'Tis the season of tax prep, payments and refunds (for your lucky clients). While consulting with your firm's clients this year, be sure to inquire if they're aware of a new Federal Trade Commission rule that went into effect in June 2023. The new Safeguards Rule expands cybersecurity requirements to nonbanking businesses.
If an affected business has a cybersecurity incident and is found to be noncompliant, the owner can be subject to civil or criminal prosecution. These rules affect not just your clients, but also your business. Before panic sets in, take time to understand the rule's framework. Here are some questions to ask:
What are the new FTC safeguard standards?
The standards that went into effect in June 2023 are an expansion of the Federal Trade Commission Safeguards Rule, which previously required only banks to report data breaches to customers. Many businesses now process client financial transactions through networked systems and digital tools.
Imagine that a server, hard drive or laptop holding critical information is compromised: every password and customer record stored there is now exposed and available to cybercriminals. The new standards require affected businesses to have a written information security plan so they are prepared if a breach occurs. The plan safeguards both the business and its clients.
Who is affected by the standards?
The rule affects a wide array of business types and sizes, including sole proprietors.
Simply put, if your business holds confidential client data, you are affected. Covered entities include, for example, car dealerships, registered investment advisors, CPA firms, insurance companies and mortgage brokers.
The rule specifically says: "The 'financial institutions' subject to the Commission's enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act,
Why are these new standards in place?
Since 2021, the Federal Trade Commission has taken additional steps toward protecting American consumers' data and privacy through the expansion of the Safeguards Rule. With cyber theft continuing to increase, the rule's nine steps are intended as concrete guidance.
How can I be sure a business complies?
Get a checkup of all data security systems to identify gaps and help implement solutions, so that you and your clients stay in compliance with FTC regulations.
What's involved in establishing the FTC standards?
The
What happens if my clients or I are noncompliant?
The FTC can impose penalties of up to $100,000.00 per violation, and directors and officers of a business can be personally fined. Liability does not stop with paying fines or penalties to the FTC: affected consumers and employees can sue the company directly for breach of data privacy. There will also likely be damage to the business's reputation that may impact company revenue and growth potential. The bottom line is that the cost of compliance is far less than the cost of noncompliance.