Learn how the FTC Safeguards Rule affects your organization’s data security practices. Trust Tekie Geek.
The Gramm-Leach-Bliley Act (GLBA), first enacted in 1999, changed the way financial institutions handle private customer information. In 2021, amendments to one section of GLBA, known as the Safeguards Rule, were approved. The rule requires non-banking financial institutions to maintain comprehensive security programs that keep customer information safe. Companies had until June 9, 2023, to comply with the updated requirements.
As more businesses embrace digital transformation, personal information (PI) is more likely to be stored in the cloud or on an onsite server. In the event of a data breach, this PI could be leaked. This damages customer relationships, exposes businesses to fines and litigation, and can negatively affect your bottom line. Specializing in managed IT services, Tekie Geek helps businesses in New York and New Jersey comply with the FTC Safeguards Rule and improve data security.
The revised Safeguards Rule requires any business or organization that handles customer financial data and engages in transactions that use personal customer information to develop, deploy, and maintain a comprehensive cybersecurity program to keep that data safe. The Federal Trade Commission (FTC) has outlined key requirements for compliance, including:
Businesses that fail to comply with the FTC Safeguards Rule may face fines and penalties, as well as the risk of lawsuits.
The Safeguards Rule applies to businesses under the FTC’s jurisdiction. In general, that means non-banking financial institutions, including:
Although these businesses are not banks, they provide financial products or services to individuals.
All affected businesses must maintain a comprehensive information security program. Of course, compliance can be a challenge for businesses that don’t have sufficient in-house IT resources. Tekie Geek’s outsourced IT services can help small to mid-sized businesses comply with the new rules, even if they do not have an IT staff of their own. We work with companies throughout New York and New Jersey.
Ensuring compliance with these FTC regulations requires a thorough security risk assessment. Begin by reviewing your current data security practices and identifying potential gaps in compliance. Develop an action plan for bringing your policies into compliance. Designate a qualified individual to manage your security plan and allocate the necessary time and resources. Create a clear timeline for implementing the necessary security measures.
The FTC requires your business to implement safeguards that address each risk identified in your initial assessment. This includes:
Although you should have a qualified individual supervising your information security program, such as a chief information security officer (CISO), you still need to train the rest of your staff. Anyone who handles PI must be educated in the fundamentals of data security. Implement an initial training program and regular refresher workshops to keep staff up to date. This reinforces a culture of data protection across the entire organization.
Your written incident response plan must outline how you will respond to a security threat such as a ransomware or phishing attack. The plan must detail:
Whenever a company partners with an outside service provider, it must assess the vendor’s security practices to ensure they align with the company’s internal policies. Vendor security agreements must include provisions for ongoing monitoring and auditing.
Risks to PI are always changing, so the FTC Safeguards Rule requires affected businesses to perform periodic assessments to determine whether their procedures and user policies need to be changed or updated. Create a schedule for conducting regular security audits so you can adapt to evolving threats and changing regulations. Additionally, your organization’s qualified individual must report on your information security program, in writing, to your board of directors at least once per year.
Failure to comply with FTC regulations exposes your business to several risks, including:
Proactive, comprehensive compliance efforts are the best solution for mitigating risks and protecting yourself and your customers.
The FTC Safeguards Rule is designed to protect both businesses and their customers. If you’re struggling to stay up to date on regulatory guidelines, Tekie Geek is here to help. Serving businesses in New York and New Jersey, we offer data protection and secure backup solutions to help you stay in compliance and protect your reputation. Our team also provides: