Is your business impacted by the new FTC Safeguards?
Are you a financial institution according to the FTC? A financial institution means "any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution." Examples of newly defined financial institutions include the following types of businesses:
• Account Servicers
• Accountants
• Any business that wires money
• Auto Dealers
• Businesses that print checks
• Career Counselors
• Check Cashers
• Collection agencies
• Companies that act as Finders – i.e. if you offer your clients third-party financing
• Credit Counseling Service
• Estate & Probate Attorneys
• Financing Companies
• Investment Advisory Company
• Mortgage Brokers & Lenders
• Payday Loan Providers
• Real Estate Appraisers
• Retailers that offer credit cards
• Tax Preparation Firms & CPAs
• Title Agencies
• Travel Agency in connection with Financial Services
What's required
Read the full requirements of the law at https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314.
This law is effective in June 2023. In summary, your business must do the following:
• Have a designated security officer (internal or external) who is responsible for designing, maintaining, and enforcing your information security program
• Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information – covering both technical and physical safeguards
• Have a written risk assessment with a plan of action and milestones to mitigate those risks*
• Design and implement safeguards, including data identification, data encryption, multi-factor authentication, data retention policies, and system logging
• Conduct regular penetration testing and security assessments*
• Implement the required policies and procedures
• Provide security awareness training
• Oversee your service providers
• Evaluate and adjust your information security program on a regular basis
• Have a written incident response plan*
• Provide annual reports to your Board of Directors, or senior management, on the status of the program and the organization’s compliance with it*
Contact us today to schedule a review for your organization
* Requirement is waived if you have records for fewer than 5,000 consumers.