Protect Your Business and Your Clients: Get FTC Compliant Before Tax Season - Webinar
Will Nobles: I see everybody is starting to
join. Welcome to the webinar
today. Brought to you by Vector Choice. Protecting your
business and your clients. Get FTC Compliant before tax
season. Again. Yes, I am talking to you, my CPA friends. I know
busy season is coming up for you guys. So, we wanted to give you some
things to think about as you guys are going into tax season today. My name
is Will Nobles. I'm the CEO of Vector Choice.
Will Nobles: And I've got my guest speaker here, Jon DePerro, Chief Compliance Officer here at Vector Choice. Jon, thank you so much for
being on today.
Jon DePerro: Good morning, Will. Pleasure to be
here.
Will Nobles: And Jon, so everybody knows a little bit
about Jon. Jon is I would say he's the retired genius. Jon, I'm
going to give you that name going forward, retired genius.
Jon DePerro: I mean, I used to be genius. But I'm not
anymore, depending on how you take it there.
Will Nobles: But Jon comes from a military background,
was in US Army counterintelligence working with the NSA and NATO. He
knows compliance. He does the things that we all hate doing is reading a
lot of fine print and a lot of legal terms and translating that to compliance
and what really it needs there. So, Jon is going to be a wealth source of
resources here on this webinar. A little bit about Vector Choice and the
team. So, we got Mike Bazar, our chief technology officer. Mike is
my business partner as well. We got Sarah Sawyer, Jon, which you just met,
and then also Beau Dickey which is our chief security officer. Our
management team is made up of Jake, Jon, Troy, Gabby, Brandy and Emma.
Will Nobles: They are the ones that take care of all
the day-to-day stuff in the business and make sure that our customers are
happy and we are actually taking care of everybody. I've had a great honor
to actually just hit, Jon, we just hit 15 years yesterday, 15 years in
business, and it's been a great honor because we have grown like crazy over the
years. We've made the Inc 5000, I think the past four or five years
now. I was honored in 2022 to get the Titan 100, which is the top 100 CEOs
in the state of Georgia. So we've had a chance to win all kinds of awards
there and I appreciate the team to be able to do that.
Will Nobles: So, we are now located in Lubbock, Texas,
in the west part of Texas there, but we have offices all over the place. So,
when you're talking about local, it doesn't matter where you send your check
to. We're local to these areas. We have offices, we have employees. We're
completely staffed in all these locations where we can service you and
everything from these particular locations. We have customers all across
the country in multiple states as well. So, Jon, why are we talking about
FTC? Why are we talking about it? What's the risk out there?
Jon DePerro: That's a great question. We hear tons of
talk about cybersecurity and ransomware and all these breaches and all these
problems. And the fact is, the ultimate bill payer for most of these big
commercial breaches is John Q. Taxpayer, regular people, so their data
is being stolen. And businesses large and small have largely ignored or
significantly underestimated that risk. And the federal government has now
stepped in the FTC. Just one aspect of saying, hey, companies who have
consumer data, you have to protect it. We're sick of you making bad risk
decisions and affecting our constituents. So the FTC and many others,
there's HIPAA, there's other ones out there, but today we're talking about the
FTC. They've created something called safeguards.
Jon DePerro: And the nickel version is if you're a financial
institution, and that's a huge definition to the FTC, but today, specifically,
it identifies CPAs and tax preparers. If you are a financial institution,
you must do about 20 to 24 different items in order to protect customers'
financial data. And why would a CPA be on this call? Why would
somebody listening? It's going to get expensive. A lot of companies
have said, well, the cost of compliance is more expensive than the cost of non-compliance. So,
the federal government said, no problem, we can fix that. We can make it
way more expensive to be non-compliant. And this is just the federal
government's costs. Right. We'll talk about class action reputation
issues later. Yeah.
Will Nobles: Jon, on the I see $100,000 per violation
here. $10,000, officer, director. Now, what is considered a
violation, and is it per?
Jon DePerro: Whatever the judge and jury say, whatever that
judge and jury know, it's kind of easy to laugh about now, but in Chicago, they
have another state level, but a similar thing around protecting people's,
biometric information, specifically. And White Castle, of all people, were
found to be violating it. They thought, well, that was $1,000 per
violation, meaning, like, per every employee. And the court came back, the
Supreme Court of Illinois came back and said, no, it's per violation. So
that went from being a couple thousand dollar fine to a multi-billion dollar
lawsuit. Right. So, per violation will be determined by the courts. But
that's only once you're at trial. And I'll give you an example what that
could look like if I put all my customer information in Dropbox, and I'm not
knocking Dropbox.
