The FTC Has New Cybersecurity Rules… Is Your Business Compliant?

The Federal Trade Commission has spent years providing businesses with guidance and advice concerning their security. Now, this guidance has converted into enforceable mandates.

In short, your business needs to have systems and protections in place—not plans—in order to abide by last month’s executive order that focuses on the prevention of cybercrime and fraud. Let’s touch on what needs to be accomplished in order for you to do so. 

FTC Guidelines Apply to More Industries than You’d Think

While the FTC does have specific guidelines for some industries (like financial and HR service providers), there are plenty of rules and regulations intended to protect a consumer’s privacy and data security.

In essence, if you collect, store, and/or manage personal data in any form, you need to meet a few key baseline requirements.

What Does a Business Need to Comply with These Updated Guidelines?

The Federal Trade Commission’s new guidelines require SMBs to follow a few processes: 

• Businesses must clearly inform customers and clients about their data collection policies and how this data will be used.
• Businesses must have explicit consent from the customer/client to collect or share their personal information.
• Businesses must maintain up-to-date privacy policies to ensure compliance with these guidelines and beyond.

In addition, there are some more technical safeguards that every business must have in place moving forward:

• The FTC also requires that any access to customer data be protected by multi-factor authentication, which requires more than just a password or passcode. 
• All data should be encrypted—scrambled beyond recognition if the right key isn’t present—both while it is being stored and while it is being shared.
• It is also necessary for businesses to have a designated person in charge of their security program, per the FTC. This can either be an internal team member or an outsourced professional.

The Federal Trade Commission also requires businesses to maintain particular documentation regarding their cybersecurity. These documents include the likes of:

• A written information security program, which outlines where your data is stored and who has the ability to access it.
• An incident response plan, which is a simplified guide to lead your team through the appropriate processes if a hack or other cyber incident should be discovered… from detection and containment, progressing through your investigation, and closing with notification and recovery.

What Happens if You Neglect These Rules, Regulations, and Requirements?

Let’s say you don’t meet the standards required of you by the FTC. You can unfortunately expect a few pretty severe penalties… as in $51,000 per violation. This assumes you haven’t been breached. If you have been, and the FTC discovers that you lacked encryption or hadn’t implemented MFA, these fines can potentially swell into the millions.

You Can’t Afford Noncompliance

Failing to meet the rules that the FTC (or any applicable regulatory agency or body) holds you to simply isn’t an option for a business that plans for success. Not only is it expensive and risky, but it also signals to your prospective customers that your business is lax in essential protections. In comparison, remaining compliant shows you are invested in protecting yourself and your clientele.

We can help you ensure that your business meets its essential technology requirements in compliance with the standards expected of it. Give us a call at (254) 848-7100 to learn more.