Questions to ask about the new FTC safeguard standards

'Tis the season of tax prep, payments and refunds (for your lucky clients). While consulting with your firm's clients this year, be sure to inquire if they're aware of a new Federal Trade Commission rule that went into effect in June 2023. The new Safeguards Rule expands cybersecurity requirements to nonbanking businesses. 

If an affected business has a cybersecurity incident and is found to be noncompliant, the owner can be subject to civil or criminal prosecution. These rules affect not just your clients, but also your business. Before panic sets in, take time to understand the rule's framework. Here are some questions to ask:

What are the new FTC safeguard standards?

The standards that went into effect in June 2023 are an expansion of the Federal Trade Commission Safeguards Rule, which previously required only banks to report data breaches to customers. Many business entities make client cash transactions using cyber systems and tools. 

Imagine if a server, hard drive or laptop where critical information is saved were hacked. All of those passwords and their customer data are now exposed, available to cybercriminals. The new standards require impacted businesses to have a written information security plan to be prepared if a breach occurs. The plan safeguards a business and its clients.

Who is affected by the standards?

The rule affects a wide array of business types and sizes, including sole proprietors. 

Simply put, if your business holds client confidential data, you are affected. Entities include car dealerships, registered investment advisors, CPA firms, insurance companies and mortgage brokers, for example.

The rule specifically says: "The 'financial institutions' subject to the Commission's enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. More specifically, those entities include, but are not limited to, mortgage lenders, 'pay day' lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms…"

Why are these new standards in place? 

Since 2021, the Federal Trade Commission has taken additional steps toward protecting American consumer data and privacy through the expansion of the Safeguards Rule. With cyber theft continuing to increase, the nine steps in the rule are designed as concrete guidance. 

How can I be sure a business complies?

Get a checkup of all data security systems to identify gaps and help implement solutions, so you and your clients stay in compliance with FTC regulations.

What's involved in establishing the FTC standards? 

The nine steps provide easy to follow guidelines for business owners, regardless of size of the company. A critical step involves establishing safeguards using best practice cybersecurity processes and tools. For example, remove system access for terminated staff and establish password policies. Steps involve staff training on these best practices and having a crisis plan in place in case there is a breach. 

What happens if my clients or I are noncompliant?

The FTC can impose penalties of up to $100,000.00 per violation, and directors and officers of business can be personally fined. Liability does not stop with paying fines and/or penalties to the FTC. Affected consumers and employees can sue the company directly for breach of data privacy. There will also likely be damage to business reputation that may impact company revenue and growth potential. The bottom line is, the cost of compliance is a lot less than the cost of noncompliance.