
FTC Safeguards Rule - What your business needs to know

The Safeguards Rule requires entities covered by the Rule to maintain safeguards that protect the security of customer information. What does this mean for your business? Matthew, our Director of Business Development, explains.


Hey, my name is Matthew Mulcahy. I’m the Director of Business Development at ProSource. And today I wanted to touch on some recent rule changes from the Federal Trade Commission. So the Federal Trade Commission has had a comment period open for the Safeguards Rule, asking for feedback and proposed changes. That comment period has closed and has solidified any changes to the rulemaking.

So for those of you that don’t know what the Safeguards Rule is, it’s a rule set of cybersecurity requirements that are meant to help businesses protect consumer financial data. If you’re a business that is asking for non-public financial data from consumers, these rules apply to you. You could be an auto dealership doing financing, could be a CPA firm working on taxes, could be a financial advisor helping with investments. If you are working with non-public financial information, this is important. So I’ll link down below a little deeper article that shows more granularly the rules for businesses. But what I really wanted to touch on were the solidified cybersecurity requirements. So let’s hop down to that.

The first and most important thing, and we see this in HIPAA with a designated compliance officer, is that for the Safeguards Rule they’re asking you to designate a named individual to champion this program. This can be an internal employee or an external vendor, but they need to be named. That’s really the person that is going to take ownership of this and help your business work through this program.

The next one is you have to conduct a risk assessment. You can’t know where to go if you don’t know where you’re starting. So this really helps you establish a baseline: what do we have in place, and where are our gaps, or where’s the risk? So the first thing you have to do is understand where your current disposition is and then chart the path forward.

There are a couple of specific controls here based on your risk assessment: access controls, understanding where your data lies. Encrypting data in transit and at rest, so when you’re transferring it internally or externally, and where you’re storing that data, it needs to be encrypted. Understanding access to apps; multi-factor authentication, whether that’s a push notification, a hard token or an SMS text message, there’s a bunch of ways you can do that. Making sure you’re disposing of customer information securely. Anticipating and evaluating changes to your IS systems, which really is just: practice change management. And then maintaining a log of authorized users’ activities and making sure that no one is improperly accessing your systems. So they want you to really put some fundamental cybersecurity best practices in place and then do ongoing testing of those cybersecurity controls.

So one of the most important things down here is training your staff as well. Your weakest link is your staff. They can click a link that kneecaps your entire cybersecurity infrastructure and circumvents all those great controls you have in place and you’re paying for.

Monitoring your service providers: you have to have expert outside help in most cases. We know this is a problem with cybersecurity talent shortages. So it’s very important to work with a competent provider that can help you fill those cybersecurity gaps, because you probably don’t need a full-time cybersecurity person for this.

Making sure your program’s current, and then having a written incident response plan. So if something goes wrong: what I tell everyone is you can never be 100% safe. You always have to care for that 1% chance that something is going to happen. And in the event that thing does happen, you have a written plan for how to address that.

And then last but not least, your qualified individual, whether that’s an outside provider or an inside resource, they have to report to your board or your owner. So they’re making sure that there’s no plausible deniability from the C-suite anymore. You can’t say, “I didn’t know this was happening.” There have been too many scenarios where people have just said, “I wasn’t aware, I didn’t know this was going on, I didn’t know that we needed to do this.” And that’s just not going to be an acceptable excuse anymore.

So a great update, I think, from the FTC. But yet again, another federal agency pushing down rules that might contrast with a different agency. So all this is a lot to keep up with. If you’re wondering how this applies to your organization, feel free to reach out. We run a free IT double-check, and it touches on pretty much all the pieces here and will help you begin your risk assessment and really understand where you lie and where the gaps are in terms of alignment to the Safeguards ruleset. So thanks so much for watching. If you like the video, like it below, and if you have any questions, feel free to DM us. Once again, Matt from ProSource, Director of Business Development. I hope you have a great day. Thanks. Bye.
