Compliance as a Service
Keeping Your Data Security FTC Compliant
Maintaining customer financial data comes with legal responsibilities and potential liability.
Do you know if your system meets FTC requirements?
Safeguard Comply provides regular reviews of your data security systems. We identify gaps and help you implement solutions, so you stay in compliance with FTC regulations.
You focus on your business, and we’ll focus on your compliance.
FTC Standards
Nine Steps to FTC Compliance
In June 2023, the Federal Trade Commission (FTC) established new standards for data security for non-banking entities that handle customer financial data. The regulations apply to mortgage brokers, CPA firms, registered investment advisors, car dealerships, and more.
Unfortunately, data breaches are a regular occurrence. They can open your business up to civil and criminal prosecutions, especially if your security system is not in compliance with FTC regulations.
The FTC standards outline nine steps for businesses to develop and implement in their data security plans.
Responsibility
Identify an individual who is responsible for planning, implementing, and overseeing the plan. This person owns the plan, its management, and reporting.
Risk Assessment
Take a close look at internal and external threats to your customers’ private information. If your business manages data for 5,000 customers or more, your risk assessment must be in writing. Even if you don’t have 5,000 customers, this provision may still apply to you. We suggest that companies of any size have a written assessment.
Establish Safeguards
Safeguards to consider include:
- Password strength requirements and company policies
- Inactivity locks on device screens
- Electronic file storage systems, along with onsite cabinets and data storage rooms
- Encryption systems for data that is transmitted electronically
- Monitoring of inbound and outbound data transfers and access
- Shredding and disposal policies for documents and computer hardware
- Software updates and virus protection
- Firewalls
- Removal of systems access for terminated employees
- Data access, use, and transportation for remote work
- Access to data on public networks
- Identification processes for information requests from customers or third parties
- Rules regarding nonmonitored personal devices for accessing customer information
- Access by cleaning and building maintenance staff or other service providers not under direct contract
- Vendor engagement and monitoring
Testing and Monitoring
Staff Training and Auditing
Assessment of Service Providers
Continuous Improvement Program
New policies and procedures should be created to address these new risks.
Crisis Plan
Your data security program should include a detailed plan of how your business will respond if a data breach occurs. Roles and responsibilities should be clearly defined. This plan should be reviewed and updated regularly as part of the continuous improvement program.
Internal Reporting
The program should be evaluated annually and a report provided to leadership, outlining potential risks and available mitigation strategies.