Air Date: April 5, 2023
The FTC Safeguards Rule, coming into effect on June 9, 2023, outlines encryption as a way to strengthen the security of customer data, both in transit over external networks and at rest. The new ruling widens the original scope of covered financial institutions and now requires compliance from non-banking financial institutions such as car dealerships, simply because they handle sensitive customer financial information.
Check out our latest Hash It Out session with Virtru leadership team members Brett McCrae, Sr. Director of Customer Success; Jordan Minter, Sr. Customer Success Manager; and Andrew Lynch, Vice President of Sales, as they shed light on what the FTC ruling entails and who it affects. They will also share lessons learned and best practices gleaned from Virtru customers, especially those in the auto dealership industry who have gone down the road of protecting customer data in compliance with FTC Safeguards.
Transcripts
Brett McCrae: Good afternoon, everyone. My name is Brett McCrae. I'm the Senior Director of Customer Success at Virtru, and today I'm joined by our Vice President of Sales, Andrew Lynch, and also Jordan Minter, who is a Senior Customer Success Manager on my team. We're here to talk to you today about the FTC safeguards rule. It's been a really interesting past year for us here at Virtru, learning a lot about this, meeting a lot of customers and prospects who are impacted by this rule and looking to comply with the requirements within that. It's a very timely topic, as we'll talk to Andrew in just a second. The deadline for implementation of this rule is fast approaching, and we wanted to spend a few minutes today just talking a little bit about the rule, how Virtru, how our products help customers meet the compliance regulations and criteria laid out by this rule. And then we'll talk to Jordan a little bit about how our customers are doing deploying our software, tips, tricks, and lessons learned as we've gone through this FTC journey with them. So, Andrew and Jordan, thanks for joining me today. How are both of you?
Andrew Lynch: Doing well!
Jordan Minter: Great.
Andrew Lynch: Thanks. Thanks. Having.
Brett McCrae: Great. Yeah,…
Jordan Minter: Yeah, for sure.
Brett McCrae: You bet, glad to have you. So Andrew, let's start with you. Let's pretend I know nothing about the FTC safeguards rule. Can you just give me the high-level view? What is it? Who does it apply to? And what should I be thinking about as I see this thing looming?
Andrew Lynch: Sure. The FTC safeguards rule is a rule that the Federal Trade Commission came out with. Actually, it was released in, I believe, 2003. It's been out for some time, it just has not been enforced yet. It's set to be enforced on June 9, 2023. The rule requires non-banking financial institutions to have measures in place to keep, essentially, customers', consumers' information secure. Information that is deemed not public, you know, anything you could not find from a basic Google search, for example. In the rule, it requires any organizations that fall underneath it to do certain things; several relate to what Virtru does. Some of those things include things such as implementing and periodically reviewing access control of your data, so ensuring you know where your data is and who has access to it. It specifically requires you to encrypt certain types of customer information, and there are some other things it requires you to do. For example, it requires you to essentially document your entire plan, do risk assessments, and adjust your program as things evolve. At a high level, it's built, it's out to ensure that, for people like you and I, when we're not working and we're regular old consumers, that the organizations we're working with, and perhaps giving some sensitive information to that we would not want posted on a Reddit, for example, that it is secure, and there are consequences if there are organizations that are not following those guidelines to ensure security and privacy.
Brett McCrae: Awesome. Thanks for that, Andrew, and you know, you leading part of our sales organization, you're getting a lot of inbound requests from prospects about this. Like, who are you hearing from? Kind of paint the landscape a little bit for us as to, you know, who we're talking to and who, you know, I know you mentioned some of the regulations there of who it applies to, but, but who's coming to Virtru and why?
Andrew Lynch: Sure. I think like any new rule, you know, here at Virtru, for example, we're not just an FTC safeguards rule software. We help organizations meet a wide range of compliance requirements. Just like any of those, every day new organizations are learning that they need to abide by one of them. So every day we're talking to new organizations that maybe just learned for the first time that they will have to fall under this specific rule. Some of those types of organizations include mortgage lenders, payday lenders, finance companies, mortgage brokers, auto dealerships, tax preparation firms, just to name a few. As you yourself have interacted with them, you could attest they have some sensitive information of yours, like a credit check number, social security number, your income, your social, date of birth, just to name a few. We've seen a wide range of organizations look into this specifically, and we're here to make it easy to meet some of the specific data privacy requirements.
