Nearly 1,000,000 Companies and Sole Proprietors Now Required to Encrypt Data
Until now, state and federal privacy laws were enacted for fairly narrowly defined industries, with broad definitions of cybersecurity technology requirements. Then on June 9, 2023, the Safeguards Rule mandated in the Gramm-Leach-Bliley Act began affecting the broadest range of industries and professions with specific technology adoption and new information technology costs.
Let’s look at a primary technology requirement challenge and whom it affects.
According to Part 314.2(f) of the Rule, ‘Encryption means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.’ This goes beyond the need for a firewall or simple email encryption solutions and reaches the data field itself.
What is not clear is whether this includes both data at rest and data in transit. This is of concern, as 35% of attacks are from those fetching unencrypted data traveling across a network.
The FTC Safeguards Rule applies to any company offering “any product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956”. Many people assume that this would include commercial banks, wealth management firms, investment banking, and insurance companies. Counter-intuitively for many people, however, the rules apply to a broad swath of small, medium and enterprise-level companies.
Summary information in the Rule cites these general industries as examples, and we have included how many firms are operating in the United States. An untold but high percentage are small businesses.
- Mortgage Lenders – 4,338
- Pay Day Lenders – 23,000
- Finance Companies – 11,652
- Mortgage Brokers – 25,150
- Account Servicers – 88,600
- Check Cashers – 13,000
- Collection Agencies – 7,023
- Credit Counselors – 29,090
- Tax Preparers – 763,749 professionals with a PTIN; 37% are sole proprietors.
- Investment Advisors – 15,114
Many more professions and companies, most of them SMBs, are included. Examples cited by the FTC include:
- A retailer that extends credit by issuing its own credit card directly to consumers is a financial institution because extending credit is a financial activity.
- An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution.
- A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity.
- A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution.
- A business that prints and sells checks for consumers, either as its sole business or as one of its product lines, is a financial institution.
- A business that regularly wires money to and from consumers is a financial institution because transferring money is a financial activity.
- A check cashing business is a financial institution because cashing a check is exchanging money, which is a financial activity.
- An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity.
- A business that operates a travel agency in connection with financial services is a financial institution because operating a travel agency in connection with financial services is a financial activity.
- An entity that provides real estate settlement services is a financial institution because providing real estate settlement services is a financial activity.
- A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate is a financial institution.
These new regulations, which protect the consumer, put new IT cost burdens on entities large and small. ShieldIO is the leading data protection and encryption services provider, offering affordable solutions for small and medium-sized businesses as well as large enterprises. For guidance, feel free to contact us directly, or your MSP or MSSP, at email@example.com.