There’s a red hot sports car screaming down the road directly towards YOUR CLIENT. But your client is busy conducting business on their phone.

What do you do?

Stupid question, right?  You help them.

The FTC Safeguards aren’t exactly a red hot sports car, but they have just as much potential to devastate your client.

Organizations are conducting business as usual while overlooking what’s headed right for them. Maybe they think they’re not covered by it. Or maybe they think the safeguards just aren’t as urgent as the other items on today’s to-do list.

That beautiful red sports car probably didn’t seem too urgent until it hit either.

The FTC means business when it comes to enforcing this law, so let’s talk about some of the finer points of this new rule.

*Note: if you need a refresher on the basics of FTC Safeguards, I highly suggest you take a look at [url].

Before I go any further, however, I want to be clear: I am NOT your attorney. I am a security guy who is interested in helping MSPs protect their clients’ best interests. For legal advice, seek the expert knowledge of an attorney.

First off, as your client’s security and service provider, there’s no way you can fulfill every requirement outlined by the FTC on your own.

  • You can’t have them thinking that you will be solely responsible for meeting the FTC requirements here.
  • You can’t be the one checking items off a punch list.

This is not how FTC Safeguards works. You need to be their trusted advisor, but technically, as a provider, you will not be at the center of the bull’s eye should things go wrong. The FTC will hold your client fully responsible.

But you’re still the one standing there watching that sports car heading for your client. That’s why I want to make sure you are armed with information and are able to communicate risk in a way that gets them to start taking action.

And when an FTC violation occurs, know this: an insurance policy will not cover the repercussions. (And I’m talking about both your policy and your client’s.)

Let’s start with a question on many people’s minds: Who’s exempt? (I recently talked specifically on this topic.) If your client is still not clear after reading through the FTC’s description of who is covered under the law, I would highly suggest you have them speak to an attorney who can sort out whether they are covered or not.

It seems that the FTC is trying to cast as wide a net as it can in describing a financial institution. The definition is murky at best, so you’ll want to be sure your client isn’t covered before saying so.

But here’s an easier, and much more productive, approach: Direct all of your clients to abide by this new rule. It is a significant standard for handling customer data, and even if they’re not required to follow it, doing so will benefit your client in the long run.

For now, let’s assume your client is covered under the rule. They’re expected to protect their customer information, meaning any non-public personal information about the customer. Nothing too shocking here.

But what might surprise you is that the pile of manila folders lying on someone’s desk is covered just as strictly as the text files stored on a server.

When you think about protecting non-public personal information, keep in mind that there is no narrow definition outlined by the FTC. It really doesn’t matter whether that information is in paper, electronic or some other form.

Your client is expected to put in place the necessary administrative, physical and technical safeguards to protect all of its non-public consumer data. This goes all the way down to conducting a background check on the cleaning service used by your CPA client.

The FTC rule can get that granular. Have you been helping clients understand that?

How about storage of information? Have you explained that having someone else house or handle the data does NOT relieve you or your client of responsibility for it? That’s right. You’ll need to know exactly how that data is being safeguarded.

Your clients need guidance, and this is where you might consider engaging with them as a security officer or as their security leadership.

You can see that red hot sports car speeding down the road. If you do nothing, your client will be hit, and hit hard.

You may not be the party to blame when the FTC Safeguards hit your client, but will that matter in their eyes?

You’re in a position to really make a positive difference for them, so why not create a specific written security plan for protecting their data?

You can be the one to get them to understand their big hairy risk. You can help them see that speeding car and step out of the way to safety.

The easiest way to do this is by showing them the need for a vCSO.

In order to communicate their risks, consider walking them through a tabletop exercise.

Ask them about the types of data they store, how they store it, and who accesses what data. Where does that data live?

You will also want to get them to think about their risks.

What if someone saves that Excel sheet to their desktop? What if that loan application is left out for anyone to see? Get them to start thinking about their biggest what-ifs, and to realize that they need to do something about, at the very least, the big hairy risks associated with the biggest ones.

As you walk them through their what-ifs, get them to realize that you are in the perfect position to help them both meet the FTC requirements and do what is right for their clients’ data.

Their data risks are bigger than they have ever been before. And now the government is making sure they are doing the right things to protect that data.

If you don’t help them see this now, someone else will.

Need help to understand how to communicate FTC Safeguards and the big hairy risks your clients are shouldering?

Consider becoming their trusted vCSO and lead them to understand and appreciate the need to fix their data security before something happens.