November 9, 2023

Listen to “Ep: 125 – Understanding the New FTC Safeguards Rule: Key Changes and Requirements Explained” on Spreaker.

Episode Description:

Tune into an insightful conversation with Jeremy Price, co-leader of a national cybersecurity practice. In this engaging discussion, Jeremy explains the updated FTC safeguard rules that went into effect in June and what they’re intended to do. In this episode, your host, John Verry, and Jeremy Price discuss:

– The Gramm-Leach-Bliley Act updates and how they affect financial institutions and companies that offer things like consumer financial products and services
– The extended and new definition of financial institutions
– How to determine whether or not your company falls under the new definition of financial institutions and what that means for your business
– And more!


CBIZ Podcast Episode 125 Transcript:

Hey there, and welcome to yet another episode of the Virtual CSO Podcast. With you as always, your host, John Verry, and with me today, Jeremy Price. Hey, Jeremy.

Jeremy Price (00:42.53) 

That’s right.

Jeremy Price (00:57.57)

Hey, how’s it going, John?

John W Verry (01:00.101)

It is going well, end of a long day. Looking forward to the conversation and then wrapping it up. So I always like to start easy. Tell us a little bit about who you are and what is it you do every day.

Jeremy Price (01:12.302)

Sure.

Well, first of all, just thanks for letting me join you on the podcast. This should be fun. Um, so, uh, again, Jeremy Price, I’ve spent about 16 years doing IT infrastructure and security management, uh, for various, uh, companies. And about eight years ago, I decided to kind of make a career shift and I moved more into a client service, um, role where we perform auditing and consulting around cybersecurity data privacy.

like that. So at this point I’m a co-leader of a national cybersecurity practice. We help our clients with regulatory obligations, standing up cybersecurity programs, you know, doing it through the lens of audit, I guess you could say, in many instances, and then just general consulting as well.

John W Verry (02:08.98) 

So I always ask, what’s your drink of choice?

Jeremy Price (02:15.931)

I am a bourbon lover. I think you might be as well. I also like IPAs. A friend of mine just bought me a bottle of Blanton’s back from Japan. He was on a private flight or a private jet and so he gathered up about 10 bottles of bourbon and handed them out to his buddies. As you know, that’s hard to find.

John W Verry (02:35.777)

So I hang around with the wrong people because none of the people who I hang around with might travel on private jets.

Jeremy Price (02:45.008)

Um, you know, my wife, I’m sorry.

John W Verry (02:48.304) 

Can I be his friend? Will you introduce me to him? I mean, he drives on, he flies on private jets, and he gives people bottles of Blanton’s. I mean, that’s my kind of friend, Jerry.

Jeremy Price (02:50.774)

Sure, we can do that.

Jeremy Price (02:56.446) 

Yeah, no kidding. He’s a good guy to know. Yeah, my wife wants to go to Napa because she loves wine and I keep telling her that I want to go to the Bourbon Trail.

John W Verry (02:58.817)

So, uh.

John W Verry (03:05.121)

I think you should go do both, but if you do Napa, I like Sonoma better than Napa. I mean, Napa’s cool, but if you go up and loop back around and come down to Sonoma, the Sonoma side is so much prettier, so much nicer, so much more chill. It reminds me a lot more of Italy, like I’ve done the Tuscany region of Italy, some great wine there. And Sonoma made me feel a lot like that. And then on the bourbon side, I was on a little bit of R&R last week.

Jeremy Price (03:11.638) 

Yeah.

Jeremy Price (03:22.883)

Yeah.

John W Verry (03:33.885)

And so I bought a special bottle to try. And I bought a bottle of Widow Jane, is one of my favorite mainstream bourbons out of Brooklyn. And I bought a bottle of their Lucky 13. That was fun and pretty darn good.

Jeremy Price (03:44.194)

Yeah.

Jeremy Price (03:49.064) 

Awesome.

John W Verry (03:49.961)

All right. So that’s not what we’re here to talk about, though, right? We’re here to talk about some new regulations. So, it’s kind of interesting, right? Our financial systems, I would argue anything associated with the banking industry has probably been one of the most highly regulated elements of our industry, regulated by a regular government, regular alphabet soup of government agencies, the SEC, OCIE, FDIC, you know, all those organizations. In 2021,

Jeremy Price (04:17.442)

Yep.