Jon DePerro: I'm not saying it's a good or bad product, but
let's say I do it in a way that is not secure, or I use QuickBooks online in a
manner that is not secure. You say that movement of data was one
violation. Usually, the courts are going to say every time you put
something in there. So how many times a day do you upload? How many
times a day do you email? How many times a day do you back something up to
your thumb drive? Most courts would look at every time you do it as a
violation. Now, blood from a turnip, if you have a five-person CPA firm,
you can't hit them with $5 billion in fines. Right. But the point is,
the fines are astronomically more expensive than remediation now.
Jon DePerro: And more importantly, there's $10,000 that will
be levied against the officers and directors. That doesn't mean you get to
file bankruptcy or quit or do cyber insurance. These are literal FTC
federal assessments levied against people. It will follow you wherever you
go. Yeah.
Will Nobles: So, Jon, let's talk about where FTC before
we even get into FTC, where did it actually come from? You want to talk a
little bit about this.
Jon DePerro: The roots of GLBA are from 100 years ago when
our financial systems were falling apart and there was fraud and people weren't
trusting banks and financial institutions. And then over the next few decades,
Gramm-Leach-Bliley is decades old. It's a very old law that regulates
consumer financial products and services. It's important to note that the
FTC safeguards do not apply to SEC regulated financial businesses, but they
apply to everybody else that the FTC manages. Today we're talking about
CPAs tax preparers, but it includes things like auto dealers, travel agents,
something called Finders, which is one that's going to blow everyone's
mind. We'll talk about that later. But it's hundreds of thousands of
businesses around the US that are going to fall under the FTC
safeguards.
Will Nobles: Jon, we do have a question, by the way,
guys, if anybody has any questions, please put them in the Q&A, and we'll be
monitoring that to get to you. So, we got a question from Tim
here. Is there an FTC.gov link that states these fines, or is there
something that has to be... Yes, there is.
Jon DePerro: But I've got my screen, so I can't get to it
right now. Tim, let me send it to you. Okay. All right.
Will Nobles: So, we'll definitely get that out if you
guys have that concern or those questions there as well. Safeguard Rules
let's dive into, you know, this is a legal standard, federal standard. So
talk about this a little bit.
Jon DePerro: Yeah, absolutely. Again, the nickel
version is you've got customers information as a CPA or what have you, it's on
you to protect it. Who decides the acceptable level of protection? Well, the
FTC is saying, well, we're going to create some minimums. These aren't
recommendations. These aren't guidelines. It's not a
framework. It's not ambiguous. They're giving very clear guidance as
to what firms are required to do to protect to reasonably protect consumer
information.
Will Nobles: And Jon, the next slide here just blows my
mind because I think about financial institutions. I think about CPAs or
accounting or hedge funds and stuff like that. But some of these things
where they fall under, it's amazing. Talk a little bit about this as
well.
Jon DePerro: Like I said, it's hundreds of thousands of
companies, people who aren't currently thinking of financial institutions,
right? So, the stuff on the left side of this slide is what people are
thinking. I'll shift to the right. It says automotive
dealers. Now, the FTC specifically called out automotive dealers because
they knew automotive dealers have been subject to a lot of compromise and
they're very hesitant to upgrade their technology. But aside from
literally saying automotive dealers, it really says organizations that provide
or arrange for financing, real estate agencies, non-operating leasing
companies. An operating leasing company is something like a Hertz rental
car where they're operating the equipment for you. You just have the car
for a couple of days. We're talking about things like, if you lease a
tractor trailer for your farm, if you lease heavy equipment for a
factory.
Jon DePerro: If you have a website and there's something
they call the Finder if you have a website. And on your website, we had a
client we're talking about today, Will and I, that's one of our
customers. They probably don't consider the FTC safeguards applying to
them because they're a veterinarian. But their website says hey,
shop. And when you click the Shop link, it takes you to a different company's
website for ecommerce. Well, you can make the case that makes you a
finder, meaning you're someone who uses your platform to bring it together,
buyers and sellers of services, even though you're not involved in a financial
transaction. It's a massive definition that I won't beat up today, but
it's hundreds of pages of law to define this.
Will Nobles: And I know we're talking about CPAs, but I
want everybody and especially the wire transfer and the Finder. Let's use
a few more examples of this. So, a wire transfer, if I am my company, if I
do a wire transfer to another entity or I accept wire transfers, does that make
me fall into this category?
Jon DePerro: Yes. If you regularly transfer wire
transfer money to and from consumers, what's the definition of
regular? Again, it's going to be up to the judge and jury, but I think,
you know, as a business owner, is it regular if you say, no, we only do it once
a year? My retort would be, but do you do it once every year? So, you
do it regularly? You do it once a year. So that is a huge one. A
lot of people think about just how you're getting paid. Forget credit card
rules and other banking rules. The fact you wire transfer money to and
from opens this up.
