Compliance Must Be in Effect By June 9; Prepare Now to Avoid a Scramble
The new deadline for FTC Safeguards Rule compliance is coming up, and there is no guarantee it will be extended again. Affected businesses that provide “financial services,” including real estate agencies and individual appraisers, must take steps now to meet the deadline without scrambling to find support.
Last October, Protect Now published an overview of who must comply with the Safeguards Rule, what compliance requires and who can serve as a qualified individual under the law. In brief, businesses of any size, even a single employee, that routinely collect sensitive personal information for the purpose of issuing, originating, or facilitating financial transactions, or who gather sensitive personal information for professional referral purposes, must comply with the new rules.
The Safeguards Rule requires affected businesses to employ a Qualified Individual, generally someone with a professional background in cyber security, to assess existing operations, address vulnerabilities, train staff on cyber security, develop response and recovery protocols and report on compliance efforts. Noncompliance can trigger fines of $43,972 per violation per day.
There are two things you should do now to ensure compliance.
Step 1: Hire a Qualified Individual
Unless you have a professional background in cyber security, you will need to hire someone for this role. Most small businesses simply need a part-time Chief Information Security Officer, known as a Fractional CISO or Virtual CISO. Find a provider that offers Safeguards Rule compliance.
Businesses that have built their own software or apps, either for public-facing or back-office functions, may need to consider a full-time CISO to manage the additional risks and vulnerabilities of custom solutions.
As the deadline draws closer, the United States may discover that it lacks enough Qualified Individuals to meet the surge in demand. Secure those services now, or you could find yourself noncompliant on June 9.
Step 2: Schedule Employee Training
Employee cyber security training is a required component of Safeguards Rule compliance. Training must address phishing attacks, as well as best practices for handling, transmitting and storing sensitive personal information.
There are no specific guidelines for the format or content of the training, only that it must use methods known to be effective. Training will, at least, be simpler to come by as the deadline nears, as most training companies offer an eLearning solution with no limit on users.
Step 3: Consider the Benefits
While the Safeguards Rule may seem like an onerous and expensive addition to your business’ costs, it also does a lot of good. Businesses in compliance will enjoy far lower risks of data breaches and cyber attacks, and they will have policies, procedures and paperwork in hand if an attack does occur. Being prepared can reduce downtime and lost business. It also will help to protect your reputation and promote customer goodwill.
Those are benefits that businesses with CISOs have enjoyed for some time, and the Safeguard Rule will extend those benefits to a greater number of U.S. businesses. Compliance may be challenging, but it also presents an opportunity to protect your business against the even greater challenges and costs of digging out from a data breach for which you were not prepared.
Protect Now offers in-person and online CSI Protection Certification training that is eligible for CE credits in many states. We encourage you to contact us now to schedule in-person employee cyber security training if you wish to offer it to your staff, organization or professional services group.
Subscribe to CommentsComment