If you do, hopefully you are already aware of the FTC Safeguards Rule that goes into effect December 9th, 2022.

If you are not aware, you really need to see the information below for what is required.

Now, the FTC will not be beating down your door on December 10th to see if you have everything in place. However, if you have a breach on December 10th, 2022, and do not have the requirements implemented, your fines will be higher than if you did have those implementations. So, it is important to implement as many of the requirements as you can by December 9th.

The goal of the Safeguards Rule is to make sure that companies are protecting the Personally Identifiable Information of their customers. The requirements of the rule are sound information security practices. So not only will implementing the requirements keep you out of hot water with the FTC, but they reduce the likelihood of a data breach and should also lower your Cyber Liability Insurance premiums as well.

In short, the Safeguards Rule requires companies to do the following:

• Designate someone to oversee protecting the businesses and its customer’s Information.
• Perform a written Risk Assessment – Identify the internal and external risks to the Security, Confidentiality, and Integrity of your customer’s information. Document how you evaluated/identified the risks, the controls already in place, and what your business will do to resolve the risk or accept
• Create (if you do not already have one) a written Information Security program. The program should document the technical controls that include the following components:
  • Access Controls – technical and physical ways of limiting access to customers’ PII to authorized users who need access to perform their job functions.
  • Identify and manage the data (Customer’s PII) and the assets used to access that data.
  • Protect and document the encryption used for the Customer’s PII, in transit and at rest.
  • If your company develops applications in-house, document the secure development practices used.
  • Implement multi-factor authentication for anyone accessing customer PII unless there is an equal or more secure solution. This one control significantly reduces the risk an account can be compromised. If enabled everywhere possible will lower Cyber Liability Insurance premiums. If it is not enabled, it will significantly increase your premiums.
  • Have a plan for removing customer’s PII 2 years after it is last used in conjunction with a product or service unless it is required for a legitimate business reason.
  • Implement a policy for documenting how changes to access and projects are managed.
  • Define how user access activity is reviewed and how unauthorized access to customer information is detected.
• Regularly test the effectiveness of the controls and procedures. This can be done through vulnerability assessments and/or penetration testing.
• Provide employees with security awareness training to educate them on the types of threats they may experience.
• Oversee vendors and/or service providers that process, and have access to your company’s network or customer’s PII. Require their agreements to include that they are taking steps to protect their access to your company’s network or customer’s PII.
• Regularly review the Information Security program based on changes to business operations, risks, threats, or other circumstances.
• A written Incident Response plan must be developed that describes how the company plans to recover in the event of a security incident.
• Provide an annual report to the Board or business owner.

All the Safeguards Rule applies to the types of companies listed above that have over 5,000 customer records that contact Personally Identifiable Information. Do you have less than 5,000 customer records? Well, you are not completely out of the woods. You still need to comply with most of the Safeguards Rule. However, you are excluded from these requirements:

• Your company is not required to have a written Risk Assessment. I still strongly recommend doing a Risk Assessment as a best practice for information security.
• Your company is also not required to have an annual penetration test or vulnerability assessment. The vulnerability assessment is also recommended.
• A written Incident Response plan is also excluded. Knowing what your company would do in the event of an information security incident is very important. It is still recommended. This time spent creating an Incident Response plan would save you hours of time working through an incident.
• The requirement to report the status of the Information Security program to the Board is not required.

Not only will implementing these requirements keep you out of trouble with the FTC should you have a data breach, but they also add a layer of security if you do not already have these in place. Implementing multi-factor authentication will greatly reduce the chances that someone will be able to access your accounts and information. Using multi-factor authentication will also lower your Cyber Liability Insurance premiums.

If you would like more information about how to implement any or all of these requirements, call us at (888) 831-9400 or fill out the form below!