John W Verry (04:19.36)

the FTC updated safeguard rules in a manner which I think is going to have a lot more impact than most people realize. And that just went into effect, if I’m not mistaken, in June of this year. So let’s start simple. What is the FTC safeguards rule and what is it intended to do?

Jeremy Price (04:39.823) 

So it’s a good question. So, you know, the GLBA or Gramm-Leach-Bliley Act.

is essentially what we’re talking about today. It’s governed by the FTC, but the actual act itself, it requires financial institutions. It’s been around for a while, but as you said, it was updated and that’s the key to this. So it requires financial institutions, companies that offer things like consumer financial products and services to implement safeguard rules. So the term safeguard is fairly standard.

in the regulated industry, HIPAA has safeguards, et cetera. So, you know, I know we’ll dig into what the actual safeguards are, but essentially they’re, you know, the GLBA through the FTC is looking for a wider array of entities than previously under the act to implement administrative, technical, and physical safeguards to protect consumer information.

but.

Organizations are getting hacked left and right. Hackers are getting smarter, more creative. I think AI is gonna bring in another wave of new things, new attack vectors and whatnot. So, you know, many of these regulatory standards that have been out there, we’re gonna see waves of updates to them. We’re seeing new data privacy laws come out in different states at this point. So GLBA is just another one to add to this big list.

Jeremy Price (06:19.24) 

It’s forcing organizations to protect individuals’ data. This particular instance is really more around your personally identifiable information as it relates to financial services, if you will.

John W Verry (06:36.785)

and to be clear for the folks listening. So I always look on and you see the safeguards. Safeguards are just information security controls.

Jeremy Price (06:44.242)

Yeah, yeah. I mean, at the simplest form, it’s, you know, ways to technically secure, physically secure, and administratively secure environments, so that the data that you hold on your consumers or your customers is protected.

John W Verry (07:03.029)

So you know, you use the term financial institution in your definition, because that’s the way it is defined. But I think that is the root of the now broader impact. So how does the new FTC safeguards change the meaning of that term financial institution? I think in a way which is gonna have the broader impact that we talked about at the start of the episode.

Jeremy Price (07:26.962) 

Yeah, so it’s interesting. I mean, I think traditionally we would have thought about banks, credit card companies, the big places that are holding money and people are getting loans from. But it’s been pretty drastically extended. So the definition of financial institution is anybody that’s providing a financial product or service to consumers. So that’s loans, investments, advice.

insurance. So we’re seeing that they’ve given kind of a list. There’s a pretty extensive list on the FTC’s website that people can go out and take a look at if you want to find out if you’re on it. But one of the ones that was kind of surprising to me was automobile dealerships. So now if you go in and you buy a car from a dealer or you lease a car for more than 90 days, I guess under 90 days they’re considering that to be a rental.

But if you’re purchasing a car and they’re gathering that financial information on you, how much money do you make, how much money does your spouse make, how much money do you have in your bank, whether you’re purchasing an outright or getting a loan, they’re now required under the FTC to follow these rules and to have these safeguards in place. One of the caveats to this is that if you’ve got less than 5,000 records, then the first

rule may not apply to you. So you know one of the one of the areas that I’ve spoken with a number of people about is like tax preparation firms. So you know your CPA that you may have do your taxes. They technically have to follow GLBA because they’ve got financial information on you. Now if that’s a single-person shop you know if they service less than 5,000 clients in

there’s the potential that they wouldn’t have to follow this. But I would definitely advise anybody that has questions on it to seek legal advice. Again, visit the FTC’s website. Contact one of your trusted advisors if you will to make sure that you’re in the know and not going to find yourself in a place where you were supposed to be following the regulation but you weren’t.

John W Verry (09:53.353)

Yeah, I was going to ask you the question as to how would you determine that, right? I think, you know, the first thing is go to the FTC website. I think the section that covers this is 314.2. And then on top of that, I agree with you completely. You know, at the end of the day, probably your legal counsel, you know, somebody should formally opine on those definitions and if they apply to you. So that way, you know, you don’t run any unnecessary risk.

Jeremy Price (10:04.406)

Thank you.

Jeremy Price (10:19.71) 

Yeah, absolutely.