Will Nobles: And Jon, I know we use the veterinarian,
for example. But if I have a website and I'm publishing to sell a widget,
and I didn't develop that widget, but let's use it, for example, let's use
Vector Choice, for example, if I'm selling a Dell computer on my website, but
it's a link to my distributor for that, am I considered a finder at that
point?
Jon DePerro: I can say it depends because the non-answer
does nobody any good. But with the limited information you just gave me,
you meet the definition of a finder. Okay. And you'd have to be
compliant with FTC safeguards. Very nuanced question.
Will Nobles: If you have any particular questions,
we're going to have a link where you can schedule a ten-minute time with Jon to
ask him follow up questions and stuff. If you have concerns like the what
if situations and everything, we can definitely help you with that. Now,
Jon, I hear this a lot, especially from our smaller, you know, I'm too
small. And we hear this all the, you know, I'm too small to get
compromised. I don't have enough, you know, I don't need to worry about cybersecurity,
I don't need to worry about this compliant or this compliant, so forth. So
let's talk about companies that feel that they're too small. Meeting this
and defining this definition here.
Jon DePerro: So, the FTC does safety of under 5000 consumer
records. I'm not going to get into a super nuanced debate about how you
score that 5000, right? We can have a sidebar if someone thinks that
they're borderline, but let's just assume for today's discussion that you only
have one customer and you only have one record for them. That's
it. You can't be smaller than one. Right. You're a one person
CPA with one record. There's only one, two, four items that you don't have
to do. A lot of people think, well, I'm under 5000, they don't apply to
me. There are four items that don't apply to you. It's the risk
assessment being written, your pen test and vulnerability assessments, the
written incident response plan, and doing a report in writing to your board of
directors.
Will Nobles: If you guys are busy writing that down,
we're going to show that here in a second as well.
Jon DePerro: Yeah, everything else in FTC safeguard still
applies to you. I don't care if you're one person because it's not about
you. It's not about your business. Actually, I was on a different
webinar the other day and someone said, who's looking out for the little guy in
this? Actually, this is literally designed to look out for the little
guy. The little guy being the consumer, not the company who's failing to
protect their information, right?
Will Nobles: Yeah. And you see, there's two words
here, customer and consumer. And I think that's where I really want to
point out here to everyone is that a lot of CPAs we've talked to like, hey, we
don't have 5000 customers.
Jon DePerro: Right.
Will Nobles: And I want to be clear that it's not 5000
customers. And Jon, you use this scenario. If I have one customer and
they have 1000 employees, that technically is 1000 consumers from that
standpoint, is that accurate statement?
Jon DePerro: I would have said employees. I'll give you
a good example, one that is 100% true. Across the street from me is a
direct marketing printing firm. Right. They only have five or six
customers, but they have tens of thousands of consumers that they have their
data on that they do the marketing to. Right. So, their number of
customers is five or six, but they have consumer data for tens of thousands of
company people. Does that make sense? They're the pricing
company. They do the marketing.
Will Nobles: So if you do fall under this, make sure
it's not the number of customers that you direct customers that you
have. It's all the data of multiple people or consumers that you could
have inside that one customer.
Jon DePerro: Yes. And we don't need to go down to every
rabbit hole on the short webinar. If you're unsure if this applies to you,
reach out. Reach out. We're going to talk a little bit about the
qualified individual. So, we're going to circle back to this in a
second.
Will Nobles: Yeah, and Jon, I got a few questions here
for you. So, David asks, the screen says 5000 consumers, discussion said 5000
records. Can you clarify? Would ten tax records for a single client
be one or ten?
Jon DePerro: It depends how you received it. I mean, if
I have an image that shows one PDF that shows five receipts on it, that's one
record. If I have five receipts, that's five records. Let me just say
this. I have a QR code coming at the end. Let's maybe save our
question. Let's go through this and then we can do questions at the end
because some of this is going to get answered and some of it is, I think,
specific. And we can maybe use my QR code and we can jump on a call and
discuss it. Yep. Okay. All right.
Will Nobles: So, Jon. Why is it important to
businesses for, especially financial institutes? We're talking about CPA
accounting. I know it affects a whole wide range of types of clients, but
why are we talking about CPAs and accountants today?
Jon DePerro: First off, the FTC specifically calls you,
right, like car dealers. It looked at the hundreds of thousands of
companies that this is going to apply to, and they said there's a couple that
are probably going to think that they don't need to deal with this, so we'll
make sure it's really black and white and clear to them. This applies to
you. Second. CPAs have almost every piece of information you need to
steal people's identity, a taxpayer's identity. The amount of damage that can
be caused if the company that leases me my dishwasher the non-credit, like,
maybe they just gave me 90 days, same as cash when I bought a new dishwasher if
I didn't do a credit application with them. The amount of data they have
is probably not significant.
