The amended FTC Safeguards Rule requires financial institutions under FTC jurisdiction (non-bank businesses such as auto dealers, mortgage brokers, and tax preparers) to develop, implement, and maintain a written information security program to protect their customers' private information. The Rule covers not only the information of the customers you deal with directly, but also customer information you receive from other financial institutions. While the new regulations give the general public a higher level of comfort, they also add complications to the life of a business owner.
As the leader of a business affected by these guidelines, you may feel confused and uncertain about these new regulations, or maybe you’re just unsure exactly how to put them into practice in your organization.
The experts at DanTech Services offer their guidance below on the best ways to protect your customers and bring your business into compliance with the latest federal mandates. DanTech Services can also help remediate any breaches that may have already occurred. The remaining provisions of the amended Rule, which spell out what an information security program must contain, took effect June 9, 2023.
Let’s take a closer look at what a reasonable information security program includes:
Designation of a qualified individual to oversee the program – This supervisor will take ownership and be responsible for establishing, enacting, and enforcing this program, as well as reporting regularly (at least annually) to the Board or a similar governing body. This individual can be an employee of your company or can work for an affiliate or service provider.
A written risk assessment – When conducting your risk assessment, you should take a good inventory of all personally identifiable information (PII) you have stored, noting where you have it stored, who has access to that information, and what risks threaten the integrity of that information. All aspects of the information you retain must be explored before you can determine the best practices to secure it.
Monitored and limited access to sensitive customer information – Your security program should also record who has access to customer information and reevaluate regularly whether each of those employees still has a legitimate business need for it. Keep employees on the access list only as long as they need access, and remove them promptly when they change roles or leave.
Encryption of all sensitive data – Encrypt all customer information at rest on your systems and in transit over external networks; data in transit should be protected with Transport Layer Security (TLS). Where encryption is infeasible, the Rule allows effective alternative compensating controls, but only if your Qualified Individual has reviewed and approved them in writing. Also consider encrypting e-mail that carries customer information within your business.
Specialized training in security awareness – The best way to ensure your employees remain active participants in your security program is to keep them aware of current cybersecurity threats and the dangers they pose. Your employees have eyes on different parts of your business, and as long as they remain vigilant and tuned in, your information security program's effectiveness will be multiplied.
Incident response and recovery plan – Hope for the best, but prepare for the worst, as the wise adage reminds us. No matter how well planned your information security program is, there's always a chance that something will go wrong. Your company may suffer a "security incident," and you are required to have a written plan in place beforehand to reduce the impact it could have on your business, your employees, and your customers.
Periodic monitoring of service providers to ensure they meet security expectations – The contracts you sign with your service providers should explicitly state the safeguards you require of them and include a provision for regular monitoring and reassessment of their performance.
Use of multi-factor authentication to add an extra layer of security – For anyone accessing customer information on your company's systems, the FTC Safeguards Rule requires authentication using at least two of the following factor types: a knowledge factor (for instance, a password), a possession factor (for example, a one-time code generated by a token or authenticator app), and an inherence factor (for example, a fingerprint). A password plus a security question is two knowledge factors, not multi-factor authentication. The only exception is when your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.
DanTech Services can scan networks for PII (Personally Identifiable Information), secure it through encryption, improve a company's security posture, deliver needed tools for other areas of management, and assist with the policies needed to fulfill FTC Safeguards Rule requirements. To enlist assistance with your information security program, please contact DanTech Services CEO, Dan Foote. Learn more about the company by visiting dantechservices.com/managed-services and completing an assessment request, call him directly at 907-885-0501, or email firstname.lastname@example.org.