John W Verry (10:22.713)

So you mentioned the concept of PII. I think FTC safeguards refers to that as non-public personal information. So let’s talk a little bit about that. How does the FTC define non-public personal information and what might be some examples that people would be familiar with?

Jeremy Price (10:30.84) 

Right.

Jeremy Price (10:39.914)

Okay, so I think a lot of people in the world are familiar with the term PII, personally identifiable information, your name, your address, your social security number, things of that nature. So the FTC is a little bit more concerned with personally identifiable financial information. So this is information about your financials that would not be available publicly. And I kind of had to sit back and think about that a little bit.

Why would anybody’s financial information necessarily be out there? Well, there’s people that work for, you know, state agencies where their salaries are published and things of that nature. So some of those if you think about you know a teacher or their

pension systems or some of that stuff is publicly available. So there could be some loopholes in that. But for the most part, you know, if you’re obtaining information through an application for a loan, for a credit card, or any other financial product or service, you know, such as tax preparation or legal, you know.

investment advising, things of that nature. They’re wanting to make sure that those organizations are securing that information, account balance information, payment information, credit card purchases. Any of that financial transaction is technically in scope for this. I think one of the things that was new, we talked about how oftentimes

technology advances, you know, when this law was first written, nobody probably thought too much about the internet and cookies more specifically. You know, a cookie is a little piece of code essentially that can be loaded into your browser to track or to collect information on you. So if you’re in a business that’s a covered entity under this, providing financial services

Jeremy Price (12:40.624)

people through cookies, then that particular information is also part of the rule. So the bottom line is if you’re a covered entity under the GLBA and you have information on your clients, you need to find ways to protect it. There’s very prescriptive ways, which we’re going to discuss later on, but you have an obligation to protect the information that you’re collecting on these consumers or individuals.

that you’re doing business with.

John W Verry (13:12.425)

Yeah, there were two things that struck me. Um, one was the cookie. Uh, and, and that’s obviously a nod to, uh, things like GDPR and CCPA, right. Which also cookies or something specific. The other one was that the fact that somebody is a, is a customer of yours, right. There’s someone that consumes your product or service, you know, just, just the existence of that, you know, I thought that was, uh, you know, potentially a high bar, right. You know, uh, and, and it gets interesting as to what, how you define that.

Jeremy Price (13:21.901) 

Yeah.

Jeremy Price (13:31.287) 

Right.

John W Verry (13:42.157) 

So it’s going to be fun. So, you know, anyone listening? Oop.

Jeremy Price (13:44.03)

Yep, it’s definitely going to be.

I was just going to say, I think a lot of the big, big businesses out there, your banks, your credit card processors, they’re doing a lot of this stuff already, the safeguards that is. Where this is really going to hit home is, and to your point, there’s organizations out there that may not be considered large business, but they’re consuming large volumes of data. The implication to them from a fine perspective and whatnot, and then just the controls and

program put in place could be fairly significant.

John W Verry (14:21.802) 

Yeah, so let’s get there. So if you determine the program applies to you, there are nine main requirements that are outlined. Let’s kind of walk through them just briefly, right? Just touch on them briefly.

Jeremy Price (14:33.774) 

Sure. So I kind of want to start with this though. So yes, there are some, as you alluded to, nine requirements that need to be performed. But like a lot of regulations, they don’t tell you, you must do x, y, and z. There’s a little bit of, you know.

unknown in what gets you compliant and what doesn’t get you compliant. The way I always like to talk about this with HIPAA, which is kind of a similar rule here, is think about the level of due diligence that you would be required to perform if you were a hospital versus a small dermatology clinic, for instance. There’s going to be a significant

Jeremy Price (15:26.76)

process technology that have to be put in place to get a cyber security program that will cover all these safeguards appropriately at a hospital. But a small dermatology clinic with one doctor and a couple little op rooms, you know, they’re not gonna be expected to do the same thing. However, they have to do something. If you don’t do anything, you fall into a category of what they call willful neglect. So if you’re not doing anything at all, the regulators are gonna, and you have an incident occur, the regulators are going to impose significant,

So, you know, you’ve got to kind of risk assess this and think about what size of business are we, what kind of data do we hold, what’s the volume of data that we hold before you really think about how you’re going to implement the safeguards.

