Keeping customer data secure doesn't just make good business sense; for many companies it is a legal requirement. Under the amendments to the FTC Safeguards Rule announced in October 2021, that requirement now applies to far more types of organizations than before.
With civil penalties that can reach $46,516 per violation, it is critical to know whether your business is covered and what you must do to comply. This article addresses both questions.
Who must comply with the new Safeguard Rule?
Below are examples of organizations that meet the "financial institution" definition under the updated Safeguards Rule:
- Retailers that extend credit by issuing their own credit card directly to consumers
- Automobile dealerships that lease vehicles long term (longer than 90 days)
- Organizations that appraise real estate or personal property
- Career counselors that specialize in serving people employed by, or recently displaced from, a financial organization
- Businesses that print and sell checks for consumers, or that regularly wire money to and from consumers
- Businesses engaged in check cashing services
- Income tax return preparers
- Travel agencies operated in connection with financial services
- Real estate settlement services
- Mortgage brokers
- Colleges and universities that accept Title IV funds
The exact definition is in the rule text at 16 CFR 314.2(h).
What are the new requirements?
Under the new rule, all organizations classified as "financial institutions" must do the following:
- Designate a "Qualified Individual" to plan, oversee, and enforce the administrative, technical, and physical safeguards
- Develop, implement, and maintain a written information security program
- Complete a written information security risk assessment
- Design and implement safeguards to control the risks identified in the risk assessment
- Regularly test or monitor the effectiveness of those safeguards (the rule itself does not require that the testing be performed by a third party)
- Provide security awareness training to staff
- Oversee third-party service providers, including periodic assessments of them
- Establish a written incident response plan
- Have the Qualified Individual report in writing to the board of directors (or equivalent governing body) periodically, and at least annually
Specific IT data security practices the rule mandates include:
- Access controls, including periodic review of who can access customer information
- Multi-factor authentication for any individual accessing any information system, unless the Qualified Individual has approved in writing a reasonably equivalent or more secure control
- An inventory of data, personnel, devices, and systems, with customer information classified accordingly
- Continuous monitoring, or else annual penetration testing plus vulnerability assessments at least every six months
- Encryption of all customer information at rest and in transit; where encryption is infeasible, effective alternative compensating controls reviewed and approved by the Qualified Individual
What are the exemptions?
Financial institutions that maintain customer information on fewer than 5,000 consumers are not required to produce a written risk assessment, conduct continuous monitoring or penetration testing, prepare a written incident response plan, or prepare an annual report.
However, companies below the 5,000 threshold must still conduct risk assessments, implement a written information security program, evaluate and adjust that program, oversee service providers, and train employees.
For smaller companies, the 5,000 figure may be easier to surpass than you think, because it counts every consumer whose information you retain, not just current customers. Credit applications alone, at 84 per month with a 5-year retention period, add up to about 5,040 consumers on file, which exceeds the limit.
When is the deadline?
All organizations that meet the new "financial institution" definition were originally required to comply by December 9, 2022. The FTC subsequently extended the deadline for most of the new requirements by six months, to June 9, 2023.
How can InfoNetworks help?
InfoNetworks, with its proprietary CyberSecure endpoint security software, can assess your current level of compliance and develop a plan to get you compliant as soon as possible. Schedule a demo today.