2023-03-13
With cybercrime at an all-time high, the federal government and other regulatory bodies are increasing efforts to protect people’s sensitive data. These efforts are placing higher demands on businesses that deal with data targeted by cyber criminals.
The Federal Trade Commission recently put forth a revised Safeguards Rule that affects financial institutions and non-financial institutions that engage in financial activities or provide financial services to customers. The rule, first enacted in 2003, requires financial institutions not subject to other regulatory schemes to implement safeguards to protect their customers’ personal information. The revised provisions of the Safeguards Rule, which were originally scheduled to go into effect on July 1, 2020 (but were delayed due to the COVID-19 pandemic), are now scheduled to go into effect in June.
The extension provides businesses with additional time to ensure compliance, allowing them to review their current information security practices and identify areas that need improvement. Compliance with the Safeguards Rule not only protects customers’ personal information but also helps businesses avoid reputational damage and financial losses that can result from a data breach or cyberattack.
CEOs and business owners that must adhere to these regulations should be planning to have the following provisions in place:
- Implement an information security program that is appropriate for their size and complexity.
- Designate one or more employees to coordinate the information security program.
- Identify and assess the risks to customer information in each relevant area of the business.
- Design and implement safeguards to control the identified risks. Based on the risk assessment, this may include access controls that restrict employee access to customer information, encryption of sensitive data, and network and device security controls.
- Regularly test or monitor the effectiveness of the safeguards. Financial institutions are now required to conduct vulnerability scans and penetration testing and to review logs for suspicious activity.
- Evaluate and adjust the information security program considering relevant circumstances, such as changes to the business or its operations.
Some businesses affected by this rule are mortgage lenders and brokers, title lenders, non-bank lenders, tax preparers, debt collectors, money transfer services, student loan servicers, auto dealerships that provide financing, real estate settlement service providers, insurance companies offering financial products and services, investment advisers and broker-dealers, and third-party service providers handling sensitive financial information on behalf of covered businesses.
Businesses should take steps to ensure that they are following the revised provisions by the new deadline. Failure to comply could result in enforcement actions by the FTC, including civil penalties and injunctive relief.
Aubri Stone is the vice president of Cybertools, an IT-support company headquartered in Puyallup. She can be reached at aubri@cybertools.us.