Brett McCrae: Awesome. Thanks for that, Andrew. And I think you meant, you said like non-banking financial institutions, right? And I thought what was interesting about everything you said is, whether it's a mortgage lender, you know, or a car dealer, you're getting an auto loan or a mortgage, you know, a lot of these companies are processing a lot of your PII in addition to your financial information. So you know, I think it's a pretty broad, you know, regulation in that way. But I think that, you know, that non-banking financial institution piece makes a lot of sense, and thanks for highlighting those, those ones that you mentioned. So,
Andrew Lynch: Yep. Yeah, and real quick call out, of course: organizations would want to, on FTC.gov, ensure they are looking into if they fall within, under this and need to meet it. Those were just a few. By no means am I a compliance expert; those are several of the types of organizations that we're hearing from saying that they learned they need to follow this and they are looking at us to try and help them with it.
Brett McCrae: I think that's a great point, and, you know, one thing, and it might even be on the FTC website, is like businesses change, right? So you may be one business last year, you add a new service line, and all of a sudden you might fall into compliance, whether it's to this rule or some other rule. So I think that's a great call out that it's, it's something you need to evaluate periodically because your business changes, what your business does changes, and as it changes, and as, you know, the information you may be gathering from a customer or another company or, or whatever changes, you know, you're, you're subject to different guidelines, right? So I think that's a great best practice to highlight: number one, look at the government website. They're the ones implementing, or I should say developing, the regulation, and to evaluate yourself, right? Because things change over time. Awesome. Andrew, how do, how does Virtru fit in?
Andrew Lynch: Good question. So, just like, I would say again, most of these compliance requirements that we're helping organizations meet, we are just one small part. We're not a "buy Virtru and we are FTC Safeguards Rule compliant." Don't know of many softwares in existence that do cover everything. Of course, at the end of the day, the big part about meeting regulation is managing people, managing processes, ensuring those processes are followed. We can help with parts of them, some very important parts, but I wanted to share that from meeting with all types of organizations, I think most people fully understand that. Virtru helps specifically as a data privacy and encryption software to encrypt that customer information. There is a specific rule, I think it's rule 314.4 Section C, that essentially states that you need to protect by encryption all customer information that is held or transmitted by you that is in transit over external networks and at rest. So essentially, you need to encrypt that customer data you have both in transit and at rest. With Virtru offering end-to-end encryption, we can help you meet those encryption requirements. We also help specifically with the need to be able to control and audit that information, that data, throughout its life cycle and be able to specifically see or prove and control unauthorized access. And so Virtru, with our encryption, the Trusted Data Format allows someone to have complete control and oversight of their data throughout its life cycle.
Brett McCrae: Yeah, makes perfect sense, Andrew. But, you know, we're gonna shift to Jordan in just a second. But, you know, anything you've learned from all the prospects that you've talked to and those that have become customers, like anything that someone who's sitting there at their desk right now, saying, "Hey, I only have X amount of days to figure out how I'm going to implement this rule." You know, what would you, what would you say to them?
Andrew Lynch: I would say that, of course, it is a journey. It's not gonna be all that, probably, completed in one day. I think the organizations that realize they are going to need to look at several vendors to help with these requirements probably have it easier at the end of the day. Their expectations will not be as disappointed as someone who's maybe looking for an all-in-one solution. I will say with Virtru, we can help give you some easy, quick wins. We can help with those encryption requirements, and at the end of the day, Virtru is extremely easy to use. I think Jordan will hopefully talk about that, but consistently, when we are showing prospects and talking to customers about Virtru and how you use Virtru, I think they are always impressed with how we integrate directly into your mail client, and just how easy we are, so we can help you pretty quickly check the box with some of those, again, requirements, and not put a lot of onuses on your admins, employees, or people you're collaborating with. There are a lot of options for encryption, not as many with end-to-end encryption, but there still are some. Ultimately you're looking into a software that is going to be shown and you're going to interact with your customers with. I would recommend putting one in place where you're making it as easy as possible. If I were to get an auto loan, which I've done several times, it's impossible or really difficult to open the email that says if I got the loan and what the rate is, etc., I may not be as eager to get back to the salesperson and go back to the dealership and complete the paperwork, but if I can open it instantly and I don't have to jump through hoops, I'm probably going to be more excited. So ultimately, thinking about how you can align something like Virtru to your business objectives is realistic, and I think a lot of people like that specifically about Virtru.