So, you know, kind of jumping into what these safeguards are. So the first one that we’ll talk about is, you know, designating a qualified individual. So, you know, what does that mean? You need to have somebody that is kind of think of it as a chief information security officer or a security manager that is experienced in these matters. You know, it can be a consultant. It doesn’t have to be somebody that works

directly employed by your organization, but you do have to have somebody that’s identified. Senior members of management need to oversee this person. So if it’s outsourced or if you outsource all of your IT function, then you need to make sure that there is somebody that’s qualified and designated, written down, that has the experience that’s needed to fully understand

Jeremy Price (17:21.032) 

risk assessments and to ensure that the program is managed.

Kind of the second area is you need to base your information security program on a risk assessment. So you know, annually probably, again, they don’t put this in the language, but you know, it would be pretty much expected in the world of cybersecurity that you’re having some sort of annual risk assessment. Maybe larger in the first year and then updates to that either annually or as something significant in your environment changes.

identified the foreseeable internal and external risks to the security, confidentiality, integrity of your customer’s information. And the risk assessment needs to be documented. So showing how you went through the process, what did you evaluate, how did you determine areas of risk that needed to be addressed.

Kind of next step to that, you need to then, based on your risk assessment results, design and implement the safeguards. So what are the actual controls that you identified in this risk assessment that need to be implemented? So we’re talking about…

access controls. How do we authenticate or provide access to this customer information? You need to know where this information is, so kind of mappings, classifications of the data that you hold. You need to understand all the devices that have access to that data, and those devices need to be formally managed through a cybersecurity program.

Jeremy Price (19:15.61)

customer information needs to be encrypted in transit, at rest, you know, so you may not have a, you know, a server quote unquote that has encrypted hard drives on it, you know, so there may be an investment that needs to be made to make sure that customer data is encrypted. You know, if you do any development, meaning, you know, you’re developing your own applications to support your business.

You need to ensure that secure development methodologies are taking place. If your apps are developed by a third party, you need to understand what they are doing to ensure secure development practices are in place. Something that I think every organization should have from as many angles as possible is multi-factor authentication.

this is now a requirement. So to access the customer’s information that you’ve got, you need to have multi-factor authentication wrapped around that system. So we would typically see that as, you know, any remote access into your company, you know, multi-factor into the environment. Even if that environment’s a software as a service that a third party manages or runs for you, you need to have it set up with multi-factor authentication.

Disposal of customer information. So the way the Reg speaks to it is no later than two years after the last date the information was used, then you need to properly dispose of it. So you probably need to have a policy put in place here that’s written that talks about how you’re going to dispose of information. You know.

There are sometimes when you would have a legitimate business purpose or need to retain it, maybe there’s a law or regulation even that requires you to retain it further, but those types of things need to be defined in your security policy. You need to be evaluating changes to your information system.

Jeremy Price (21:23.146) 

networks and environments. If we’re doing a major upgrade, do we have good change management processes in place?

you know, if we’re using software as a service and the vendor tells you that there’s gonna be a new big release, have we tested our security controls to ensure that once the new release comes out that multifactor authentication still works or maybe we have reports where we’re reviewing who has access to things or who has accessed things, you know, are those reports still running? So there’s a change management aspect of this.

Jeremy Price (22:02.356) 

activity. I just mentioned who has access, who has accessed the system, looking for intrusions essentially. Sometimes this is an outsourced function where the third party is monitoring your logs from all of your systems and can alert you to any type of anomalous activity.

We need to be regularly monitoring and testing all of this. So how do you do that? Vulnerability assessments, penetration testing, tabletop exercises, all of these different methods of ensuring that the program you have in place is actually working. We’re testing against it, we’re monitoring things.

That is one of the safeguards that they’re prescribing needs to be done. So you probably need to be getting annual penetration tests, working with either your IT group or your internal audit group or a third party to perform tabletop exercises. So that’s a big one. Let’s see, also have to implement policies and procedures.

Nobody likes policies and procedures or at least writing them or reading them, but they are necessary.

John W Verry (23:25.065) 

Hey, hey, speak for yourself. I mean, some of us enjoy this stuff. I mean, we should kick you out of the Information Security Practitioners Group for saying that. I mean, you know, should I ask the people that are, you know, editing this to take that out? Nah, you know, leave it in, because I’ll use it against Jeremy from this point forward as black.

