
Still Using Basic Passwords Without MFA? You’re Violating FTC Standards

Data protection is key in an increasingly digital world. Take these seven steps to protect customer data and comply with the FTC Safeguards Rule.


  • What’s on the line for businesses that violate the FTC Safeguards Rule?
  • What’s needed for compliance?
  • How can a managed services provider help?

On December 9, 2021, the Federal Trade Commission (FTC) updated its Safeguards Rule to keep pace with evolving technology and ensure financial organizations properly protect customer data. 

The big question: Are you compliant? 

Even bigger question: Have you implemented the right security measures? 

If not, you are setting the stage for serious financial ramifications—up to $100,000 per incident and five years in prison for repeated infringements. 

And let’s not forget the reputational damage. If customers can’t trust you with their data, they’ll take their business elsewhere.

So, what do you need to do to stay compliant and safeguard customer information? Let’s jump right in!

7 Steps to Regulatory Compliance

First things first.

You need a rock-solid information security policy tailored to your business’s unique risks. This is essential for protecting customer data and staying compliant.

Here are seven key steps to ensure compliance:

1. Choose a Qualified Information Security Program Manager

This role must be filled by an internal staff member, an affiliate, or a managed I.T. services provider with cybersecurity expertise – not just technical know-how. 

Because without the right expertise, how can you be sure your policies and controls align with industry best practices?

Many businesses choose to outsource this responsibility to simplify compliance, and that’s a smart move. But always remember, the buck stops with you. If you partner with an external provider, designate a senior employee to oversee them and ensure they’re meeting every FTC requirement. 

Compliance isn’t a set-it-and-forget-it process. It requires ongoing vigilance.

2. Conduct a Thorough Risk Assessment 

Once you’ve identified the right person to oversee your security program, it’s time to evaluate your risks.

Start by answering these questions as comprehensively as possible:

  • What does your current I.T. environment look like?
  • What customer information do you collect, and where is it stored?
  • What potential internal or external threats could compromise your program’s integrity, confidentiality, and security?
  • Do existing controls effectively mitigate these threats? 

Information security risks are always evolving. A one-time assessment isn’t enough. 

You need regular risk reviews to ensure your security program stays up to date as new threats emerge and your business operations change.

Also: Do you have a reliable I.T. asset management strategy?

3. Build a Strong Information Security Program

Your security program should be comprehensive and proactive, covering all critical areas of data protection. Here’s what it must include:

  • Encryption: Protect customer data by making it unreadable to hackers.
  • Strong password policies with multi-factor authentication (MFA): Stop attacks at the gate, so a stolen or guessed password alone is not enough to log in.
  • Least-privilege access: Ensure employees can only access the data they need for their roles.
  • Auditing and logging: Monitor user activity and detect security events in real time.
  • Secure data disposal: Align information disposal with business needs and legal requirements.
  • I.T. change management: Minimize risks when introducing new systems or assets.

With these controls and policies in place, what’s next? It’s time to test and refine your program. 

4. Monitor, Test, and Strengthen Your Defenses

The FTC requires you to take one of the following approaches to ensure ongoing security:

  • Continuous monitoring: Detect threats in real time and respond immediately.
  • Regular testing: Conduct annual penetration testing and biannual (every six months) vulnerability assessments, plus additional testing whenever significant changes occur in your business, operations, or technology.

We recommend both. A layered security approach is always more effective than relying on a single method. 

Continuous monitoring keeps you proactive, while regular testing helps identify and fix vulnerabilities before they become real threats. 

5. Provide Comprehensive Security Training 

Like it or not, your employees are your biggest security risk. A staggering 74% of data breaches happen due to human error. 

Ask yourself:

  • Do employees understand your security policies, how they work, and why they matter? 
  • Can they recognize social engineering attacks? 
  • Do they know what to do if they suspect a data breach?

Education is your best defense. Getting everyone on the same page drops the risk of human error dramatically. Plus, a well-trained team can respond quickly to a breach, minimizing its overall impact. Make security awareness an ongoing priority, not a one-time event. 


6. Monitor Your Service Providers 

Your security is only as strong as your weakest links, and that includes your vendors. 

According to Verizon’s 2024 Data Breach Investigations Report, 15% of cyberattacks stem from hackers exploiting third-party systems connected to company networks.

A few valuable questions:

  • Are you effectively managing vendor risk? 
  • Do your service level agreements (SLAs) clearly define security expectations?
  • What non-public customer data can vendors access? 
  • Are vendors audited for compliance with the FTC Safeguards Rule?

Stay proactive. Perform annual vendor risk assessments and regularly review contracts to ensure ongoing compliance. A weak link in your supply chain can put your entire business at risk, so don’t leave it unchecked. 

7. Have a Solid Incident Response Plan

What happens when a security event occurs? If you don’t have a clear answer, your organization is at risk.

A “what if” plan is essential for worst-case scenarios. Ask yourself:

  • How will you contain security threats?
  • Who is responsible for each step in the response process?
  • What are the official incident response procedures?
  • How will you prevent similar issues from happening again?

All of this needs to be clearly documented in your information security program.

Managing internal risks, securing third-party access, and staying FTC-compliant may seem overwhelming, but it doesn’t have to be. 

You can stay ahead of threats and protect your business with a proactive approach, the right security framework, and continuous monitoring.

Attentus Can Help With FTC Data Protection

At Attentus, we believe in being the answer when it comes to cybersecurity and compliance.

Since 2003, we’ve helped many small and mid-sized financial institutions navigate the complex requirements set by the FTC, Securities and Exchange Commission (SEC), and other regulators. And we know firsthand how tough those standards can be.

We’re here to make it easier. One of our core values is to Be Easy to Work With, which means we focus on clear communication, straightforward processes, and practical solutions tailored to your risks. Our pricing is also customized to your needs—so you’ll never pay for what you don’t need. Our team can identify vulnerabilities, build strategies that evolve as your business grows, and keep your compliance efforts streamlined and stress-free.

Let’s simplify your I.T. and strengthen your security. Schedule a free consultation and see how we can help.
