The Federal Trade Commission announced today that it is delaying the deadline to comply with proposed changes to its Safeguards Rule for six months, because there is a shortage of qualified personnel to implement the changes. The deadline to comply will now be June 6, 2023.
The Safeguards Rule pertains to protections that companies must put into place to safeguard and protect the personal information of their customers.
The FTC said it received a letter from the Small Business Administration’s Office of Advocacy that said the COVID-19 pandemic has exacerbated a shortage of “qualified personnel to implement information security programs and that supply chain issues may lead to delays in obtaining necessary equipment for upgrading security systems.” The letter, which was sent to the FTC back in August, said that smaller companies were going to have a more difficult time implementing the required changes because of personnel issues, lack of external resources, and the necessary equipment.
A full copy of the letter can be accessed by clicking here.
“Because of the economies of scale, less robust recruiting and human resources budgets, and the waiting period for equipment that is being obtained by the larger companies, the problems that are outlined in the letter are magnified for small entities,” the letter stated. “Small entities do not have the buying power of large companies or additional resources to pay a premium for equipment.”
Among the provisions that were due to go into effect on December 9 and will now be pushed to June are:
- Designating a qualified individual to oversee their information security program,
- Developing a written risk assessment,
- Limiting and monitoring who can access sensitive customer information,
- Encrypting all sensitive information,
- Training security personnel,
- Developing an incident response plan,
- Periodically assessing the security practices of service providers, and
- Implementing multi-factor authentication or another method with equivalent protection for any individual accessing customer information.