Brett McCrae: Yeah, thanks for that, Andrew. I think two things that you said there that really resonated with me. One, it's a journey. You know, it's not, we're not climbing Mount Everest here. It's possible, it's doable, but it is a journey. It's not snap your fingers and all this, you know, or wave your magic wand and overnight you're ready to go. I think the other piece you mentioned is like, yeah, we are obviously a software vendor, we do, you know, data-centric security for emails, files and SaaS apps. And we play an important role in this, but we're certainly not an, you know, an all-encompassing solution for, you know, for this rule. So we're very much a piece of the puzzle. And I think that that's how, you know, if you're out there scratching your head saying, "What am I gonna do? How in the world am I going to figure this out in a limited amount of time?" Remember that it's a puzzle, right? And you need to fit, find the right pieces for your business and put that puzzle together. And ultimately that's how you're going to, how you're gonna get this done. Just like any other, you know, compliance requirement or set of regulations that you may have to follow. Um, awesome. So thank you, Andrew. Jordan, moving over to you, and, and just so everyone knows what customer success is: it's everything after the sale, right? So we have a team in place that is here to help you implement our software, train your users, talk to you about the technical details, the people details, all of those things. So if anyone's out there wondering, "Hey, I don't know what customer success is," in a nutshell, you know, we take care of you after you sign on the dotted line. So Jordan, you know, on the customer success side, you know, you've been handling almost all of our FTC safeguards customers, of which there are many. Just tell us a little bit about what those customers look like. Who are they? What sort of businesses are they? You know, what, what industries are they in?
Jordan Minter: Sure, no, thanks. Thanks for the intro. I mean, I'd definitely say the most notable has been the auto dealerships. We've had a lot of interest there and a lot of new customers come in in that vertical. A lot of them are just trying to get ahead of that, that June 9th deadline, make sure they've got all the boxes checked. Yeah, yeah. I would say, I would definitely say that it's mostly the auto dealerships.
Brett McCrae: Great, and Jordan, you know, as you've gone through the implementation process of Virtru, and now you've done it with a lot of these customers multiple times, how's it going? You know, tell me a little bit about what that experience has been like, both, you know, primarily from the customer point of view.
Jordan Minter: Yeah, I think, you know, every customer's needs are a bit different. You know, we've definitely had some of those white glove deployments, but you know, overall they've been able to turn around pretty easily. Most of them are very, very centered on client-side or server-side email solutions for file sharing or email workflows that they already have, to encrypt that information at transit and at rest. But you know, and these situations aren't necessarily unique for us, but they're relatively a new process to these customers. So there's a bit of, you know, I don't want to say handholding, but probably a bit of handholding, just to try to get them comfortable with this, and how it's gonna work and, and how it's gonna fit into the existing workflow. And they're usually pretty quickly surprised at how seamlessly and easily it can fit into those workflows already, and that, I think that's helped the process and helped people get really comfortable with it, businesses get really comfortable with it really quickly.
Brett McCrae: I think it's well said, Jordan, and the other thing that, you know, you mentioned kind of the, the depth and breadth of the customers that are using Virtru for this need. I think one thing that's easy for us to overlook but important to call out is not a single one of those customers' tech stack is the same. Right? Everybody is just different systems,…
Jordan Minter: Correct.
Brett McCrae: Different versions, Google Workspace, you know, Microsoft 365, Microsoft Exchange on-prem, and you name it. There's a lot of different combinations and permutations out there, you know. And I think it's been really helpful for us that what we can do is flexible enough to meet, you know, all of those different environmental variables.
Jordan Minter: Yeah, I mean, you know, whether, you know, they're leveraging a combination of just emailing, file sharing with Google and Google Drive, or, you know, they're leveraging some kind of CRM or dealer management solution, however they're doing business, Virtru will likely integrate very easily into those workflows. We have a stack of products, and so far they fit right in really easy, really easily and really quickly.