Jeremy Price (23:30.34)

Um,

Jeremy Price (23:34.224)

I know.

Jeremy Price (23:37.887) 

sure.

Jeremy Price (23:43.382)

There we go, there we go. I did say they’re necessary though, right?

Yeah, so training users and training security personnel. So you need to understand, are users being trained on cyber security, attack vectors and methods, and securing that data that we’ve got, and then additional training for that security personnel. So if you have your own IT department, there needs to be people going to training to understand the new threats and vectors and technologies that are out there to prevent it.

If you’re using a third party managed service provider, for instance, to perform your IT services, you need to be understanding what they’re doing to make sure that their folks are staying up to par with new technologies.

Overseeing, we just talked about managed service providers. If you’ve got one of those, you need to be taking reasonable steps to not only select that provider, but understand their capabilities to maintain these appropriate safeguards for your customer’s information. You might need right to audit clauses in the contract with them. You’re going to want…

periodic reporting from them on things, activities that they’re doing and how they’re performing and patch management and things of that nature to ensure, to give you comfort that one, that your data is secure and two, just to make sure that you’re meeting the obligation of overseeing these service providers.

Jeremy Price (25:25.418) 

And then, you know, things change all the time in the world of IT and data. We’re removing data, we’re restoring data, so, you know, we need to be consistently reevaluating and adjusting the information security program.

If you have a penetration test done or a vulnerability test done and it has some findings, then we need to adjust our information security program to ensure that those types of findings don’t pop up again in the future. If patch management is suffering, for instance, from…

patches aren’t being applied rigorously, and someone finds that through a vulnerability or a pen test, then we need to reevaluate what we’re doing with regard to our information security program to ensure that type of a gap is closed and we’re not worried about that in the future. Need to develop incident response plans. So these need to be…

you know, documented, tested, maintained. You know, we don’t wanna build an incident response plan out, put it on the shelf and five years later, you know, pick it up and the names are all, people have left the organization or our providers have changed, you know, so we need to be making sure that we’re updating our incident response plan as things change. You know.

We also.

Jeremy Price (27:01.142)

would expect to see where the FTC says that you have to have a qualified individual reporting in writing and regularly, at least annually, to your board. Obviously some smaller companies may not have a board, and in that case, you know, this qualified individual needs to be making written presentations on the status of the overall program, risks, things of that

organization. So I know that’s a lot. I’ve been speaking a lot. Do you have any questions on any of the points that I was just running through, John?

John W Verry (27:42.413)

Yeah, I think I nodded off after the second point. Would you mind rolling it back there and starting over? I’m kidding. No, that was good. And, you know, to some extent it speaks to the fact that it’s a fairly robust set of information security practices, right? It, you know, it’s, um, if you’re, if you don’t have a reasonably mature cybersecurity program, you’re going to have a little bit of

Jeremy Price (28:07.146)

Yep, it’s very true. I think the good thing about a lot of this is nothing that they’re asking an organization to do is what I would consider overkill or a waste of time and money. Cyber security is a real thing. We see organizations get hit all the time.

You know, many organizations have to follow a number of different regulations. So, you know, I think a good example of that is like higher education. You know, they’ve often got health clinics. They’ve got, so there’s HIPAA. They’ve got GLBA because they’re taking, you know, financial aid and things of that nature. You’ve got, you know,

programs around student data, you’ve got PCI if you’re taking credit cards. So the good news is if you take a framework, a cybersecurity framework, and you apply the majority of the concepts out of that framework, you’re going to have coverage for the things that this particular program is requiring. And the bonus to that is you’re going to meet the obligations of many of the others as well.

you know, when you’ve got a regulation that you’ve got to follow, you map that regulation to a framework, you know, whether it’s the NIST, National Institute of Standards and Technology Cybersecurity Framework, there’s a few others out there from the Center for Internet Security, and so on. But if you implement a cybersecurity program and you follow a cybersecurity framework,

you’re most likely going to be able to check the boxes for a lot of the requirements that these different laws are requiring. And it just makes your life a lot easier too. You build your program on a framework.