Jon DePerro: A CPA, anybody who's extending credit or
arranging for credit, meaning putting you and the credit institution
together. You have an amazing amount of consumer data that hackers and bad
hackers want, and it can be. I mean, think about what would happen if I
got all your financial info around taxes, Will. I can bankrupt you. I
mean, I can have life destroying consequences. You might not be able to
make medical bills. It can really ruin a consumer's life to have bank
accounts emptied and their identity stolen. And that's what FTC is
stepping this up and enforcement starting already.
Will Nobles: And Jon, why are we talking about this
now? FTC has been around for a few years. Why in 2023, end of 2023,
are we actually talking about FTC safeguards today?
Jon DePerro: Well, the current FTC safeguards took effect in
June of this year.
Will Nobles: June of 2023.
Jon DePerro: Correct. June of 2023. There are no
more extensions. No more. We have a plan. Those who kick cans
down the road, the end of the road was June. So if you haven't gotten compliant
with FTC safeguards, you're past that. Tax season is coming upon
us. The end of the fiscal year for calendar year based companies is right
here. Probably starting to get ready for it already. The next six
months is kind of going to be the heightened time for people to be intercepting
emails, phishing attacks. I mean, this is the busy season starting for tax
preparers and CPAs. So, if you haven't gotten this stuff fixed by now,
it's probably a really good time to at least take a look at having a plan for
it. Yeah.
Will Nobles: And Jon, how about people on this call
that are not CPAs or not accountants, but they obviously everybody, and I know
we all use CPAs, right? What are the questions we should be asking our
CPAs?
Jon DePerro: Let's go through what you have to
do. First question is going to be natural. Okay?
Will Nobles: All right, so let's talk about
upcoming. The problem that the financial institutes are running into,
right, is getting hacked daily, affecting millions of people's information, and
it's just going to keep getting worse. We talk about
cybersecurity. We talk about leveling up in your IT and your security
needs. Multiple layers of security. Jon. It's just the same
thing as I come into my house, right? I got cameras around my
house. I walk in the door, I lock the bottom lock, I lock the
deadbolt. I can set the alarm. I've got a dog and I've got a gun,
right? Multiple layers of security there. And I think what we're
really getting to is very specific when it comes to compliance and
security. Very specific of what the CPA and tax preparers have to actually
do.
Jon DePerro: That's a great analogy. And let's
remember, security and compliance are related, but they're really fundamentally
different things. Example, I know your dog and it ain't doing you any good
for security, right? That dog ain't help. But if there was a security
checklist that said you have to have a camera, you have to have alarm, you have
to have dog, you could check yes on the box. You have a dog,
right? But those of you who are on a lot of calls with me know my dog,
he's a shepherd, and he will rip your face off. Right? So there are
different levels of both of them were dogs, right? So, compliance is not
about necessarily securing your environment and preventing anything.
Jon DePerro: When we talk about FTC safeguards a compliance
program for it's for you to be able to look to the government, to your
customers, to the lawsuits, to your insurance companies, to your state
regulators, and say, I was doing everything I was legally obligated to
do. I was doing everything correctly. This is not
negligence. This is not willful disregard for the law. I was doing
it. Right. Whether you got Will's dog or my dog, the FTC saying you
got to have a dog, right? And it's a list of about 20
things. Ballpark 20. Yeah.
Will Nobles: So, let's talk about those 20 or so things
here. So here are some of the tools, right? Remember, it's really a
business solution or a compliance solution that sort of encompasses all
this. But let's talk about the tools real quick.
Jon DePerro: So, first off, these are kind of bullets, not
full definitions, right? So, let's not get too deep a dive into the
difference between a pen test and a VPN. But this is what the FTC is
requiring you to do. MFA. VPNs for remote access. You have to
encrypt all data at rest and in transit. And if you choose to put consumer
data in a third-party vendor, you're still responsible for making sure they're
encrypting it at rest. So if you want to use Bob's cloud service, not
Dropbox, a version of Dropbox, right? And they say it's encrypted, it's on
you to make sure it was, if they get compromised. MOVEit is a Dropbox
competitor. And I only mentioned Dropbox because people have heard of
it.
Jon DePerro: It's not an endorsement or criticism, but MOVEit
was recently compromised. States, I mean, like nation states, had lost
data. Canada health system lost a ton of data. They got absolutely
destroyed because the data was not actually encrypted correctly. They said
it was encrypted, but it wasn't. They are all responsible for what
happened in that ransomware. Well, it was ransom, but first it was stolen
unencrypted. So, you don't get to say, I put my data in this cloud
service. It's not my fault what happened to it. That is not how any
of the courts are working. You chose to put it there. You should have
made sure it was encrypted properly. Same thing with MFA. Well, I'm
using this third-party auditing tool. Okay. But you have to have
MFA.
