that has been called out is that ALL businesses under this jurisdiction must have Multi-Factor Authentication.
In Cisco’s webinar, the presenters explain why MFA is an imperative measure for businesses. Because of the sheer number of credential compromises, weak password choices, and password reuse across accounts, it has been quite easy for attackers to obtain private information quickly. Make sure that your company or your MSP has MFA in place; this is a mandatory action.
What happens if my company is not in compliance with these security rules?
The FTC is serious about making sure these security measures are in place. If your company’s security protocols do not comply with the FTC guidelines, your company can be fined up to $100,000 per violation, and individuals can face up to five years of prison time.
Overall, it is important to understand that these FTC updates will continue to change as time goes on and technology evolves. Keeping up with these security updates is a full-time job. For the sake of your company’s private information and finances, talk with your MSP and create your own security plan before the deadline.
The Infiniwiz technical team takes a proactive approach to your cybersecurity. We set up the right IT protocols and help you put in place the employee procedures that keep your data and network safe from online attackers and compliant with the FTC’s rules. That said, make sure to do your part in staying alert.