On October 27, 2021, the Federal Trade Commission finalized its long-awaited updates to the Safeguards Rule. The changes require financial institutions, including auto dealers and finance companies, to dust off their existing information security programs and likely make some significant changes. My March Spot Delivery article discussed one key change—encryption requirements for emails containing customer information. This article highlights another key change—the requirement to establish a written incident response plan.
Security breaches happen every day, and it’s only a matter of time before it happens to you. As we’ve all heard, a failure to plan is a plan to fail. Developing a plan for how your company will respond to a breach will help you quickly and efficiently react while also allowing you to avoid the reputational harm associated with failing to appropriately address a security breach.
What is a written incident response plan?
On December 9, 2022, financial institutions will be required to have a written incident response plan. A written incident response plan explains how a financial institution will respond to a security event—an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.
What are the requirements for a written incident response plan?
A compliant written incident response plan must include specific elements.
What should you do now?
The first step in satisfying the Safeguards Rule’s requirement to establish a written incident response plan is to identify the steps you have in place to address a security event. Your business may have already experienced a security event, so think through what you did to address any previous security events, and write that information down. Next, compare what you did to what steps the Safeguards Rule requires you to take, determine what necessary information is missing, and then figure out how you will address any holes in your incident response plan—or work with your compliance counsel to complete this step. It is also important to inventory any applicable state data breach laws to ensure that your incident response plan incorporates requirements arising under those laws as well. Putting in a little bit of work on the front end will allow you to efficiently and effectively respond to security events when they occur—and they will occur.
Copyright © 2022 CounselorLibrary.com LLC. All rights reserved. This article appeared in Spot Delivery®. Reprinted with express permission from CounselorLibrary.com.
Hudson Cook, LLP provides articles, webinars and other content on its website from time to time provided both by attorneys with Hudson Cook, LLP, and by other outside authors, for information purposes only. Hudson Cook, LLP does not warrant the accuracy or completeness of the content, and has no duty to correct or update information contained on its website. The views and opinions contained in the content provided on the Hudson Cook, LLP website do not constitute the views and opinion of the firm. Such content does not constitute legal advice from such authors or from Hudson Cook, LLP. For legal advice on a matter, one should seek the advice of counsel.
CounselorLibrary is a collection of online complementary consumer credit compliance and privacy products, created, maintained and supported by the lawyers of Hudson Cook, LLP.
CounselorLibrary products and services are available directly through and from www.CounselorLibrary.com and are not legal advice. Counselorlibrary.com, LLC is an entity affiliated with Hudson Cook, LLP.