Jon DePerro: If you're putting consumer data there, it's on
you to figure out how to do it. It's not the government's problem. Right. And
it's definitely not your customer's problem.
Will Nobles: So, Jon, I think two things people might
be wondering here is one, if the assumption, if I put it in the cloud, or if I
put it in an application, a hosted application, I am good. I can wipe my
hands and I'm good. Do I need this stuff? Even if I'm using a tool
that's cloud based, do I still need this stuff?
Jon DePerro: Absolutely. Third party and vendor
management is a huge part of an information security program, right?
Will Nobles: Pretty much. I think the misleading
that it's in the cloud, that it takes the responsibility of everything that's
in my office off of me.
Jon DePerro: Not at all. The fact is this data is
valuable. If I'm your customer Will and I hand you a diamond ring and I
say I'm going to pay you to clean it and to polish it and I expect it back in a
week and we sign it like we have a deal. It's good. And you go give
it to your bank to put in a safety deposit box. That would seem logical,
right? And that bank gets robbed and the ring is gone, who do I sue?
Will Nobles: You're going to sue me that you gave me
the ring.
Jon DePerro: I'm not saying you can't sue your bank, but I'm
suing you. So, this is a compliance issue. If you were required to
ensure that my ring was encrypted, what you chose to do with it, is that's a
lawsuit between you and them, you're still responsible for it,
right? Yes.
Will Nobles: And so I'm assuming, let's say we're
putting things in the cloud. I'm assuming a customer can come and ask that
third party vendor, can you show me proof of XYZ? Right. Can you show
me that you've done the proper measures?
Jon DePerro: Yeah. And that's why some companies charge
$100 for a license and some charge $50 and some are free. Sometimes you
get what you pay for. Right. Microsoft, we all use Microsoft,
right. They're very good at shared responsibility matrices and
attestations of what they're doing for what level of service you're paying
for. Right. This is why Windows Home Edition is a lot cheaper than an
E3 or Business Premium license because you don't get a lot of that stuff. Right. So,
if we're doing your Office 365 environment, there's many different licensing
levels, as those of us in IT know, and maybe a CPA doesn't know all these
different things. They just went to Best Buy and got they just thought all
Windows was Windows. Right.
Jon DePerro: This is why one of the most important features,
and we're going to talk about in the next slide here, I think, is having a
qualified individual to manage your Information Security program. The
first thing they tell you need is a qualified individual. So, I'm guessing
that FTC learned something from, you know, the HIPAA officer and a small dental
practice is, you know, the office, right, who has no training in HIPAA and no
training in cybersecurity and no training in compliance. Right. But
that's who's responsible. And then things don't go well and that poor lady
is sitting there going, I didn't know and it's not her fault, right? The
booger has proverbially been flicked at her. What the FTC is telling you is you
have to be qualified to manage the information security program. And not
just today.
Jon DePerro: Actually, when you get into the full language,
it says you have to make sure that person stays trained and current because
the industry is always changing. Cybersecurity is always changing.
Will Nobles: Right, yeah. Previous slide, I said,
but right, the 5000 consumers, this list here is even if you're under that
5000, if you're a CPA firm with one client and one record, right. You're
still required by FTC to maintain these line items here.
Will Nobles: I think that's the important piece that a
lot of people forget. Like Jon said earlier, only a few of them are not
required if you're under that 5000 consumer. But these are still
required. Correct me if I'm wrong, Jon, all this wording is coming
straight from the FTC site, and everything correct verbatim. You talked a
little bit about the designated qualified individual, right. What really
makes a person so besides saying, okay, I'm the owner or I'm the practice in a
healthcare practice administrator, but I'm the office manager, what makes them
qualified?
Jon DePerro: That's a great question. Actually, we talk
about this a lot. I think the FTC did not want to endorse specific
certifications like Security+. They didn't want to put a certain level like you
have to be a CISSP or CISM. I don't think they wanted to endorse because
those are all run by private companies, right. Nor did they want to put
some kind of degree requirement. I think essentially what qualifies you as
an individual is that you've had formal training and you've had
experience. And that it's reasonable that a jury of plumbers and soccer
coaches and stay at home moms and retirees and normal people would look at the
qualified individual's resume and say, yes, it's reasonable to assume that
person knows how to manage all the tasks that are below on this list.
Jon DePerro: What is not reasonable is someone who's been
running a roofing company for 20 years and is really good at
roofing. There's no reason I would think that you understand how to create
and manage an information security program. Right?
