This month I would like to discuss the importance of protecting your customer’s data. Information Security Compliance including FTC (Federal Trade Commission) Safeguard Rules for RV dealerships, service centers, and even mobile technicians. Keep in mind, the role of the FTC is to prevent fraudulent, deceptive, and unfair business practices. They also provide information to help consumers spot, stop, and avoid scams and fraud. Many of our members use different approaches to store and safeguard customer data, we want to ensure everyone is aware of the June 9th deadline to ensure customer data is properly protected.
Cyberattacks on financial institutions continue to grow in frequency and severity. In response to the uptick in cyber threats, government, and industry governing bodies are quickly implementing new regulations and requirements to protect consumers.
One such federal regulation is the Gramm-Leach-Bliley Act (GLBA), a federal law to control how financial institutions collect, store, and transmit consumer information. Though it focuses on “financial institutions” the safeguard rule includes more than just banks.
According to the GLBA, a financial institution is any company that offers financial products or services like loans, financial or investment advice, or insurance to consumers.
More specifically, entities required to comply with GLBA include, but are not limited to:
- Mortgage lenders and mortgage brokers
- “Payday” lenders
- Finance companies
- Account services
- Check cashers
- Wire transferors
- Travel agencies operated in communication with financial services
- Collection agencies
- Credit counselors and other financial advisors
- Tax preparation firms
- Non-federally insured credit unions
- Investment advisors not required to register with the Securities and Exchange Commission (SEC)
- Finders, or companies that bring together buyers and sellers, and then the parties themselves negotiate and consummate the transaction
If you are still determining whether or not your business is considered a financial institution under GLBA, see 16 CFR 314.2 (h). Additionally, you may be exempt from certain provisions if your organization maintains customer information for fewer than 5,000 customers.
A few things to consider, having an IT person on staff doesn’t mean you are compliant. Do not put yourself at risk thinking that is sufficient for the organization. The Safeguard regulatory rule has been around since 2003, ignorance is no longer a defense. Many business owners believe that size matters, believing in the myth that cyber-attacks and Ransomware only happen to larger businesses. This is far from the truth, many small to medium size businesses are the targets because they deprioritize information security. Unfortunately, they do not understand the risk and consequences of not investing in protecting their customer’s data. It is against the law for anyone to pay for the ransom, you do not know whom you are financing. In addition, in the paid-for ransom people on average only see 65% of the data returned.
Here are 8 things to access to see if you are complying with the GBLA act:
- You have a qualified individual to implement and supervise the information security program.
- Risk assessments are conducted.
- Someone is designing and implementing safeguards to control the risks identified in the risk assessment.
- You are monitoring and testing safeguards on a regular basis.
- All required IT training is completed annually and is properly tracked and recorded.
- You ensure all service providers are monitored.
- The information security program is current.
- There is a written incident response plan.
If you answered no to any of the 8 points above, we recommend you click here https://a2crv.com/ for more information regarding how to approach information security awareness and training within your business.
As always, if you have any questions feel free to reach out to me at (813) 919-5873 or Veronica@frvta.org.