The rules of the game have changed. New regulations relating to data security are rapidly appearing, and every business needs to understand the actions required to achieve compliance. If you don’t, potential fines and other stiff penalties loom alongside erosion of customer trust and glaring cybersecurity problems. Even if your business doesn’t fall directly under the FTC Safeguards Rule today, working toward compliance is still critical. Additional rules and regulations are imminent and are likely to apply across all industries that handle consumer data. A few steps in the right direction now can reduce the risk of problems both today and in the future.
Over the coming weeks and months, we’ll examine compliance in depth. The goal is to give you and your business a thorough understanding of current regulations and pending developments and a look into the future of how and why you need to comply. The sooner steps are taken towards this, the better prepared your business will be to handle potential threats and navigate data breach incidents when they occur. Below are some key components surrounding current FTC compliance and a look beyond at some of the developments and related issues likely to appear this year or at some point soon.
Compliance at a Glance
Data security concerns have been an evolving issue for years now. What once was a wild and unregulated area of business has strongly shifted towards stricter regulations intended to improve data security for the benefit of consumers and businesses alike. While nearly all of the current rules already in place or looming down the road are directed at businesses, the regulators implementing them aim to improve cybersecurity measures for everyone.
Director of the FTC’s Bureau of Consumer Protection, Samuel Levine, says that “entities that collect sensitive consumer data have a responsibility to protect it” and that “the updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”
With high-level regulators such as the FTC in the mix, the importance of compliance is evident. But it’s also imperative to note that businesses of all sizes should remain aware of security compliance rules even if they don’t yet fall under direct regulation. Small and medium-sized business owners can take action today to set up safeguards to meet compliance rules down the road.
Compliance Need Not Be Costly
Working towards compliance does come with inherent costs. If your business falls under the FTC Safeguards Rule, you’ll need to designate a qualified individual to implement and secure an information security program and run a risk assessment. These tasks might require extra resources or finances to reach compliance. But there are also solutions that can streamline the process and limit costs – a far more manageable approach than attempting everything on your own and then dealing with fines and other penalties when a breach occurs.
Does Your Business Need to Comply?
Only some businesses currently fall under the FTC Safeguards Rule mandate. However, don’t succumb to the false assumption that working toward compliance isn’t necessary just because your company doesn’t yet face direct regulation. More regulations and rules are imminent, and the more you do to bring your business in line with them now, the better positioned you will be in the near future.
Most businesses that do fall under the Safeguards Rule are in the financial sector in some way. If you are under this umbrella, immediate steps should be taken to reach compliance by the new deadline of June 9th, 2023. In a future article, we’ll examine the specifics of this rule and compliance in-depth, but for now, know that your business faces fines of up to $46,000 per violation if it doesn’t meet the new requirements.
Some examples of businesses that must follow the newly mandated Safeguards Rule include banks and banking companies, financial advisors, wealth management firms, mortgage companies, accountants, tax preparers, appraisers, car dealerships, and finance companies. This is not an exhaustive list. The rule defines a financial institution as “any institution the business of which is engaging in activity that is financial in nature or incidental to such financial activities.”
Additional Compliance Requirements for 2023
The FTC Safeguards Rule was first operative way back in 2003 and was amended in 2021 to reflect more modern cybersecurity safeguards. After some additional back and forth with regulators, the June 9th, 2023, deadline was established for financial institutions to reach full compliance or face penalties.
Some of the additional compliance requirements spelled out in the rule for 2023 include the following:
- Designate a Qualified Individual responsible for developing, overseeing, monitoring, and enforcing your business’s information security program.
- Conduct periodic risk assessments and use them to guide the continued updating and enforcement of your information security program.
- Implement customer information safeguards to control the risks identified in those risk assessments.
- Perform continuous monitoring or, alternatively, annual penetration testing and twice-yearly vulnerability assessments.
- Implement policies and procedures to ensure employees properly carry out the information security program.
- Ensure that service providers or third parties with access to your customer information maintain safeguards commensurate with your own information security program.
- Have a written incident response and mitigation plan in place that lays out the process for responding to any breach that exposes or compromises customer information your business maintains.
- Have the designated Qualified Individual report in writing, at least annually, to the business’s board of directors or equivalent governing body on the state of information security controls.
An Effective Solution
Reaching compliance may seem complicated, but it doesn’t have to be. LibertyID Business Solutions is a highly effective means to meet most of these rules while also implementing safeguards that go above and beyond to meet ongoing security needs. This solution will significantly improve the safeguards surrounding your consumers’ private data while also moving your business toward a compliant posture with all federal and state regulations.
LibertyID provides full-service, fully managed identity fraud restoration to its subscribers, with a 100% success rate in resolving all 31+ forms of identity fraud. LibertyID Business Solutions provides business fraud remediation, full pre-breach preparation with custom WISP protocols, post-breach regulatory response, customer and employee identity fraud restoration management, advanced employee training, and third-party vendor management tools.