The FTC’s updated Safeguards Rule, which was approved in October 2021 and took effect as of June 2023, has gone unnoticed by many MSPs, surprising the businesses that fall under its authority.
That’s according to Daniel Astin, a managing partner in the law firm of Ciardi, Ciardi & Astin; and Joseph Brunsman, managing member of the Brunsman Advisory Group LLC and cyber insurance expert, who briefed attendees of The 20’s VISION Conference earlier this year.
“Many more businesses fall under this rule than realize it,” said Brunsman. Companies that are uncertain should contact their attorney to verify whether it applies, he added.
In addition, MSPs have obligations depending on the services they provide. If, for example, an MSP contracts as a vCISO for clients, its liability changes.
The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction as well as those that aren’t subject to the enforcement of the Gramm-Leach-Bliley Act. The updated rule strengthens the data security safeguards that financial institutions are required to enact to protect their customers’ financial information.
It also broadens the definition of a financial institution to include nonbank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders. Any company engaged in an activity that is “financial in nature or is incidental to such activities” is subject to the rule, Brunsman explained. “If you manage data, you must manage the risk.”
Customer information that must be safeguarded includes “any record containing nonpublic personal information … in paper, electronic, or other form, that is handled, maintained by, or on behalf of you or your affiliates,” according to the FTC.
There is no simple checklist for the new Safeguards Rule, but the FTC expects companies to have a written information security program (WISP) appropriate to the size of the business, the financial activities involved, and the information maintained.
The program must encompass administrative, physical, and technical safeguards. Companies must also designate a “qualified individual” to implement and supervise security. The guidelines suggest the CISO should serve in this capacity.
“If your company brings in a service provider to implement and supervise your program, the buck still stops with you,” per the FTC.
Additionally, there’s a responsibility to designate a senior employee to supervise that person, and “that affiliate or service provider must also maintain an information security program that protects your business.” If an MSP opts to be or is asked to be the qualified individual for clients, Brunsman advised taking some precautions, since eight different federal agencies can enforce this rule.
First, ask clients in writing to investigate the Safeguards Rule themselves. Emphasize that you are not their attorney and offer to work with their counsel to address their needs. “Suggest a plan of implementation, and document everything,” Brunsman suggested.
Next, update your contract with that customer to reflect the new circumstances. Astin emphasized the importance of contracts in general, pointing out, “40% of you have customers with no contracts.” Without a contract, MSPs have maximum exposure when there is an incident and could risk bankruptcy, he said.
Moreover, MSPs should not assume an old contract will still be in force after its stated end date, because insurance companies will refuse claims without a valid and current contract.
“The FTC is now going after CEOs,” said Brunsman, and their enforcement of the Safeguards Rule is “brutal and personal.”
He cited a recent case in which a company used encryption that had known exploits against it. The FTC attached the consent order to the CEO, not just the company. Like financial institutions, MSPs “must comply if they manage any customer data,” said Brunsman.
James E. Gaskin is a ChannelPro contributing editor and former reseller in the Dallas area.