Will Nobles: And where does this come in? We talk
about overseeing service providers. Where does that really come in and
what does that mean to the CPA firms?
Jon DePerro: The FTC has also kind of already predicted
a defense, you know, they kind of already figured out what people are going to
say. And again, I think they looked at HIPAA and said, why did HIPAA
fail? Because everyone just blames their cloud service provider. You
don't get to just blame. The FTC specifically says it's your responsibility to
oversee your service providers. Whether that's your managed service
provider, like Vector Choice, whether it's your accounting software provider,
it's your job to make sure they're doing their job right. You chose
them. Of all the companies on the planet, you went with them. It's
your job to oversee them, right? So picking the right service
providers.
Will Nobles: Jon, and this may be a question that might
be too specific, but David's got a question here. If a customer has a
direct relationship with Intuit, I'm assuming they're QuickBooks. I'm just
going to assume here they control my access. So, let's say David's, the
CPA and they control the access to their account, is there still liability when
the relationship with Intuit is wrecked? Not through the CPA?
Jon DePerro: Yes. And David, at the end there's going
to be a QR code. Let's you and I talk more. I'm assuming you're a CPA
that is doing work for a company that just needs extra help, right? So
email me at the end. You'll get my email here. David, the nickel
version is you forget that you have to encrypt at rest and in transit. And
there's some things about the machine you're using to access their
environment. So, simple answer. Yes, but call me, we'll walk through
it.
Will Nobles: I do get questions. Is this being
recorded? Absolutely, it's being recorded. It will be published to you
guys. You guys go back and watch. It'll be on our website as well for
that. Okay, so how to comply with the new standards, CPA firms and for
accounting firms, what do they need to do to actually comply?
Jon DePerro: The first thing you need to do, and I know it's
bullet four on here, but the first thing is you need to have that qualified
individual identified. Everything else fails after you can't do anything
else, right? It's like saying we're going to create a football
team. I would probably argue the first thing you need is a coach who's
going to put a team together and come up and play, right? Or you're going
to create a new company. The first thing you want is a CEO or a president,
some leader, right? Anything you're going to do, you need the person who's
going to be in charge of doing it identified. Once you've identified that
person, you need to understand what data you have, where it lives, how it's
used. Right. You need to understand what your obligations for that
data are.
Jon DePerro: And we're talking about FTC safeguards mean
some of them overlap, like the IRS's tax preparer, the online tax preparer
standards. Understand all your obligations. And one thing a lot of
companies shoot themselves in the foot with is not disposing of things
properly. If you don't need it, get rid of it. Stop trying to secure
it for the rest of life. Once something doesn't need to be stored
anymore. Get rid of it. And people don't think about all the places
they have their data. Well, they say, well, we've got MFA. You can't
log into a computer without MFA. And we got everything in our OneDrive,
let's say it's 365 and everything's in SharePoint. And you got to have MFA
to get to SharePoint. So we're good here. And we do red team testing. It's
a separate issue every time.
Jon DePerro: Well, I go to Best Buy, I buy a laptop from
Best Buy and I go to 365 online and I can almost always log in through the
online portal without MFA and like, oh, we didn't think about that
one. Right? Because this is not what you do back to your qualified
individual, right. The reason guys like me and Beau can typically get around
your stuff so quick is because we've been doing this a long time,
right. We spent years at the NSA, probably have seen your security techniques
before, right. And we know which are good and which are bad. And this
isn't about security again, right? This is about am I doing all the things
the FTC says I have to do?
Jon DePerro: Not from my opinion, but from the opinion of
people who wrote the FTC safeguards, from the opinion of a judge or jury who
are going to define if I was being negligent or if I willfully
disregarded.
Will Nobles: And disposing as well, Jon, in this
insecure manner. I think that even goes down to the actual hardware piece
of it. As you know, make sure that the hard drives are disposed of properly inside
the computers and stuff, and I won't go into the technical piece of that. But
that's something that you need to be paying attention to as you decommission
old equipment. Jon, we have got a question here. Do you have a written
security plan template for your clients? We do have a written security
plan, but it may need to be updated to meet updated requirements.
Jon DePerro: Yes.
Will Nobles: So that's one of the things that we do for
our clients: we do compliance as a service where we can act as this for
you. So, your qualified expert, we're going through. So if you look
at.
Jon DePerro: I don't know what anonymous does. I don't
know if they're a CPA, I like their operational security. I like the fact
that they're staying anonymous and not like admitting something. I'm
actually a big fan of what they're doing. The simple answer is, yeah, of
course we have written security plans. That's what we do. If a
company needs help updating theirs, get on my link and I'll be happy to talk
about it.
