In October 2021, accounting firms countrywide noted with interest – and in some cases trepidation – the announcement by the Federal Trade Commission (FTC) that it was making sweeping changes to its Safeguards Rule. The Agency made this move to better protect US consumers from breaches and cyberattacks that too often lead to identity theft and other financial losses.
So, how do these revisions to the Safeguards Rule affect your accounting practice and your approach to cloud data security?
Let’s explore.
Initially introduced in 2003, the Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is a law designed to ensure that financial institutions take appropriate measures to protect the security of customer information.
The Safeguards Rule applies to all financial institutions that are subject to the FTC’s jurisdiction and aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6805.
Specifically, the Safeguards Rule stipulates that financial institutions must develop, implement, and maintain a robust information security program that includes administrative, technical, and physical safeguards to secure customers’ personally identifiable information (PII).
In 2021, the FTC amended the Rule in an effort to address new data security threats, risks associated with advances in digital technology, and the ongoing rise in cybercrime.
The revised GLBA Safeguards Rule came into effect on January 10th, 2022, and provides more concrete guidance for financial institutions on how to ensure information security compliance.
The amended Rule:
1. Expands the definition of who counts as a “financial institution”: Under the revised guidance, a financial institution is any institution whose business involves engaging in financial activities. Accountants and other tax preparation firms that complete income tax returns therefore fall into this category.
2. Provides additional criteria relating to existing information security programs: For example, it includes limitations on who may access consumer data and guidance on using encryption to secure data.
3. Stipulates what’s required as part of organizational risk assessments: While the original Safeguards Rule required that financial institutions undertake a risk assessment and implement safeguards to address all identified risks, the amendment sets out more precise criteria for what the risk assessment must contain. This includes access controls, data inventory and classification, encryption, secure development practices, authentication, information disposal procedures, change management, testing, and incident response. It also requires that the risk assessment be in writing.
4. Increases accountability for reporting: In addition to explaining their information-sharing practices, financial institutions must designate a single qualified individual to oversee and report on their information security program.
5. Adds new governance mechanisms: These include measures to ensure adequate employee training and proper oversight of service providers.
6. Offers an exemption for smaller companies: Financial institutions that maintain customer information on fewer than five thousand consumers are exempt from the new standards.
7. Provides detailed terminology definitions: See the complete list here.
Let’s take a closer look at the definition and goals of a business's information security program, as defined in the revised Rule:
Like many accounting firms, you may be re-evaluating your information security program and investing in additional data security resources.
Some of the most common practices used to enhance security programs include:
By implementing these practices, you can significantly reduce the risk of your data being compromised. While no security measure by itself is foolproof, introducing a variety of best practices to your information security plan will strengthen your organization’s overall security posture.
Investing in a reliable backup solution is another key way to protect your accounting data, as it can help you recover from a security breach or other data loss event.
Investing in an accounting backup solution is essential to ensuring your accounting firm abides by the amended FTC Safeguards Rule provisions.
Cloud-based accounting software providers, such as QuickBooks Online, only back up their platform – not your files. Intuit’s terms of service clearly state: “Archive your Content frequently. You are responsible for any lost or unrecoverable Content.” What’s known in the industry as the Shared Responsibility Model dictates that SaaS providers are responsible for backing up their platform data as a whole. This means that if a data breach affects their entire server, SaaS providers can restore all user data, all at once.
However, if just your individual data is affected – a far more likely scenario – your SaaS platform likely won’t be able to help.
Data loss in SaaS is more common than you might think: Rewind found that 40% of users had lost data in the cloud. With a new cyberattack launched every 36 seconds, the 45 billion-dollar cybercrime industry continues to grow. However, the most common cause of data loss by far is simple human error – 90% of data breaches were due to “the human factor”. Let’s face it: everybody makes mistakes.
A robust third-party backup solution is the only way to guarantee that you can recover your account-level data in the case of such an event.
Backup-as-a-Service (also known as BaaS) is precisely what it sounds like: a service that maintains and monitors your backups regularly and helps restore your data when needed. For those looking for “set-it-and-forget-it” data protection, Rewind Backups for QuickBooks Online is the number one choice.
Rewind maintains a continuous backup of all your files and automatically captures changes while you work. Backups are run daily, and restores can be accomplished in a few clicks, with no technical or specialized knowledge required.
Rewind Backups enables financial professionals to “undo” mistakes and restore:
Assure your clients that your practice takes its responsibility to secure sensitive information seriously.
Learn more about Rewind Backups for QuickBooks Online today, including a free trial and details about pricing.