Would you step out into the road if an out-of-control sports car was barreling toward you?

Why?  It might not hit you.  It might swerve at the last minute.  And come to think of it, you’ve got an important text message to respond to right now.  So, okay.  Step out.  It MIGHT be fine.

That’s a ridiculous example, I know, but there’s something big headed towards your business right now, and ignoring it makes no more sense than ignoring a car heading towards you.

Of course, I’m talking about the FTC Safeguards.  Many companies are overlooking it. Maybe they think they aren’t covered by it. Or maybe they think it’s no big deal.

Even if you don’t think you are covered by the FTC rule, you might be.

The rule has a murky definition of what constitutes a “financial institution”. And if it considers you a covered entity, you’re at risk of more than a bad reputation if you violate the newly enacted rule.

Just to be clear: I am not a legal authority or an administrative judge. So, while the FTC has outlined its expanded definition of who is specifically covered, you may want to consult with your attorney to understand how that definition impacts your business.

If you are covered, here’s a sobering thought: if you fail to comply, it’s not your IT provider the FTC will blame. The rule is pretty clear: regardless of whether you have an MSP or an in-house team, you—the CEO—will be held responsible.

It’s time to start thinking about the data risks you might have within your network and finding a solution to address issues that may be in plain sight.

As you think about your data, I want you to think about the following 3 questions.

  1. Where is your data?
    Do you house your data onsite? Do you store it in the cloud? Do you have contracts with other providers to manage it? It doesn’t matter how or where your data is kept, you need to understand where it is and how it is protected. Even if you have explicit contracts with providers who guarantee your data is protected, if it ends up getting leaked or compromised, the FTC will blame you solely for the incident.
  2. What kinds of non-public customer data do you store?
    If your organization stores any non-publicly available information about your customers, you will likely want to make sure it is safeguarded. Take an inventory of what types of data you store on your customers and what data any of your vendors store on them. Your security advisor—typically a chief security officer (CSO)—should help you map out where your data is being stored and how it is safeguarded, so you can be sure you’re doing your part to keep customer data safe.
  3. What if a hacker got into your data?
    In addition to knowing where data is and having a basic understanding of how it is secured, you should be prepared to understand how worst-case scenarios would turn out. How prepared are you to respond to those scenarios? The easiest way to work through these different cases is by working through tabletop exercises. Your security provider or CSO should be able to help guide your organization through these types of events.

The FTC Safeguards Rule is the new normal in security. It is a baseline that most businesses should be following EVEN if they don’t have to.

Your clients expect you are doing the right thing by their data, and following the FTC Safeguards is the right thing.  Do you really want to ignore a speeding car and just stand there in the road?

Are you ready to do the right thing?  A great first step is to undergo a third-party security assessment.