FTC Safeguards Rule – Do I have to comply?
If you’re a CPA or other tax preparer handling non-public personally identifiable information (PII), you’ve likely seen articles about the newly updated FTC Safeguards Rule.
Enforcement of the updated Rule begins on June 9, 2023. The Rule requires that “financial institutions [must] develop, implement and maintain an information security program with administrative, technical and physical safeguards designed to protect customer information.”
As a tax preparer, it falls on you and your company to implement a cybersecurity program that protects your clients’ data. The Rule spells out nine elements that such a program must contain.
You’re probably busy this time of year, so we’ve summarized those nine elements into key takeaways below. The FTC Safeguards Rule requires companies to:
- Designate a qualified individual to oversee and implement the information security program
- Conduct a written risk assessment and revisit it periodically
- Limit and monitor who can access customer information, and keep an inventory of the systems that hold it
- Encrypt customer information both in transit and at rest
- Train all staff in security awareness, and keep the people running the program current on threats and countermeasures
- Develop a written incident response plan
- Oversee service providers: choose ones capable of protecting customer information, require them by contract to do so, and periodically assess their practices
- Implement multi-factor authentication, or another method with equivalent protection, for anyone accessing customer information
- Have the qualified individual report in writing, at least annually, to your Board of Directors or equivalent governing body
“Who is affected by the FTC Safeguards Rule?”
Persons and entities affected by the FTC Safeguards Rule are those that fall under the current definition of a financial institution.
According to the FTC’s official page on the Safeguards Rule, a financial institution “means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.”
The FTC Business Guidance webpage gives the following non-exhaustive list of covered entities:
- Mortgage lenders and mortgage brokers
- Motor vehicle dealers
- Payday lenders
- Finance companies
- Account servicers
- Check cashing companies
- Wire transferors
- Collection agencies
- Credit counselors and other financial advisors
- Tax preparation firms
- Non-federally insured credit unions
- Investment advisors that aren’t required to register with the SEC
The FTC notes that even if your business wasn’t covered by the original version of the Rule, your operations have likely evolved over the past 20 years, so it is worth re-checking. The bottom line: if your business fits this definition of a financial institution and handles customers’ non-public personal information, you are subject to the updated Rule and must act now to avoid an FTC investigation or worse.
“What are the consequences of non-compliance?”
Ignoring the new requirements is an option, but it could cost your company far more in the long run than you’d expect. If your company experiences a data breach, here’s what could happen:
Breach costs.
- Your data is more valuable than you think. According to IBM’s 2022 Cost of a Data Breach Report, the average breach in the United States costs $9.44 million, more than $5 million above the global average.
Litigation risks.
- Your company could be sued in case of a security breach. Cases where you have to notify victims after a breach significantly increase the risk of litigation.
Expensive fines.
- FTC enforcement is civil, not criminal. The agency’s main lever is a consent order, and violating such an order can bring civil penalties of over $43,000 per violation per day (an amount adjusted annually for inflation), with each day of continued non-compliance counted separately.
Extensive penalties.
- Your company could face long-term consent decrees or extensive injunctive relief, which could significantly stifle your business operations.
Reputational damage.
- The ripple effect of a security breach should not be underestimated. Not only will it erode your customers’ trust, but it will also damage your relationships with affiliates and suppliers.
“How can I make sure I comply with everything?”
If you’re concerned about the requirements of the FTC Safeguards Rule and what might happen if you don’t comply, we can help.
We’ve hosted an informational webinar on the subject, and we can help you become compliant with the Safeguards Rule.
Book a call with us to discuss your current situation, or contact us with any questions or concerns you may have about the FTC Safeguards Rule or any other IT matter.
Entrust your business to a team of reliable and responsive experts; you won’t regret it.
The post FTC Safeguards Rule – Do I have to comply? appeared first on Blue Light IT.
from: https://www.bluelightit.com/ftc-safeguards-have-to-comply/