Federal Trade Commission (FTC) Safeguards Rule Requirements: Part Two

This is the second segment of our breakdown of the FTC Safeguards Rule requirements. You can find part one here:

• Federal Trade Commission (FTC) Rule Requirements: Part One

Starting from June 9th, 2023, the FTC Safeguards Rule will mandate the implementation of seven different security requirements. For small businesses, organizing and building a security program can be challenging, especially if the responsibility falls on someone without a security background. Failure to comply with the safeguard rule may result in financial penalties for your company. To ensure compliance, it’s crucial to designate a qualified individual to oversee and implement your organization’s information security program. You can easily do this by reaching out to companies that offer virtual chief information security officers or fractional information security officers. If your organization doesn’t require a full-time security officer, utilizing a virtual chief information security officer can be a cost-effective and efficient solution.

For many small to medium-sized organizations, conducting written risk assessments can be quite challenging. Essentially, risk assessments aid in identifying and comprehending the potential threats to your company. These assessments must be documented and conducted regularly, ideally on an annual basis, in accordance with the Safeguards Rule. However, once the risks have been identified, the real challenge lies in devising and executing effective measures to mitigate them. Planning and implementing safeguards to protect your company’s data, reputation, and overall security can become a significant burden for the personnel responsible for overseeing the information security program.

Penetration testing and vulnerability assessments are highly technical activities that aim to identify potential weaknesses or vulnerabilities in your organization’s technology infrastructure, which could pose a security risk. Penetration testing involves an active attempt to exploit vulnerabilities and should be conducted by trained cybersecurity professionals at least once a year. On the other hand, vulnerability assessments should be performed quarterly and should be managed by the individual responsible for overseeing your organization’s security program. If you outsource these tasks to a third-party service provider, their findings may require technical reconfiguration or implementation of new processes to address the identified technical risks.

These are the first four elements in the FTC Safeguards Rule – there are three additional security program requirements that we will explore further in Part 3.