30 CHANNELVISION | SEPTEMBER - OCTOBER 2024

CYBER PATROL

Keeping up with FTC Cybersecurity Compliance

By Jonathan Cox

The cybersecurity compliance landscape is more complex than ever. Companies today must navigate an ever-expanding list of laws and frameworks from numerous agencies, both domestic and global, ranging from the European Union’s GDPR to CISA’s Information Sharing Act. The list goes on.

One important agency that channel partners and customers often overlook is the Federal Trade Commission (FTC). Failure to comply with the FTC’s various policies can lead to mandatory corrective measures, federal supervision, fines, regulatory sanctions and reputational harm. The FTC now has several regulations in place governing cybersecurity and data protection. Three major regulations to be aware of include:

Safeguards Rule: The FTC recently amended its longstanding Gramm-Leach-Bliley Safeguards Rule, requiring covered financial organizations to report certain security events and data breaches. Covered entities must now notify the FTC within 30 days after a breach involving the information of at least 500 consumers. The new rule, which went into full effect in May, also broadens the definition of a “financial institution” to include organizations such as auto dealers, real estate appraisers and investment advisory companies, among others.

Section 5 of the FTC Act: The FTC uses Section 5 as an enforcement tool to prevent deceptive and unfair business practices around data security. Since passing the rule in 2001, the FTC has used Section 5 to go after numerous companies for failing to protect sensitive consumer data, collecting personal information in an unfair manner and misleading the public about privacy and data security. Earlier this year, the FTC handed out its first standalone Section 5 unfairness claims against fundraising software provider Blackbaud for inaccurate breach notices and unreasonable data retention.

Health Breach Notification Rule: This rule requires certain businesses and nonprofits that are not covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify their customers, the FTC and the media if there is a breach of unsecured, individually identifiable health information. In July, the FTC amended the rule to stipulate that makers of connected devices, health apps and related products must comply.

Tips for Achieving FTC Compliance

While no single measure achieves universal FTC compliance, several best practices apply across all of the FTC’s cybersecurity rules. To avoid trouble, businesses should follow these guidelines:

• Encrypt sensitive information at rest and in transit, and ensure robust key management practices are in place.

• Practice security hygiene via secure software development, regular updates and proactive vulnerability management.