The Federal Trade Commission’s Standards for Safeguarding Customer Information, or Safeguards Rule, was created to protect the private information of your customers.
This complex rule applies to "financial institutions subject to the FTC’s jurisdiction" (source). Certain types of businesses have recently been reclassified. As of June 9, 2023, the following industries (and several others) will be subject to the new compliance requirements:
- accountants
- automobile dealerships that lease “automobiles on a nonoperating basis for longer than 90 days” (source)
- businesses that wire money to and from customers
- check-cashing operations (e.g., Check Into Cash)
- investment advisors
- mortgage brokers
- real estate settlement service providers
- retailers who offer proprietary, or private label, credit cards
- property and real estate appraisers
sellers and printers of checks - tax return preparers
- travel agencies
Requirements
The Safeguards Rule requires companies in the above categories and others to “develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information” (source).
Elements of an IT security program must include:
- “Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program.”
- “Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information.”
- “Design and implement safeguards to control the risks you identify through risk assessment.”
- “Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.”
- “Oversee service providers.”
- “Establish a written incident response plan.”
- “Require your qualified individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body” (source).
This means your business must test for current IT security weaknesses, then address those weaknesses through a comprehensive program that includes implementing multi-factor authentication and encryption of customer data.
Additionally, you have to make sure any providers you use do the same.
The Cost of Non-Compliance
There will, of course, be steep penalties for non-compliance. “The FTC can initiate an enforcement action against the company, which may include long term ‘consent agreements’ for both the company and senior management. The FTC cannot impose a financial penalty for the first offense. But it can seek other damages, including up to $47,517 per day for each consent violation” (source).
By now, you probably have a lot of questions. WYRE is here to help. We currently work within the industries affected by the Safeguards Rule and are actively helping companies like yours ensure they’re in compliance.
We start with a free technology assessment that provides a broad overview of the strengths and weaknesses in your IT environment. With the results of that report in hand, we then help guide you toward the best way to implement a security program, including penetration testing, email and endpoint protection, and network security.
If you already have an IT department, we coordinate our efforts, filling in any gaps in your security coverage while offering 24/7 emergency support.
If you have any questions whatsoever, give us a call: 423-874-8230. We’re ready to get started!