Are you ready?
6/2/2023 11:30 A.M.
This Friday, June 9, is the deadline for compliance with the Federal Trade Commission’s Safeguards Rule. The Safeguards Rule requires institutions that engage in significant financial activities to have measures in place to keep customer information secure.
The cornerstone of Safeguards Rule compliance is the implementation of a comprehensive Written Information Security Program (WISP). This program serves as a roadmap for safeguarding consumer information and must include the following key elements, as Section 314.4 of the Safeguards Rule describes:
- Designate a Qualified Individual to implement and supervise your company’s information security program (this individual may be a service provider).
- Conduct a written risk assessment. Base your security program on the initial risk assessment, and perform periodic additional risk assessments.
- Design and implement safeguards to control the risks identified through your risk assessment. Periodically review access controls, encrypt customer information, and develop procedures for the secure disposal of customer information, among other safeguards.
- Regularly monitor and test the effectiveness of your safeguards through continuous monitoring of your systems. If you do not implement continuous monitoring, you must conduct annual penetration testing as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly known security vulnerabilities.
- Provide your people with security awareness training and schedule regular refreshers.
- Monitor your service providers. Select service providers with the skills and experience to maintain appropriate safeguards.
- Keep your information security program current.
- Create a written incident response plan.
- Require your Qualified Individual, in writing, to report to your Board of Directors. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program.
For a full explanation of these requirements, see 16 CFR § 314.4.
If you are a business that maintains customer information for fewer than 5,000 consumers, then you do not need to comply with certain provisions of the rule. Refer to this blog post for more information.
Complying with the Safeguards Rule is not just a legal requirement; it is an essential step toward protecting consumer data and maintaining trust. Failing to comply with the regulation can lead to severe consequences, including financial penalties, reputational damage, and potential legal action. By prioritizing compliance, businesses demonstrate their commitment to data security, foster consumer confidence, and mitigate the risk of data breaches.
Are you ready? Do you still have some things to “iron out”?
The sooner you get started, the better. It certainly can be a big burden for small businesses to create, maintain, and own such a comprehensive security program, but you don’t need to go it alone.
ACA has tapped TPx as its Safeguards Security Partner of Choice. We can guide you through the process and help your company reach a defensible compliance posture under the rule.
With unique solutions at discounted pricing for ACA members, you’ll find that the list of requirements is not only attainable, but also manageable.
Find more information and get started at TPx.com/ACA.