As of June 9, certain provisions of the FTC’s amended Safeguards Rule took effect, requiring non-banking financial institutions to develop, implement, and maintain a written information security program with administrative, technical, and physical safeguards designed to protect customer data containing nonpublic personal information.
While the June 9 effective date creates urgency around compliance for specific types of financial institutions, the mandated data security measures are things every business should be doing anyway to keep their data — and that of their customers — safe in today’s ever-evolving threat landscape.
Do the Safeguards Rule provisions apply to your business?
The Safeguards Rule applies to any non-banking financial institution that holds or uses consumer information, including accounting firms, tax preparers, payroll providers, finance companies, mortgage brokers, collection agencies, and financial and investment advisors. If you’re not completely sure whether your company is covered under the rule, you can find more details here.
Some companies may be confused by the exemption for financial institutions that “maintain customer information concerning fewer than five thousand consumers”. You need to consider not only your customers’ data, but any of their customers’ data that you may be storing, accessing, or processing in the course of doing business. When you take this into account, the Safeguards Rule applies to many financial institutions — and yours may be one of them.
What does Safeguards Rule compliance entail?
To comply with the rule’s provisions, your information security program needs to include the following elements:
- Designate a qualified individual, either a direct employee or an employee of your service provider, to implement and supervise the program
- Conduct a risk assessment to identify risks and threats to the security, confidentiality, and integrity of customer information
- Dispose of customer information securely
- Monitor and test the effectiveness of your safeguards on a regular basis
- Train staff, affiliates, and service providers in security awareness so they can spot risks
- Monitor your service providers to ensure they’re meeting security expectations per your contract
- Keep your information security program current to keep pace with changes in your operations and the overall threat landscape
- Create a written incident response and recovery plan that will be put into effect if a security event takes place
- Require your designated qualified individual to report to your Board of Directors or governing body at least annually
Is your organization Safeguards Rule compliance ready?
For small businesses, compliance with Safeguards Rule provisions may seem like a heavy lift. You may not have the in-house expertise to develop, implement, and maintain a comprehensive information security program. Or your internal resources may be so busy with the day-to-day tasks of running your business that this requirement keeps getting pushed off. Unfortunately, the clock has run out and the time to ensure compliance is now.
IV’s new FTC Compliance services can help
Infinitely Virtual (IV) now offers two IV Protect service offerings designed to make FTC Safeguards Rule compliance manageable and affordable.
White Glove FTC Compliance Service: An end-to-end managed service that includes development of your tailored WISP (Written Information Security Program) as mandated by NIST, an in-depth security risk assessment, and implementation of critical IV Protect security solutions to bring your company into FTC compliance quickly and cost-effectively.
FTC Compliance Blueprint: A service offering that delivers the IV Protect security solutions, remote monitoring tools, Risk Assessment/WISP Blueprints, and expert guidance your in-house IT personnel or outsourced IT provider needs to achieve FTC compliance for your business.
For more information, call us at 866-257-8455 or visit InfinitelyVirtual.com/solutions/iv-protect/ftc-safeguards-rule-compliance/.