FTC Safeguards Rule - 10 Steps to Create a Compliant Information Security Program

Actionable advice for security newbies and veterans alike on how to meet and exceed the data security requirements of the FTC Safeguards Rule.


It's been a couple of months since we shared information about the updates coming into effect for the FTC Safeguards Rule. For those who don't recall, the updated Rule forces millions of organizations to re-examine and strengthen their customer data security programs.

When it takes effect in just under two months, the new edition brings two major changes. First, it spells out concrete safeguards that companies must implement to secure their customers' personally identifiable information (PII) in order to be in compliance, rather than leaving "reasonable security" to interpretation.

Second, the updated Rule broadens the definition of "financial institution" (it now explicitly covers "finders" that bring together buyers and sellers of financial products) and applies to any business significantly engaged in financial activities that holds customer PII or personally identifiable financial information (PIFI), whether or not it thinks of itself as a financial institution.

Retailers that extend credit, auto dealers, real estate-related businesses, colleges and universities and other organizations outside the financial services industry are therefore potentially subject to the FTC's mandated information security program, including the nine elements laid out by the agency.

While the FTC has published a guide to complying with the Safeguards Rule, many companies still need help. Since protecting customer data is in FileInvite's DNA, here is our advice on building an information security program that meets, and exceeds, each of the FTC's nine requirements.

1. Ensure your Qualified Individual has both a Business AND a Technical/Security Background.

The FTC requires each company to designate a "Qualified Individual" to manage its information security program, but provides few formal requirements for who that person must be. They can be an employee or work for an outside service provider, and they can hold any degree or job title.

What matters is that your Qualified Individual understands both the IT and security systems and the business processes involved in handling customer personal data.

Picking someone from your cybersecurity team may sound like the obvious choice. However, someone who can deploy a web application firewall or hunt intruders may not understand how to keep customer data private throughout its entire lifecycle, from collection through use, sharing and disposal, or how to balance business needs against compliance obligations.

Someone on your business or legal team might actually be the better choice to wear both hats and balance both goals, provided they have a technical lead to lean on.

2. Think of Risk Assessment as a Continuous Process, Not an Occasional Event.

The new Safeguards Rule tasks companies with producing a written risk assessment before building their information security plan, and with "conducting periodic reassessments" afterwards.

That is necessary but not sufficient. A periodic assessment is a point-in-time snapshot, and customer data moves between systems, vendors and employees every day, so the snapshot starts going stale the moment it is signed off.

If your company wants to do more than comply with the letter of the Rule and actually prevent data loss, pair the written assessment with software and cloud services that continuously inventory where customer personal data lives and who can access it. That way the next reassessment reflects current reality rather than last quarter's.

3. Don’t Just Deploy the Mandated Safeguards — Take Other Steps to Reduce Your Attack Surface.

The FTC describes eight technical safeguards it expects companies to deploy, including access controls, an inventory of the data and systems in scope, encrypting customer data at rest and in transit, assessing the apps that handle customer information, deploying multi-factor authentication for anyone accessing customer information, logging and monitoring user activity, change management, and securely disposing of customer information no later than two years after it was last used to serve the customer (unless retention is required by law or for a legitimate business purpose).

There are other steps that can cut your data risk further. For instance, reducing content sprawl by deleting redundant data repositories makes it easier to track and protect your data, as does finding and shutting down unused or duplicate data pipelines. Companies may also scale back BYOD to allow fewer personal devices, or tighten mobile app access to customer data. Every copy you eliminate is one fewer copy to encrypt, monitor and eventually dispose of.
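As an added example (this is not FileInvite's code and not anything the FTC publishes), the following Python script shows one way to operationalise the disposal safeguard described above: it reads a constructed export of customer records with a last-use date and a hold flag, computes each record's two-year disposal deadline, and classifies the record as dispose, due_soon, hold or retain. The column names, the 30-day warning window and the sample rows are assumptions made for illustration; in practice the export would come from the data inventory the Rule already asks you to maintain.

```python
"""Retention sweep: flag customer records whose two-year disposal deadline
has passed (or is approaching), while respecting records on hold.
Added illustration, not FileInvite code; field names and sample data are assumed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List

# Constructed sample export. In practice this would be pulled from your
# customer data inventory rather than embedded as a literal string.
SAMPLE_EXPORT = """record_id,last_used,hold
C-1001,2022-01-15,no
C-1002,2022-05-20,no
C-1003,2022-06-15,no
C-1004,2023-09-01,no
C-1005,2021-11-30,yes
C-1006,2020-02-29,no
"""


@dataclass(frozen=True)
class CustomerRecord:
    record_id: str
    last_used: date  # last date the data was used to serve this customer
    hold: bool       # True when retention is required for a legitimate business purpose


def load_records(export_csv: str) -> List[CustomerRecord]:
    """Parse the (assumed) CSV export into records."""
    reader = csv.DictReader(io.StringIO(export_csv))
    return [
        CustomerRecord(
            record_id=row["record_id"],
            last_used=date.fromisoformat(row["last_used"]),
            hold=row["hold"].strip().lower() == "yes",
        )
        for row in reader
    ]


def disposal_deadline(last_used: date) -> date:
    """Two years after last use; Feb 29 rolls back to Feb 28 in a non-leap year."""
    try:
        return last_used.replace(year=last_used.year + 2)
    except ValueError:
        return last_used.replace(year=last_used.year + 2, day=28)


def classify(records: Iterable[CustomerRecord], today: date,
             warn_days: int = 30) -> Dict[str, str]:
    """Map each record_id to one of: dispose, due_soon, hold, retain.

    A hold wins over an expired deadline so nothing under legal or business
    hold is deleted by the sweep; such records still need a documented reason.
    """
    result: Dict[str, str] = {}
    for rec in records:
        deadline = disposal_deadline(rec.last_used)
        if rec.hold:
            result[rec.record_id] = "hold"
        elif deadline <= today:
            result[rec.record_id] = "dispose"
        elif deadline - today <= timedelta(days=warn_days):
            result[rec.record_id] = "due_soon"
        else:
            result[rec.record_id] = "retain"
    return result


def sweep(export_csv: str, today_iso: str, warn_days: int = 30) -> Dict[str, str]:
    """Convenience wrapper: classify an export as of the given ISO date."""
    return classify(load_records(export_csv), date.fromisoformat(today_iso), warn_days)


if __name__ == "__main__":
    # Fixed "today" so the report is reproducible; use date.today() in production.
    for rec_id, status in sweep(SAMPLE_EXPORT, "2024-06-01").items():
        print(f"{rec_id}: {status}")
```

Rows classified as "dispose" would feed a deletion workflow that records what was destroyed and when, since you need evidence of disposal for your annual board report. Rows on "hold" should carry a written business justification and be re-examined at the next risk reassessment, so the exception does not quietly become permanent retention.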

4. Hire Experts to Test the Effectiveness of Your Safeguards.

If this is your first time standing up an information security program, you will not yet have the expertise to judge whether your safeguards actually work. The Rule is specific here: unless you run continuous monitoring, it expects annual penetration testing and vulnerability assessments at least every six months. Rather than having your in-house IT or cybersecurity staff run a few penetration tests on a weekend, engage an experienced third-party cybersecurity firm to perform those tests and assessments, and keep their written findings and your remediation records, since they feed the annual report to your board.

5. Make ALL of your Staff Accountable for FTC Safeguards Rule Compliance.

If only your Qualified Individual and cybersecurity/IT team are trained on how to comply with the Safeguards rule, then other employees will keep creating problems. Developers will keep building insecure apps and data pipelines. Business-side workers will flout rules in order to chase sales.

So don’t just train your employees on the importance of the Safeguards — make secure handling of customer data one of their KPIs. That way, you stop potential data privacy problems at the source.

6. Spell out Compliance SLAs and KPIs in your Service Provider Contracts.

In the cloud era, much if not most of your customer personal data is hosted by managed service providers (MSPs) and cloud vendors, and the Rule makes you responsible for overseeing them.

Besides choosing vendors with demonstrated security capabilities, sign contracts that hold them to measurable Service Level Agreements (SLAs). That means cybersecurity KPIs around vulnerability patch turnaround, incident notification time, incident rates, and the like. The Rule also expects you to periodically reassess your service providers based on the risk they present, so build the reporting obligations into the contract that make that reassessment possible.

7. Keep Infosecurity Simple, Stupid!

The simpler your information security program can be, the more effectively you will protect your customer data.

The KISS principle ("Keep it simple, stupid!") applies with full force to cybersecurity: every extra repository, pipeline and integration is another place data can leak and another thing you must monitor and audit. That is why reducing content sprawl, and with it your customer data attack surface, is so helpful.

8. Practice Your Written Incident Response Plan.

The FTC requires companies to maintain a written incident response plan for security events affecting customer information.

Rehearsing that plan is not mandated, but it matters as much as writing it. A tabletop exercise that walks the team through a realistic breach scenario exposes gaps in contact lists, escalation paths and evidence handling before a real incident does, and the Rule expects the plan to cover exactly those points: roles and responsibilities, internal and external communications, remediation, documentation of the event, and post-incident review.

9. Choose a Qualified Individual Who Is Influential — But Not Too Senior.

The FTC requires the Qualified Individual to report in writing to your company's Board of Directors (or equivalent governing body) at least annually on the overall status of the program and on material matters such as risk assessments, test results, security events and recommended changes.

A Chief Security Officer (CSO) might seem ideal because of their seniority. But your CSO may be too busy to personally manage FTC compliance.

A veteran mid-level manager may be a better choice. They will have the bandwidth to own and execute the customer data privacy program, and are senior enough for the board to take them seriously.

10. Upgrade from Legacy, Risky Technologies.

Sending sensitive documents by email is convenient and commonplace. It is also very hard to secure: attachments sit unencrypted in inboxes, get forwarded beyond your control, and leave copies on every mail server along the way, none of which you can reliably inventory, monitor or dispose of. Replacing a legacy channel like this with a purpose-built alternative can be a quick win that, like consolidating multiple customer databases, reduces your attack surface AND improves your FTC compliance.

To learn more and request a demo, visit FileInvite today.
