Do you have clients with fewer than 5,000 customers?
Don't be too quick to write them off regarding a conversation about investing in your security stack. Maybe you’ve already tried, and they hit you with a solid rejection saying something like, “There’s an exemption for businesses my size, so no thank you.”
Whether they know it or not, that exemption wasn’t a free pass. In fact, they may not even qualify for it at all.
The time for a conversation with your clients about your security stack is right now regardless of the size of the organization, but let’s clear up a few very confusing points in the new FTC Rule to help you better explain this rule to your clients.
Three misconceptions to address:
MISCONCEPTION 1: If I service fewer than 5,000 consumers, I don’t have to comply with the rule.
The FTC does have an exemption for businesses that have fewer than 5,000 clients, BUT this exemption is not talking about the number of consumers an organization currently services. It’s talking about consumer data. The FTC defines this exemption only for businesses that store fewer than 5,000 customer records.
So, let’s say they’re a small lender who only touches 200 people in a month. BUT they’ve been in business for 10 years and have 10,000 people on file (here think non-public information such as credit cards, birth dates, social security numbers, etc.). They’ll still be required to comply FULLY with the FTC Safeguards. The 5,000 number is the total number of consumers on their list, not the number of active consumers at any given time.
MAJOR TAKEAWAY: The FTC Safeguards Rule counts 5,000 or more consumers in total, not annually and not monthly, so even your small clients need to comply, and they need your help doing it.
MISCONCEPTION 2: Okay, so my organization has fewer than 5,000 consumers total on file. That means I don’t have to comply with FTC Safeguards.
This is definitely not the case. The FTC Safeguards Rule has fewer requirements for organizations that have fewer than 5,000 consumers in their database, but that does not mean the Safeguards are completely inapplicable.
The FTC still expects smaller businesses to comply with 7 elements of their framework. These elements include:
- Element 1: Organizations must designate a qualified individual to run their security program. This could be someone on their staff, or the person or organization that runs their IT. Just because an organization is small doesn’t mean it is exempt from security. You are the perfect leader for this, and now is your opportunity to communicate the value of your cyber stack.
- Element 2: Security must be evaluated on a regular basis to look for internal and external security holes, to evaluate the state of security, and to assess any controls in place to address those risks. You can offer a stress-free third-party analysis.
- Element 3: Organizations must put controls in place to address security holes. Knowing about the gaps in their security isn’t good enough. At a minimum, organizations will be expected to have a written security program that addresses the security gaps identified in a risk assessment, and you are uniquely positioned to do this.
- Element 4: Organizations must regularly monitor security effectiveness. FTC Safeguards expects organizations to regularly test or monitor the effectiveness of the safeguards they have in place. Since attackers are constantly devising ways to break through security, businesses will need to continually test the security measures they have in place. Using you as vCSO, they won’t have to worry about turnover or inconsistencies in their monitoring.
- Element 5: Organizations must have policies and procedures to help personnel adhere to their security program, as well as written policies and procedures around securing their consumer data. Your leadership will help them through this challenging process.
- Element 6: Organizations will have to adhere to standards for protecting the confidentiality, integrity and security of their consumer data. This means organizations must ensure their security controls meet the FTC’s standards for protecting data. As their information service provider, you can take the lead here: your client will have to make sure their security controls adhere to the FTC’s standards, and you’ll be the one to help them control for data confidentiality, integrity and security.
- Element 7: And, of course, organizations need to ensure continual improvement of their program based on regular testing. They will then be expected to make adjustments to their security program as needed. One easy way for you to help them address this is through a recurring third-party assessment.
MAJOR TAKEAWAY: The exemption is not a free pass on the Safeguards. Your smaller clients still need to adhere to parts of the FTC requirements, and you can help them do this.
MISCONCEPTION 3: If a third party is housing my organization’s data, we aren’t the responsible party when it comes to complying with FTC Safeguards.
You already know that whether data is stored onsite or in the cloud, it needs to adhere to similar security standards, but your clients may be thinking that if their data is being hosted by a third party off site, they are covered. You need to remind them that they aren’t. The responsibility lies with the owner of the data, not with the organization storing it.
MAJOR TAKEAWAY: You need to be prepared to (1) evaluate their vendors and (2) provide evidence that your team is adhering to the FTC Safeguards.
SO, WHAT’S THE BOTTOM LINE?
The FTC Safeguards will affect small organizations, which means this is a great time to start a conversation with your clients about how you can be their vCSO.
Even if your client isn’t covered by FTC Safeguards at all, which is doubtful given the information we just addressed, there are still reasons you can share with your clients for why it’s time to talk about your security stack:
- Their customers and the organizations they do business with may be covered, and those parties will be more likely to work with your clients if they’ve addressed the Safeguards.
- These safeguards aren’t going away, and, in fact, they may continue to redefine who is covered.
- The FTC Safeguards are a good baseline security framework to make sure that an organization is not the lowest-hanging fruit and thus an easy target for attackers.
It’s time to clear up misconceptions with your clients and help them take their security to the next level. It’s the right time, and you’re the right person.