Has your law firm been focusing on following the revised Safeguards Rule by the upcoming deadline? Well, you’re in luck!
Due to multiple reports of worker shortages and supply chain problems, the Federal Trade Commission (FTC) has officially lengthened the compliance deadline by a full six months for certain provisions of the updated Safeguards Rule. The new deadline for compliance is set for June 9th, 2023.
While the FTC did not state any changes to the rule itself, only the deadline extension, it may be safe to err on the side of caution and ensure you’re consulting with a knowledgeable service provider as your firm moves forward.
The FTC’s Safeguards Rule protects consumers’ personal information by ensuring financial institutions have the right security safeguards and protections in place.
In this article, we will cover which particular provisions were extended, what changes were made to the rule itself, and the right next steps your firm should take in preparation for this new deadline.
Which Provisions Are Covered by the Extended Deadline?
According to the FTC’s website, here are the key provisions affected by the FTC’s six-month delay:
Designate a “qualified individual” to oversee the security program
The qualified individual can be anyone whom you trust within your firm with the knowledge and experience needed to manage an Information Security program. (See Title 16 C.F.R. § 314.4(a),(i))
Develop a written risk assessment
This assessment will take inventory of all of your firm’s data and where it’s being stored. It will also include your firm’s internal and external security threats and risks. (See Title 16 C.F.R. § 314.4(b)(1))
Design and implement safeguards to control identified risks
Deciding on access controls is crucial to protecting confidential data. Choose who has access to what data, for what reason, and for how long. (See Title 16 C.F.R. § 314.4(c)(1))
Encrypt all sensitive information
Deemed an industry-standard form of data protection, encryption keeps data both inside and outside of your firm from being easily compromised. (See Title 16 C.F.R. § 314.4(c)(3))
Implement multi-factor authentication or another method with equivalent protection
Multi-factor authentication will verify the identity of any user by using at least two identification factors. (See Title 16 C.F.R. § 314.4(c)(5))
Factors may include:
- A knowledge factor
- A possession factor
- An inherence factor
Train security personnel
Train both your general staff and security team on required safeguards and security practices. (See Title 16 C.F.R. § 314.4(e))
Oversee the security practices of service providers
Ensure your provider has the ability to continually monitor your firm’s IT infrastructure. (See Title 16 C.F.R. § 314.4(f)(3))
Develop a written incident response plan
Outline how your firm responds to identified threats, vulnerabilities, and risks. This should include a list of goals, roles, responsibilities, and processes for responding to a data breach.
Keep in mind that a service provider will be able to help you map out a plan that fits your firm’s needs. (See Title 16 C.F.R. § 314.4(h))
Note: To take an even closer look at the list of standards for safeguarding customer information, refer to this website.
Which Provisions Are Not Covered by the Extended Deadline?
Remember that several provisions depend on one another: some provisions that did not fall under the extension may be difficult to complete without first tending to those that did.
The following provisions should have been partially in effect by the initial deadline, December 9th, 2022:
- Create Data and Systems Inventory
- Audit Security of In-House and Third-Party Apps
- Dispose of Customer Information Securely
- Monitor and Log User Activity
- Have Regular Vulnerability Scans and Penetration Tests
- Conduct Security Awareness Training for Staff
- Keep all Information Security Systems current
What are the Next Steps?
While the new deadline certainly provides a bit more breathing room, try not to delay your firm’s cybersecurity efforts. Seeing as cyberattacks are increasing at a rapid pace, your firm does not have any time to lose.
June will be here before you know it.
Our team at ArchonOne advises firms to start small by first implementing simple, user-friendly tools your whole workforce can feel comfortable using. The next step should be finding a “qualified individual” to enforce the new rules throughout your company.
Start checking items off of your proverbial FTC Safeguards Checklist one by one so that your firm can confidently reach its security goals in a matter of weeks.
With over 21 years in the field, ArchonOne has direct experience securing law firms’ IT infrastructure by providing on-demand response monitoring and helping them meet security compliance requirements.
Schedule a free demo with ArchonOne today so we can make a plan to address each provision your firm needs to meet by June 2023.