Safeguarding consumer information is critical when managing data, handling online transactions, and maintaining brand strength. Customers must know that their information is in good hands, secured, and preserved in case of emergency or breach event. Accomplishing this is a matter of establishing strong security policies and integrating them into IT infrastructure.
More than that, it’s a requirement set out in FTC guidelines and policies. The Federal Trade Commission is responsible for establishing security rules for a lot of things, and consumer information is no different. That’s why any business, especially one that collects and manages user data, must make sure it’s up to code.
The FTC code is the Standards for Safeguarding Customer Information, also known as the Safeguard Rule. This is the modus operandi by which all businesses operate (or should) when utilizing tools, guides, and strategies to shield consumer information.
These days, threats to personal data are spreading rapidly. Phishing methods and ransomware evolve on a daily basis, growing like wildfire. Therefore, it’s imperative to follow the FTC’s procedures and make sure internal infrastructure is up to code. If nothing else, avoiding regulatory penalties is a major benefit of following the FTC’s Safeguard Rules.
What to know about the Safeguard Rules
The Safeguard Ruleset has existed for over a decade, since 2003. But as technology changes, so has the ruleset, to keep pace. It is, as mentioned, a foundation on which businesses must build their security and data protection policy.
As you can see, it’s a big document with a lot of rules to cover. We’ll help out by clarifying some of the definitions. The key is to find out whether they apply to you or not. Consider that you may find your business falling under the FTC’s definition of a “financial institution” where previously this was not the case.
It’s important to see if you fall under these new guidelines, whether as an established company or a new business. The primary goal is to see if you fit the financial institution definition under the FTC guidelines, which is done by understanding how you conduct business, not how you define your business.
The guideline rules we’ve linked to will help you define this, specifically under section 314.2(h). Some examples include institutions that handle financial transactions. Others may be dealerships, financial brokers, “finders,” and mortgage brokers, to list a few. However, online business models have changed what’s defined as a financial institution, which is why it’s important to check if you fall under the Safeguard Rules.
Finders, for instance, are a good example of modern business models. Finders help negotiate between buyers and sellers as a mediating party. Because of how that business is conducted and the data it handles, a finder is a financial institution fitting the category.
Unless you’re exempt, it’s important not only to check if you fit the definition, but also to routinely check the Safeguard Rules. As your organization grows, so will the technology, data, and IT involved with your operations.
My company fits the FTC definition of a financial institution, what do I have to do?
If after review you’ve found your organization does fall under the FTC requirements, you’ll want to know the next step. Primarily, your goal will be to create and maintain a database that protects consumer information. This requires systems for the transfer of data, digital and physical. Note that this data includes “nonpublic personal information,” such as transaction history, payment methods, addresses, and contact information.
Given the absolute data deluge we experience and how many systems collect detailed customer information, it’s safe to say this is a wide net, and it is better to be safe than sorry.
How do you do this? By building an information security program. This is the nexus through which you’ll handle all security policy related to consumer data, including its safeguards (digital and physical) and how it’s transferred, stored, and scaled. In other words, the program must fit the size of your business. This is your security bible, the blueprint by which you’ll build a comprehensive security infrastructure.
Note that this isn’t just for your benefit, or the clients you work with. This is necessary to avoid regulatory fines and penalties. You’ll need to have this plan written, fitting the scale and needs of your enterprise.
How and what goes into this foundation varies from company to company, and we can’t give you an exact template based on your unique situation. However, there are fundamentals that go into these plans regardless of the broker, company, or business involved with customer data.
Whatever your own goals, the following goals must be met to satisfy the FTC’s Safeguard Rules.
You must protect and safeguard customer data integrity, along with its confidentiality and privacy.
Your plan must offer strategies for repelling known digital threats, old and new, while maintaining strategies for addressing newly introduced cyber threats.
You must prevent, or prepare for, intrusions that would otherwise steal, compromise, or damage customer information.
Those are the core goals, and the tenets you’ll operate from when building your security plan. If that sounds hard, well, that’s because it is. Cybersecurity threats and dangers to personal data, much less customer information, are numerous. But it’s also why establishing a strong policy at the core of your IT and cybersecurity plans is so critical.
Now that you have an understanding of the FTC Safeguard rules and why they’re important, you’ll want to know how to build the right one. We’ll discuss that in our next article.
Bytagig is dedicated to providing reliable, full-scale cyber security and IT support for businesses, entrepreneurs, and startups in a variety of industries. Bytagig works both remotely and with on-site support in Portland, San Diego, and Boston. Acting as internal IT staff, Bytagig handles employee desktop setup and support, comprehensive IT systems analysis, IT project management, website design, and more. Bytagig is setting the standard for MSPs by being placed on the Channel Futures NexGen 101 list.