Brett McCrae: Now that's, that's great to hear. So, Jordan, this next question is a little more general, I think. But, you know, whether, you know, a customer's deploying, you know, Virtru software or some other software that they've bought to meet this need, what are some things that you suggest that, you know, administrators, security personnel, IT folks at some of these, you know, these, you know, let's just say auto dealers, for example, what should they be thinking about as this deadline's coming? They're trying to implement this software, be it Virtru or something else, like what should be on their checklist? What should be top of mind?
Jordan Minter: You know, I mean, just, how are you currently handling this potentially sensitive data? You know, again, is it, is it just email? Is it just file solutions? Is it a combination of the two? Are you leveraging a CRM? Are you leveraging a, you know, a dealer management solution? Where is that data now? And how is it being shared? It is really kind of, I think, the foundation of it. And again, once you kind of understand that, and we can talk through that process with you, it's really easy for us to identify, okay, you know, a combination of, you know, Virtru endpoint email protection with an email gateway and maybe Secure Share is going to work just perfect for this workflow. Or again, maybe, maybe we're going to talk an application gateway, to make sure that any type of SMTP relay coming out of those applications is protected. But fundamentally I would say, just, just starting to think about where that sensitive information lives, how it's handled today.
Brett McCrae: That's great. And, and you know, once, you know, once a customer identifies that information and, you know, starts to get software in place, again, be it Virtru or something else, you know, at the end of the day it's all people, right? It's people that have to use it, so could you talk a little bit about that aspect of it?
Jordan Minter: True.
Brett McCrae: Sort of the change management piece, and, you know, again, any guidance, tips, tricks, you know, points that you think folks should consider when they're, you know, because it's one thing to have the software, right? It's another thing to make sure it's being used. It's like having a full tank of gas and never doing anything with it, right? So what, what does that people implementation piece look like?
Jordan Minter: Yeah, again, I think it differs from place to place. You know, a lot of them, I would say, are used to seeing some kind of new security tool come in. I've compared it a lot to like the phishing button that a lot of people are becoming very used to. It's really just kind of educating your user base. "Hey, is this sensitive information? Does it need to be encrypted in transit? Is this a time for me to click that little toggle switch to make sure that that information is protected?" It's really just kind of educating that user base. With, during that onboarding process, providing those trainings, making sure that everyone understands and sees how really easy it is to use, but then on the back end having kind of that catch-all with the email gateway. So, you know, if a user misses turning on that, that toggle switch, that the necessary rules are in place to scan those emails and make sure that they're protected on their way out. Or maybe a warning pops up that says, "Hey, are you sure that this, you know, isn't sensitive information? And looks like it has a Social Security number, and should we encrypt this?" and it gives them the option to encrypt this. I'd say another thing that I've found is really helpful is custom branding. And when I say custom branding, just, just for folks listening, it's the ability to brand Virtru with your company logos and colors. This has been really helpful in streamlining the introduction of this tool to people that maybe aren't familiar with it, and specifically in those customer-facing workflows. Because, you know, I mean, I'm just making a name up, but you know, if ABC Car is working with a customer and they're sending them an email and all of a sudden they get an email that says Virtru, they don't, they don't, they don't know what that is. But with the custom branding, it's coming over as ABC Cars. They're seeing it as a solution within ABC Cars. It's more of an, you know, an easier transition into, "Okay, this is, I, I totally expected this to come from, you know, ABC Cars there. They really care about protecting my data. And I can open it very easily and respond very easily." I think that's been really instrumental, especially on, on the employee side, of helping these employees that are already talking to customers and making sure that they're comfortable receiving this and ingesting that information and being able to respond easily.
Brett McCrae: Yeah, I think that's a great point, Jordan. I mean, if you were, actually there's probably someone out here, out in the world, who's done this, right? But if you were to pulse the general American public about cybersecurity and… gave them a list of words that they think about when they think of cyber, probably phishing would be pretty high on the list, if not the top thing, right? And so I think anything that, you know, can add a little bit more legitimacy to the software that you're using, make it seem, not seem, but just, you know, have it be a part of your business, you know, branded with your logo, right, coming from you, ABC Car, whoever, you know, whoever your organization may be, helps a ton, and ultimately that makes it easier to use, and if it's easier to use, then it's easier to make sure you maintain compliance. Right? So it's very much interrelated. Although it may seem like just a widget or an add-on or a nice-to-have, it really does make an impact on the usage of the software and ultimately complying with the regulation. You know, there's one other thing I wanted to point out that you said that I think is extremely important. With the deployments we've seen, it's so important to communicate with your employees, right? To let them know that this is coming. You know, Virtru is so easy to use. Other tools are easy to use, but if employees don't know about it, they're never going to use it. And again, back to, it's not a great analogy, but if you have the full tank of gas and you never use it, then what good is the gas, right? You…
Jordan Minter: Right. Right.
