Has your business taken the proper precautions to safeguard sensitive customer data against escalating cyber threats?
If not, massive liability could await in 2024, thanks to an expanded federal regulation called the FTC Safeguards Rule.
With digital crime booming, the updated Federal Trade Commission measure mandates heightened safeguards, across every sector it covers, to shield customer information, including financial details, from attacks.
Specifically, expanded provisions of the rule establish stronger protocols for locking down client data. Moreover, a new amendment approved in October requires non-banking financial institutions to promptly report certain data breaches and other security events to the FTC or face the consequences.
Non-compliance risks hefty fines, lawsuits, reputational damage, and suspension of e-filing privileges, not to mention the cost of recovering from a data breach, so understanding this rule is no small matter for businesses.
In this article, we’ll explore what businesses need to know about the FTC Safeguards Rule, including who is covered, how to comply, the components of an effective information security program, and why this is so important for businesses. Continue reading to learn more!
What does the Federal Trade Commission’s Standards for Safeguarding Customer Information (or the “Safeguards Rule” for short) actually do?
Put simply: Just what it sounds like it does.
The Safeguards Rule is a regulatory measure that mandates that businesses under the FTC’s jurisdiction meet legal standards for handling sensitive customer data, including developing, implementing, and maintaining an information security program equipped with administrative, technical, and physical safeguards.
The objective of this rule is threefold:
Recent updates to the Safeguards Rule now require more rigorous protections appropriate to emerging cyber threats. Key changes involve broader encryption and access control rules, multi-factor authentication requirements, assessments of the security practices of third-party vendors, and required security updates after any system changes.
In October 2023, the FTC amended the rule to create a data breach disclosure requirement. This amendment, which will go into effect on May 13, 2024, means non-banking financial institutions must notify the FTC as soon as possible and no later than 30 days after discovering a security breach involving the information of at least 500 consumers.
Also important for tax preparers: when they apply for or renew their Preparer Tax Identification Number (PTIN), they are asked whether the firm has a written information security plan (WISP) in place.
So, what exactly is a “non-banking financial institution,” anyway?
Does your business count…and if so, how can you ensure compliance?
Let’s explore this in more depth.
The Safeguards Rule applies broadly to businesses categorized as “financial institutions” that handle sensitive customer information. However, this designation encompasses far more than banks, credit unions, or investment firms.
Under Section 314.2(h) of Title 16 of the Code of Federal Regulations, “financial institutions” include any company significantly engaged in financial activities or related services. Along with lenders and traditional finance groups, professional services organizations such as accounting firms, tax preparation services, credit counseling agencies, and consultants or contractors fall under FTC authority.
More specifically, financial institutions subject to FTC Safeguards Rule compliance include businesses such as:
Essentially, any company that handles nonpublic financial data like bank account details, credit card numbers, income figures, credit scores, or other personal finance records must comply.
Businesses maintaining data on fewer than 5,000 consumers may qualify for exceptions, easing certain requirements. Nevertheless, maintaining prudent security is still vital given the increasing cybercriminal interest in small businesses as soft targets.
Compliance with the Safeguards Rule requires a written information security program appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information at hand.
The objectives of your company’s program must be:
The rule defines “customer information” to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”
This covers information about your own customers and information about customers of other financial institutions that have provided that data to you.
An effective modern information security program contains layered administrative, physical, and technical controls, including:
Furthermore, the FTC Safeguards Rule outlines some core elements businesses must integrate into their customized program:
Larger entities and those facing elevated risks or advanced cyber hazards may require additional controls, such as:
Maintaining robust safeguards to comply with the FTC Safeguards Rule protects customer trust, reputation, and the bottom line. Data breaches carry severe financial damages — $4.45 million on average in 2023 — not to mention intangible brand and relationship costs.
As cybercriminals grow more sophisticated, merely reactive security is inadequate. By implementing systematic safeguards per the Safeguards Rule, you reduce the risks and promote continuity if incidents arise.
Need help making sense of all this and understanding the impact on your business?
The potential exposures from something as preventable as non-compliance with the Safeguards Rule make working with seasoned advisors an easy call, and our team stands ready to assist.
If you are a client and would like to book a consultation, call us at +1 (212) 382-3939 or contact us here to set up a time.
If you aren’t a client, why not? We can take care of your accounting, bookkeeping, tax, and CFO needs so that you don’t have to worry about any of them. Interested? Contact us here to set up a no-obligation consultation.
Interested in receiving updates in your mailbox? Check out our newsletter, full of information you can use. It comes out once every two weeks, and you can register for it below.
Jeff Coyle, CPA, Partner of Rosenberg Chesnov, has been with the firm since 2015. He joined the firm after 20 years of business and accounting experience, where he learned the value of accurate reporting, of using financial information as a basis for good business decisions, and of accounting for management.
He is a diligent financial professional, able to manage the details and turn them into relevant, business-leading information. He has a strong financial background in construction, technology, consulting services, and risk management. He also knows what it takes to build organizations, having built teams, grown companies, and designed processes for financial analysis and reporting.
His business experience includes:
Creating and preparing financial reporting, budgeting and forecasting.
Planning and preparation of GAAP and other basis financial statements.
Providing insight on financial results and providing advice based on those results.
Jeff also has a long history of helping individuals manage their taxes and plan their finances including:
Income tax planning and strategy.
Filing quarterly and annual taxes.
General financial and planning advice.
Prior to joining the firm in 2015, Jeff was in the private sector, where he held senior financial and management positions including Controller and Chief Financial Officer. He has experience across industries, including construction, technology, and professional services, which gives him a deep understanding of business.
Jeff graduated from Montclair State University. He is a CPA and a member of the American Institute of Certified Public Accountants, the New York State Society of Certified Public Accountants, and the New Jersey State Society of Public Accountants.
Jody H. Chesnov, CPA, Managing Partner of Rosenberg Chesnov, has been with the firm since 2004. After a career of public accounting and general management, Jody knows the value of good financials. Clarity, decision making, and strategy all start with the facts – Jody has been revealing the facts and turning them into good business results for more than three decades.
He takes a pragmatic approach to accounting, finance and business. His work has supported many companies on their path to growth, including helping them find investors, manage scaling and overcome hurdles. His experience and passion for business reach beyond accounting and he helps businesses focus on what the numbers mean organizationally, operationally and financially.
He has particular expertise in early-stage growth companies. His strengths lie in cutting through the noise to come up with useful, out-of-the-box solutions that support clients in building their businesses and realizing their larger visions.
Prior to joining the firm in 2004, Jody was in the private sector, where he held senior financial and management positions including General Manager, Chief Financial Officer, and Controller. He has experience across industries, which gives him a deep understanding of business.
Jody graduated with a BBA in Accounting from Baruch College. He is a CPA and a member of the American Institute of Certified Public Accountants and the New York State Society of Certified Public Accountants.
In addition to delivering above-and-beyond accounting results, Jody is a member of the NYSCPA’s Emerging Tech Entrepreneurial Committee (ETEC), Private Equity and Venture Capital Committee, and Family Office Committee.
He is an angel investor through the Westchester Angels and has served as an advisor for many startup companies and as a mentor through the Founders Institute.