Will Nobles: All right, so what are the risks of not
being compliant? Obviously we talked about the penalties, right, Jon? We talked
about the financial side of things, but, you know, a lot of people forget their
reputation. You know, what happens in your community, in your city, your town,
when you actually do get compromised? How does that hurt your business, and
class action lawsuits as well? Jon, you want to talk a little bit about that
for me?
Jon DePerro: Yeah. We had a slide earlier about the
financial penalties that come from the, you know, the fact is, the FTC only has
so many people who can do investigations and issue penalties. And there's
hundreds of thousands of companies in the US. The odds that you'll get hit
with an FTC fine might be low just based on that math. But here's the
problem, is when a plumber decides to take Square and credit card payments, and
so to make it easier on his customers, and his phone gets hacked or left in an
Uber. And there's a problem when he's in front of that judge and jury, and
he says the website for Square said it was secure, and I don't know. And
iPhone said it's encrypted. Like, I didn't know. I thought I was
doing everything. It's a real sympathetic message, right?
Jon DePerro: It's a plumber who's just trying to take credit
cards on his phone to help his clients out. When you're a CPA and your
entire industry knows about FTC safeguards, you can't go to a CPA trade show
event website without somebody seeing an article about FTC safeguards, and
you're not compliant. You don't get to say it's because you didn't hear of
it. You didn't know. The other attorney is going to make the case that you
were trying to be cheap instead of compliant. You were trying to save
money instead of protecting your clients. You were trying to prioritize
profits over your legal responsibilities to consumers. It's not going to
play well for a jury. It is just not. In fact, you're not going to
trial because every lawyer on the planet is going to have you settling as fast
as possible.
Jon DePerro: There's a huge difference in these class action
suits for industries that are regulated and are told exactly what they need to
do and choose to ignore it, versus industries like a plumber who's just trying
to do his business and doesn't understand cybersecurity. Finally, that
reputation damage. I use Uber as an example. Those of you who know me
know my travel schedule, and Will's schedule too. Like, we travel a
lot. But I won't use Uber. I won't use Uber. They didn't just
have a security breach, they lied about it. And their chief information
officer was literally sent to prison over how bad they lied and hid the
information from the government and the insurance companies and their
customers. I will never use Uber again. I won't buy a Volkswagen. I
wasn't going to buy one anyways.
Jon DePerro: But because they literally had institutional
fraud about what their emissions were. And it's not necessarily that I
care if it got 24 gallons or 26 gallons. It's that I can't trust anything
Volkswagen says about their cars, right? Whether it's 0-60 time, which
I think is just eventually. But I can't trust anything Volkswagen
says. They got busted for lying and being fraudulent in their
compliance programs. So those are two big companies. I just can't do
business with people that I can't trust. We're the same way. IT five,
six years ago was just a commodity. It's just this thing. I just need
email. I just need a file server. It's become commoditized. I
don't find it impressive for us to tell our clients, hey, every time you hit
send out an email, it'll probably get where it's going. It's just assumed
that it works.
Jon DePerro: Right. What people really rely on Vector
Choice for is that we understand their business goals and that we help them
make informed risk decisions and help them stay within acceptable level
risk. Not saying bad things will never happen, but the bad things happen
outside of the window you were okay with, right? Or I should say, within
the window you're okay with. If that stops being true, we lose that trust,
faith and confidence. Right? We have that same reputation.
Will Nobles: Jon, you know, before I go to the
next slide here, a lot of people say, well, there's a lot of compliance out there,
and I'm going to use New York, for example, right? If a CPA firm in New York
takes credit cards, they have to be FTC Safeguards compliant. They have to
be PCI compliant. They have to be. Was it the New York Safe
Harbor? Is that what it's called, the SHIELD Act? And also comply with their
cybersecurity insurance. So you can have multiple compliance requirements.
Jon DePerro: Most companies do.
Will Nobles: Oh, yes, absolutely.
Jon DePerro: In the local state?
Will Nobles: Local, state. All states now have
their own version of some kind of cyber act.
Jon DePerro: Yeah. There's not a state in the union
that does not have incident reporting codified in law. So even if it's
just, if this happens, here's what you have to do, right? And they have
specific people to notify and timelines. And all this gets back to your
qualified individual, right? Qualified is not, I worked at the big box
electronics store setting up consumer TVs for a year, so I guess I
can set up your network for you, right? This gets back to qualified for
your business, for the type of work you do, the type of data you have, the type
of clients you have, who actually has the background to set up and manage your
information security program for you.
