How The New FTC Safeguards Rule Will Radically Change How Even Small Businesses Operate

The 5 Biggest Mistake Companies Are Making with the FTC Safeguards Rule and What You Can Do to Avoid Them

A little over a year ago, the FTC made several amendments to the existing Safeguards Rule requiring even very small businesses to ensure the protection of client data. These changes, set to go into effect back in December of 2022, are now going to be enforced starting June 9, 2023 – and it’s very likely that your business, regardless of how small or how your tech is being handled, WILL be required to implement certain new security protocols.

The Safeguards Rule was originally created for financial institutions. However, the new amendments broaden the definition of financial institutions to include real estate appraisers, car dealerships, accountants or other tax preparation services and payday lenders. The FTC goes so far as to include any business that regularly wires money to and from consumers. These organizations are required to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.

Here are the provisions you must implement:

Designate a qualified individual to oversee their information security program. That means someone at these companies need to be trained in information security, receive continuing security education and be in charge of ensuring the organization is correctly executing the written information security plan. If no one on your team meets this requirement, we can provide someone.

Develop a written risk assessment. A risk assessment is done in two parts: one, a technical scan, and two, a questionnaire designed to reveal common security loopholes. This is typically outsourced to an IT firm like ours and needs to be reviewed annually (by law), but best practices should be quarterly if not monthly in situations where a business is handling a lot of sensitive information and the tolerance for risk by the owner is low. If you need this risk assessment, contact us.

Limit and monitor who can access sensitive customer information. For example, don’t give your entire team access to your credit card processing system. Only allow one employee (the one who works in it day in and day out), as well as one backup person (possibly you, the owner), to be able to log in and access this information.

Encrypt all sensitive information. Again, this is typically done by an outsourced IT company like ours, unless your company is large enough to have a robust cyber security team that can handle it. “Sensitive information” is not just medical records and credit cards, but clients’ e-mail addresses, phone numbers, Social Security information, driver’s license information and birthdays. ALL of this can be used by hackers to exploit your customers using the data you host.

Train security personnel. Employee awareness training is another key component to not only this law, but also to get and keep insurance coverage on cyber liability, crime and other insurance policies.

Develop an incident response plan. Specifically, if (when?) you get compromised, you need to have a plan in place for how you will respond. This is also another service we offer to our clients but should be reviewed by your insurance agent, leadership team, board and other key players in the organization.

Periodically assess the security practices of service providers. This law also requires you to ensure any companies you are doing business with – specifically ones where sensitive information is shared – to be secure and compliant. This may include requiring that vendors state in their contracts that they are adhering to the Safeguards Rule and to certain security frameworks, like CIS or NIST.

Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information. Also known as “2FA,” this process ensures anyone logging in to your accounts must authenticate that request via another device, such as a cell phone or e-mail.

If you want to discuss this new rule with us and how to get started with a Risk Assessment, click here to schedule a phone consultation to discuss your concerns, questions and specific situation. If you prefer, you can call us at 951-968-7066. Or if you would still like to learn more about the FTC Safeguards Rule download our FREE REPORT “The 5 Biggest Mistakes Companies Are Making with the FTC Safeguards Rule and What You Can Do to Avoid Them”.

“Honestly the best investment our company has ever made“

Gosh, where do I start! Our small business had grown faster than our technical needs and wants had grown. Within a couple of weeks, Michael upgraded our firmware/software, found vulnerabilities, patched areas of cyber security concerns, and began helping us get organized for the future. He has been our "IT Department" for two years now and quite honestly the best investment our company has ever made. I absolutely recommend Michael Duke and Just Smart Business Technologies. Just wish I could give him more stars!

Corinne Witzel Controller
Vail Ranch Self Storage
Temecula, CA

“If you are looking for someone that performs quality IT services, pick Michael Duke’s Just Smart Business Technologies“

Just Smart Business Technologies has designed and installed the IT infrastructure for three of our premium assisted senior living communities. Michael Duke and his team are professional, knowledgeable, reliable and pay great attention to details. Their fees are a little higher but well worth the additional cost.  If you are looking for someone that performs quality IT services, pick Michael Duke’s Just Smart Business Technologies.

Lucian Luca VP of Information Technology
Northstar Senior Living
Redding, CA