A little over a year ago, the FTC made several amendments to the existing Safeguards Rule, requiring even very small businesses to ensure the protection of client data. These changes, set to go into effect back in December of 2022, are now going to be enforced starting June 9, 2023 – and it’s very likely that your business, regardless of how small or how your tech is being handled, WILL be required to implement certain new security protocols.
The Safeguards Rule was originally created for financial institutions. However, the new amendments broaden the definition of financial institutions to include real estate appraisers, car dealerships, and payday lenders. The FTC goes so far as to include any business that regularly wires money to and from consumers. These organizations are required to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
Here are the provisions you must implement:
That means someone at these companies need to be trained in information security, receive continuing security education, and be in charge of ensuring the organization is correctly executing the written information security plan. If no one on your team meets this requirement, we can provide someone.
A risk assessment is done in two parts: one, a technical scan, and two, a questionnaire designed to reveal common security loopholes. This is typically outsourced to an IT firm like ours and needs to be reviewed annually (by law), but best practices should be quarterly, if not monthly, in situations where a business is handling a lot of sensitive information and the tolerance for risk by the owner is low. If you need this risk assessment, contact us.
For example, don’t give your entire team access to your credit card processing system. Only allow one employee (the one who works in it day in and day out), as well as one backup person (possibly you, the owner), to be able to log in and access this information.
Again, this is typically done by an outsourced IT company like ours, unless your company is large enough to have a robust cyber security team that can handle it. “Sensitive information” is not just medical records and credit cards but also clients’ e-mail addresses, phone numbers, Social Security information, driver’s license information, and birthdays. ALL of this can be used by hackers to exploit your customers using the data you host.
Employee awareness training is another key component to not only this law, but also to get and keep insurance coverage on cyber liability, crime, and other insurance policies.
Specifically, if (or when?) you get compromised, you need to have a plan in place for how you will respond. This is also another service we offer to our clients, but should be reviewed by your insurance agent, leadership team, board, and other key players in the organization.
Also known as “2FA,” this process ensures anyone logging in to your accounts must authenticate that request via another device, such as a cell phone or e-mail.
If you want to discuss this new rule with us and how to get started with a Risk Assessment, click here to schedule a phone consultation to discuss your concerns, questions and specific situation. If you prefer, you can call us at