Will Nobles: So, you're probably wondering, okay, well,
how can Vector Choice help? So, one, we can help you meet your
cybersecurity requirements. We can go and do a free pen test and a
vulnerability scan for you to get a preliminary of what you have and what's
going on in your environment. I don't care if you're a current
customer. I don't care if you're someone that's just listening to this
webinar or if you actually have your CPA firm you're like, I need my CPA firm
to get checked out to make sure that they're actually doing what they should
because you want them to protect your data as well. We can do compliance
as a service for you. So, we can make sure we give you that key
person.
Will Nobles: We make sure you're actually giving these
reports where we can show that if something does get compromised, hey, this
company, this CPA firm was compliant at this snapshot of time,
right? Compliance is an ongoing basis. It never stops. So, you
can be compliant today and out of compliance tomorrow. So, it's a snapshot
of time. We can help you with your access control. We can help you
understand the laws there and sort of the wording of the documentation that
they have. We can help you protect your data, the IT side of
things. We can give you employee training and keep your employees trained to
make sure you are meeting all these types of requirements. So really, what does
it come down to? Why would you choose Vector Choice over someone else to do
this for you? One, we know what we're doing, period. Hands
down.
Will Nobles: We have a global presence in the United
States. We can cover you no matter where you're at. We not only know IT,
right. When you're talking to an IT vendor, you don't want someone that
just knows IT. Like Jon said, IT is a commodity. Anybody, I wouldn't
say anybody, but anybody can do it. But then you've got the cybersecurity layer,
a layer of cybersecurity on top of that. You have to have experts to be able to
understand, and really understand, the cybersecurity aspect of things. And
then the third layer is that compliance piece, right? Do they have a chief
compliance officer? Do they have a compliance team in house? Do they
even know what the FTC is?
Will Nobles: I actually was talking to an MSP, coaching
the MSP, a managed service provider that was backed by a CPA firm, and the CPA
firm or the IT provider did not even know what they know. Are they able to
talk the talk that you're actually going through and the concerns that you
have? Our quality of service is unmatched. My team was telling me the
longest hold time last week was 38 seconds in our service queue. The
longest hold time. So, we're answering the phone very quickly to get you
these answers. We're making sure that you are compliant with every change. I
don't care if you're doing PCI or HIPAA or you've got a local state
requirement. We're looking at all of that from our compliance team
standpoint as well. So, Jon, I'm going to throw it up here, ask any
questions.
Will Nobles: I got a few more slides here left, but any
final questions that you guys have for Jon that maybe we can answer while we're
on the call again, we can set up a one for you to talk to Jon more in detail
about a custom situation. And while we're looking for questions, come
in. Bottom line, guys, just because it's in the cloud does not mean it's
secure or backed up. Just because you don't have the data at rest at your
office does not mean you're not required to do this. Just because you have
under 5000 consumers in your database does not mean that you're not required to
do these things. Unfortunately, you are required by law to do these
things. And we're just here sharing that message to you guys.
Jon DePerro: And again, remember, don't shoot the messenger,
okay? But the FTC made this rule to protect citizens, not small
businesses, right? The rule was not written with how much this will cost
you in mind. It was written of what needs to be done to protect
people. That being said, I know some of our CPA firms that have gotten
compliant are using this as a marketing tool, right, as a differentiator, why
you should hire them instead of the other firms. And I'll even help CPAs. If
you're a CPA, reach out to me, I'll give you bullets. Like what you
tell your prospects: ask your competition, ask to see these three
things. If they can't show it to you, they're not compliant, they're not
protecting your data. They shouldn't even be a candidate for this proposal
because they're not doing it right anyway. Right?
Jon DePerro: Email me and I'll give you those three
things. Yeah.
Will Nobles: And that's where, guys, you can use that as
your unique selling proposition to your clients. If you're a CPA firm on
here, this is what makes you different in the marketplace. I think IT and CPA
firms are about the same. They're a dime a dozen.
Jon DePerro: Right?
Will Nobles: But what makes you unique as a CPA and I
think Jon's bullet points will definitely help you there. If you know a
CPA firm or accounting firm that needs this or you're worried about your CPA
firm, hey, refer that to us. We will get you some gifts there and send
your way as well. And then, final and last, if you guys are interested in
just doing a call and talking to us about the what-if questions, if you want to,
email us at info@vectorchoice.com. If you want to take us up on this special
today, a free assessment, free pen test on your environment to see where you
stand and where we need to take you to the next level.
Will Nobles: Again, if you're a current customer or
someone on here that's just listening for the first time and didn't know who
Vector Choice was, take us up on this offer. We would love to be able to
show this to you and give you some information back. Again, to Jon, thank
you so much for being on today. Thank everyone for listening. Jon,
I hope everybody enjoyed Jon's dictation of FTC safeguards. I appreciate
it, Jon.
Jon DePerro: Thanks.
Will Nobles: All right, guys, have a wonderful
day. Thank you.