Questions to ask about the new FTC Safeguard Standards

’Tis the season of tax prep, payments and refunds (if you’re among the lucky few). While consulting with your CPA this year, be sure to inquire about a new Federal Trade Commission rule that took effect in June 2023. The new Safeguards Rule expands cybersecurity requirements to non-banking businesses.

If your business is affected, suffers a cybersecurity incident and is found to be non-compliant, you can be subject to civil or criminal prosecution. Before panic sets in, have a conversation with your CPA this tax season to make sure you understand the rule’s framework, which requires nine defined steps that are easily understood. Here are questions to ask.

What are the new FTC Safeguard Standards?

The standards that went into effect in June 2023 are an expansion of the Federal Trade Commission Safeguards Rule, which previously required only banks to report data breaches to customers. Many business entities handle client financial transactions using digital systems and tools.

Imagine if a server, hard drive or laptop where critical information is saved were hacked. All of those passwords and customer data are now exposed and available to cybercriminals. The new standards require impacted businesses to have a written information security plan so they are prepared if a breach occurs. The plan safeguards your business and your clients.

Who is affected by the standards?

The rule affects a wide array of business types and sizes, including sole proprietors.

Simply put, if your business holds confidential client data, you might be affected. Entities include car dealerships, registered investment advisors, CPA firms, insurance companies and mortgage brokers, for example.

The rule specifically says: “The ‘financial institutions’ subject to the Commission’s enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. More specifically, those entities include, but are not limited to, mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms…”

Why are these new standards in place?

Since 2021, the Federal Trade Commission has taken additional steps toward protecting American consumer data and privacy through the expansion of the “Safeguards Rule.” With cyber theft continuing to increase, the nine steps in the rule are designed as concrete guidance.

How can I be sure my business complies?

Get a checkup. Safeguard Comply provides regular reviews of your data security systems. We identify gaps and help you implement solutions, so you stay in compliance with FTC regulations.

What’s involved in establishing the FTC standards?

The nine steps provide easy-to-follow guidelines for business owners, regardless of company size. A critical step involves establishing safeguards using best-practice cybersecurity processes and tools; for example, removing system access for terminated staff and establishing password policies. Other steps involve training staff on these best practices and having a crisis plan in place in case there is a breach.

What happens if I am non-compliant?

The FTC can impose penalties of up to $100,000.00 per violation, and directors and officers of the business can be personally fined. Liability does not stop with paying fines and/or penalties to the FTC. Affected consumers and employees can sue the company directly for breach of data privacy. There will also likely be damage to the business’s reputation that may impact company revenue and growth potential.

Bottom line, the cost of compliance is a lot less than the cost of non-compliance. Contact professionals for an analysis and guidance to create a nine-step plan now.