Brett McCrae: So making sure folks are aware has been really critical and ultimately, you know, has led, I think, to so many of our customers having such smooth deployments, is employees know what's coming. They know what they need to do to comply. They know how to use the software, they know the dates. And then it's kind of, you know, it's kind of the snowball going downhill, it just picks up steam from there, and there's no such thing as a magic wand, but good communication helps, right?
Jordan Minter: Right. It's a change, and you know, change is different, change is hard, change is interrupting, but it flows really easily, and more often than not, I'm hearing the employees or the customers are very surprised at how light of a change or a modification it is. It's very easily folded into the existing workflows.
Brett McCrae: Absolutely. Well, Jordan, Andrew. We're running a little short on time. I wanted to ask you both one kind of final question. You know, give your 30 second overview, or not pitch, but kind of guidance to somebody who's looking to get in line with the FTC safeguards, what should they be thinking about, like final thought?
Andrew Lynch: I would say don't delay it. It's easy to put something on the backburner that seems like a lot of work, but you may need to meet it, and also you're doing a service to your customers to ensure you are meeting those requirements. And Virtru can help with a couple of quick wins when it comes to protecting your data and encrypting it and having oversight over it throughout its life cycle, and we will make the process extremely easy, and we have great resources, just like Jordan and the customer success team, to ensure that after you sign with Virtru, we're not gonna leave you hanging, and make sure that this process continues to be easy, and that we're gonna help you as much as we can.
Brett McCrae: Awesome. Thanks, Andrew. Jordan, what about you?
Jordan Minter: I would probably echo that. You know, originally I think the deadline was December 9th or something like that. I can't remember what the old deadline was, but, you know, and we had some customers get really close to that deadline and sign up. So there was kind of a sigh of relief when the deadline was extended. So I would echo, you know, don't wait until the end. It's a fairly easy process, but it's, it's much better to kind of run through it, understand it, get it deployed ahead of that deadline so that, you know, people are a little bit more comfortable, and it's not just kind of shoved down their throat: "Hey, we've got to have this in place right now."
Brett McCrae: Yeah, I think that's a good call out, that whether it's in software or anything in life, when you rush it, generally doesn't go the way, you know, the way you'd hope it would. I'll add one final thought before we conclude, and you know, it's this: I think compliance, sometimes, when you're in the business world, can be viewed as kind of a dirty word. Right. It's just another thing you have to do, and look, reality is you have to do it, and whether it's the FTC safeguards rule or HIPAA or see, you know, there's all kinds of compliance regimes out there across the board. I think the more you can remember and kind of remind yourself, if, if you get in one, you know, you're having a bad day and you've got to do all these things and you, how are you going to comply with this? You know, remember the goal of compliance is not compliance for compliance's sake, right? The goal of compliance is increased security. And I think that it's really important to remember that. That's the goal. And, you know, I'm certainly not the FTC, nor is Virtru, we're not speaking on their behalf. But the goal of this, in my opinion, is very, you know, set out by the FTC, is ultimately to protect consumer information. And if you protect consumer information, that's better for your consumers and customers, and it's better for your business at the end of the day, and again, regardless of whether that's this rule or any other, you know, compliance regimens. So it's not just compliance for compliance's sake. It's security. It's better for your customers. It's better for your business. So on that note, we're going to wrap it up for today. One thing I want to make sure that people know is, on the landing page for this Hash It Out session, you can sign up for a free coffee, so make sure you do that. Check it out. Have a little coffee while you watch the session or after you do. Thanks for your time today. Thank you, Jordan and Andrew, for being such great guests here on the Virtru Hashtag podcast, and good luck everyone. The deadline is coming up quickly, and let us know how we can help. Thank you.
Jordan Minter: Thanks.