In October 2021, accounting firms countrywide noted with interest – and in some cases trepidation – the announcement by the Federal Trade Commission (FTC) that it was making sweeping changes to its Safeguards Rule. The Agency made this move to better protect US consumers from breaches and cyberattacks that too often lead to identity theft and other financial losses.
So, how do these revisions to the Safeguards Rule affect your accounting practice and your approach to cloud data security?
What is the Safeguards Rule?
In force since 2003, the Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is a regulation (16 CFR Part 314) issued under the Gramm-Leach-Bliley Act. It requires financial institutions to take appropriate measures to protect the security and confidentiality of customer information.
Who does the Safeguards Rule apply to?
The Safeguards Rule applies to all financial institutions that are subject to the FTC’s jurisdiction and aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6805.
What’s required under the Safeguards Rule?
Specifically, the Safeguards Rule stipulates that financial institutions must develop, implement, and maintain a robust information security program that includes administrative, technical, and physical safeguards to secure customers’ personally identifiable information (PII).
Safeguards Rule changes
In 2021, the FTC amended the Rule in an effort to address new data security threats, risks associated with advances in digital technology, and the ongoing rise in cybercrime.
The revised GLBA Safeguards Rule came into effect on January 10th, 2022, and provides more concrete guidance for financial institutions on how to ensure information security compliance.
The amended Rule:
1. Expands the definition of who is regarded as a “financial institution”: The revised Rule adds “finders” (companies that bring together buyers and sellers of a product or service) to the definition, and the FTC’s accompanying guidance names tax preparation firms among the businesses covered. Accountants and other tax preparation firms that complete income tax returns therefore fall into this category.
2. Provides additional criteria relating to existing information security programs: For example, it includes limitations on who may access consumer data and guidance on using encryption to secure data.
3. Stipulates what’s required of organizational risk assessments and the safeguards that follow from them: The original Safeguards Rule required financial institutions to undertake a risk assessment and implement safeguards to address the identified risks, but left the details open. The amendment requires the risk assessment to be in writing and sets out criteria for how risks are evaluated and how the safeguards address them. It also enumerates the safeguards the program must include: access controls, data inventory and classification, encryption of customer information in transit and at rest, secure development practices, multi-factor authentication, secure information disposal procedures, change management, monitoring and testing (continuous monitoring or annual penetration testing with semi-annual vulnerability assessments), and a written incident response plan.
4. Increases accountability for reporting: Financial institutions must designate a single “Qualified Individual” to oversee, implement, and enforce their information security program. That individual must report in writing, at least annually, to the board of directors or an equivalent governing body on the status of the program and the institution’s compliance.
5. Adds new governance mechanisms: These include measures to ensure adequate employee training and proper oversight of service providers.
6. Offers a partial exemption for smaller companies: Financial institutions that maintain customer information on fewer than five thousand consumers are exempt from some of the new requirements, namely the written risk assessment, continuous monitoring or periodic penetration testing and vulnerability assessments, the written incident response plan, and the annual written report to the board. They must still implement the remaining safeguards.
7. Provides detailed terminology definitions: The complete list of defined terms is in the Rule’s definitions section, 16 CFR § 314.2.
Spotlight on: Information security programs
Let’s take a closer look at the definition and goals of a business's information security program, as defined in the revised Rule:
- The objective of such a program is to protect your customer information from unauthorized disclosure, misuse, alteration, destruction, compromise, or loss.
- Your information security program must be appropriate to the size and complexity of your business, the nature and scope of your activities, as well as the sensitivity of the customer information you store.
Like many accounting firms, you may be re-evaluating your information security program and investing in additional data security resources.
Some of the most common practices used to enhance security programs include:
- The principle of least privilege: This entails giving employees access only to the information and systems they need to do their jobs, and nothing more. For example, your marketing team almost certainly doesn’t need access to your clients’ complete tax returns. Reviewing access rights regularly, and removing them promptly when someone changes roles or leaves, is part of the same discipline.
- Password managers: These apps help create and track strong, unique passwords for each account. They also enable secure password sharing between users who may share access to an account.
- Multi-factor authentication: This process adds an extra layer of security by requiring a second form of verification beyond just a password, such as a code from an authenticator app, a hardware security key, or a code sent to an email address or mobile device. Combining something you know (your password) with something you have (your phone or a security key, for example) means a stolen password alone is not enough to get in. Note that codes delivered by SMS or email are the weakest option: they can be intercepted or phished along with the password. Authenticator apps are better, and hardware security keys or passkeys based on FIDO2/WebAuthn are the only common form that resists phishing outright. The amended Rule requires multi-factor authentication for anyone accessing customer information on your systems.
- Security training: Helping employees better understand how to spot and avoid potential security threats can enhance your overall security program. A security program is only as good as its weakest link, but with some training, every employee can become a security asset.
- Regular risk assessments: Regular assessments can help you identify and address potential vulnerabilities in your security system. Scheduling these assessments ensures you can make time for this essential activity, even during busy seasons.
By implementing these practices, you can significantly reduce the risk of your data being compromised. While no security measure by itself is foolproof, introducing a variety of best practices to your information security plan will strengthen your organization’s overall security posture.
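To make the “something you have” factor concrete, here is an added example (not code from the original page, and not Rewind’s own) of how the six-digit code an authenticator app produces is generated and checked on the server side. It implements the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 with only the Python standard library, accepts one time-step of clock drift on either side, and remembers the last accepted counter so that a code captured by an attacker cannot be replayed within that window. The shared secret below is the RFC test-vector seed, used here so the output can be checked against the published vectors; in practice the secret is generated randomly per user and stored encrypted.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector seed (not a real user secret).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password for a given counter value."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()   # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                              # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HOTP over the current time step."""
    return hotp(secret, at // step, digits)


def verify_totp(
    secret: bytes,
    submitted: str,
    at: Optional[int] = None,
    step: int = 30,
    digits: int = 6,
    window: int = 1,
    last_counter: int = -1,
) -> Optional[int]:
    """Check a submitted code against the current time step and +/- `window` steps.

    Returns the matched counter (so the caller can persist it as `last_counter`),
    or None if no step within the window matches.  Counters at or below
    `last_counter` are rejected, which prevents replay of a code the user
    (or an attacker who captured it) already used.
    """
    if at is None:
        at = int(time.time())
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        expected = hotp(secret, counter, digits)
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(expected, submitted):
            return counter
    return None


if __name__ == "__main__":
    # Simulate a login at Unix time 59 (time step 1 in the RFC vectors).
    code = totp(TEST_SECRET, at=59)
    print("code shown in authenticator app:", code)
    accepted = verify_totp(TEST_SECRET, code, at=59)
    print("first use accepted, counter:", accepted)
    replayed = verify_totp(TEST_SECRET, code, at=59, last_counter=accepted)
    print("same code submitted again:", "rejected" if replayed is None else "accepted")
```

The RFC 6238 vector for this seed at time 59 is 94287082 with eight digits, and its last six digits match the RFC 4226 HOTP vector for counter 1, which is what the six-digit default returns. The design points worth copying are the constant-time comparison, a small drift window rather than an exact-time match, and storing the last accepted counter per user. Bear in mind that a TOTP code, like an SMS code, can still be phished in real time; it protects against a stolen password, not against a user typing the code into a fake login page.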
Investing in a reliable backup solution is another key way to protect your accounting data, as it can help you recover from a security breach or other data loss event.
Backups: A vital element of your information security program
Investing in an accounting backup solution is essential to ensuring your accounting firm abides by the amended FTC Safeguards Rule provisions.
Cloud-based accounting software providers, such as QuickBooks Online, back up their platform – not your individual files. Intuit’s terms of service state it plainly: “Archive your Content frequently. You are responsible for any lost or unrecoverable Content.” Under what the industry calls the Shared Responsibility Model, the SaaS provider is responsible for the availability of the platform and the data store as a whole. If a platform-wide failure or breach affects every customer, the provider can restore all user data at once from its own backups.
However, if only your account’s data is affected – by an accidental deletion, a bad import, a compromised user account, or a third-party integration gone wrong, which is a far more likely scenario – your SaaS provider generally cannot roll back just your data to an earlier point in time.
Data loss in SaaS is more common than you might think: Rewind found that 40% of users had lost data in the cloud. With a new cyberattack launched every 36 seconds, the 45-billion-dollar cybercrime industry continues to grow. However, the most common cause of data loss by far is simple human error: 90% of data breaches were attributed to “the human factor”. Let’s face it: everybody makes mistakes.
A robust third-party backup solution, held independently of the provider, is the dependable way to ensure that you can recover your own account-level data after such an event.
Spotlight on: Backup as a Service
Backup-as-a-Service (also known as BaaS) is precisely what it sounds like: a service that maintains and monitors your backups regularly and helps restore your data when needed. For those looking for “set-it-and-forget-it” data protection, Rewind Backups for QuickBooks Online is the number one choice.
Rewind backs up your QuickBooks Online data automatically: it captures changes while you work and runs a full backup every day. Restores can be accomplished in a few clicks, with no technical or specialized knowledge required.
Rewind Backups enables financial professionals to “undo” mistakes and restore:
- Individual items, including attachments, reports, expenses, and more
- Your complete QuickBooks Online files, exactly how you need them
Assure your clients that your practice takes its responsibility to secure sensitive information seriously.