Who the heck is the FTC and why should you care?
The FTC (Federal Trade Commission) protects consumers by preventing anti-competitive, deceptive, and unfair business practices. They're now stepping in to help protect consumers' privacy.
The FTC was founded way back in the 30’s. Think about that for a minute. Between then and now, we split the atom and we got to the moon.
But the expectations and standards businesses were held to really did not change very much—especially relating to how consumer data is protected.
This is not really a brand-new concept, but the FTC is upping their game.
Congress passed the Gramm-Leach-Bliley Act, or GLBA. Its purpose was to modernize the financial industry, with the FTC responsible for implementation.
The original rule passed way back in May of 2002 and was instated in 2003.
It required financial institutions to have some new controls in place, including security protections and disclosure requirements. But those protections and disclosure requirements are based on the technology of 1999.
The problem was NOT solved.
The big problem is that protecting sensitive personal data has really changed over the past 20 years. How businesses might have kept confidential or personal information safe back then is completely different from how it is done today.
With big changes to the technology landscape happening between the 2000s and today, the FTC decided to completely overhaul its protections for sensitive data.
If you take a look at the original scope for "financial institution," it wasn't terribly detailed, and it might have been a little bit unclear.
A lot more organizations are being specifically called out in the new scope. Let me give you some examples. The first one is mortgage lenders.
Next are the payday lenders, you know, the folks where you might go to get a check cashed or something like that. Also finance companies, mortgage brokers themselves, account servicers, and check cashers. And I'm not talking about the payday lenders here; I'm talking about the folks that just cash the check for you.
The biggest change to FTC rules?
They have expanded who they define as a “financial institution”.
Entities newly covered by FTC rules include, but are not limited to:
- Mortgage lenders
- “Payday” lenders
- Finance companies
- Mortgage brokers
- Account servicers
- Check cashers
- Wire transferors
- Travel agencies operated in connection with financial services
- Real estate appraisers
- Credit counselors and other financial advisors
- Automotive dealerships
- Tax preparation firms
- Non-federally insured credit unions
- Investment advisors that are not required to register with the Securities and Exchange Commission
- Entities acting as finders

Here is the kicker: EVEN if your type of business is not listed here, if you perform functions like these you ARE covered. If you aren’t addressing this stuff, you are putting your business at risk.
Even if you aren’t covered by the FTC at all, you probably should heed their changes to do business today.
No, the government will not come after you with fines.
Your supply chain will be looking for these changes. Someone in your data supply chain WILL be subject to FTC enforcement and will expect the businesses they work with to also adhere to a basic standard like the FTC's. We have been brought in to evaluate vendors and partnerships as a third party, and at some point, if your data security standards do not reach a minimum standard like the ones outlined by the FTC, businesses will opt to engage with other partners.
The FTC Safeguards rules are NOT meant to be a slap on the wrist for speeding. These regulations are the new normal of what you should be doing as a responsible business leader.
Unless you understand where your security weaknesses are, how will you make sure you’re doing enough to keep attackers out?
The virtual Chief Security Officer (vCSO) is your path forward
The best path forward for growing concerns over data security is to engage a virtual Chief Security Officer (vCSO). This resource will help make sure your entire business (your processes, policies, people, and technology) fits within a minimum security standard.
Even more, they will guide you as a thought leader in the security space. Technology is taking over parts of your business you may not have thought possible. If you aren’t looking out for where your data is, how it is being kept secure, and ways to prevent that data from getting into the wrong hands, you are asking for a data breach or business-shuttering ransomware attack.
A vCSO will help you address the concerns.
Not sure where to go from here? Consider a third-party assessment to see where your security stands.