Jeremy Price (30:09.794)

when a new regulation comes out the door from, you know, left field that you weren’t expecting, there’s a good chance you’ll be able to map that to that framework and you’re going to be way past the willful neglect category and you’re going to be in good shape. There may be some little tweaks and things that have to be done, but you know, for the most part, you know, you’ll be in good shape if you’re doing what is prescribed through these frameworks.

John W Verry (30:34.741)

Then listen, the nice thing, I agree with you, it’s a good fundamental framework. And it’s because all good frameworks are fundamental, right? Understand scope, what do we protect and why we protect and understand the risks to that data, you know, and then, you know, implement controls proportional to risk and context, right? In fundamental, that’s every information security program in every standard in the world. So they’re just giving us a little bit more prescriptive or semi-prescriptive guidance. So this…

Jeremy Price (31:01.101)

Yeah.

John W Verry (31:02.729)

This went into effect on June 9th, 2023. So by the time anyone’s listening to this, you’re already subject to it. What happens if to somebody, so two things for you. One is how do you need to report compliance or are there audits or is it self attestation? I don’t know how that works. And then the second thing is if you fail to meet the FTC safeguards, what would be the outcome?

Jeremy Price (31:33.418) 

Yeah, so.

You know, there’s not a self-reporting requirement that I’ve read on, you know, but you, if you meet the obligated, you know, if you’re obligated to do this, then the time is now. I mean, if you’re not doing anything with this program today and you fall into this category, then you know, you need to get moving. You know, you’re gonna need to start by identifying, you know, do we have the in-house talent to do this? If not, you know, who are we gonna use?

and start scheduling things like that risk assessment. That’s probably the number one first step. Identify who’s gonna be the subject matter expert in this or the qualified individual that can help manage through this, either internally or externally, and then get moving on the risk assessment. That can be doing a gap analysis to a framework like we talked about before, but really just understanding the environment, the controls that you have today, and what you need to get put in place.

Through that, you can shake the trees to figure out who’s going to write this policy or this procedure or this incident response plan and things of that nature. But all of those things take time. So you don’t want to be in that willful neglect category if something were to happen. So from an FTC perspective, they have published some guidelines on their fines.

meet these safeguards and you know it’s been my experience you know especially through the lens of HIPAA that willful neglect category kind of changes the fine the regulators come in and they’re like oh wow you’re actually doing a lot here and you were really trying that fine comes down if they come in and they say you know show us your information security program and your risk assessment and you say we don’t have any of that then you’re getting max fines

Jeremy Price (33:29.758)

They say $100,000 per instance for the organization.

So if you’ve got a large breach that comprises of a bunch of records, that can get expensive. And one of the areas that a lot of people don’t realize is that it’s a $10,000 fine per instance for senior leadership or the owners of the company, and that can also go up tremendously. In addition to that, you could end up with class action lawsuits. You could also go to prison.

associated with this. So, you know, you know your business, you know the type of data that you have, you know, you have a responsibility to protect the data and, you know, if you don’t and something happens and the FTC finds out about it, then, you know, you could face significant penalties.

John W Verry (34:29.301) 

So I think those are all pretty good reasons. Jail is a pretty good dissuader. Yeah, I don’t think I would last very long in jail. So yes. All right, I think we beat this up pretty good. Anything we missed?

Jeremy Price (34:56.922) 

Regulations don’t need to be hard. Cyber security doesn’t need to be hard. It can be scary for people that don’t live and breathe it like myself and John. But there’s easy ways to peel back the onion and add layers of security to your network and to protect your data. So if you’re not talking about it as an organization, you should be. And I’d be happy to talk to anybody that wants to chat about it.

John W Verry (35:27.038) 

So give me a fictional character or real-world person that would make an amazing or a horrible CISO and why.

Jeremy Price (35:35.39) 

Okay.

Jeremy Price (35:39.298) 

I think this person would be both amazing and horrible. I’m going to go with Samuel Jackson.

John W Verry (35:48.058)

Samuel Jackson, Snakes on a Plane.

Jeremy Price (35:50.35) 

Yeah. Uh, you know, I mean, think about it from a, if he’s, if he’s the internal CISO, I mean, how’s he going to talk to his employees, you know, don’t click that. I dare, uh, to try to hack me, you know.

John W Verry (36:05.186) 

Well, he could do it with scripture like he did in Pulp Fiction, right, which is perhaps my favorite role of his, right?

Jeremy Price (36:09.546)

Yeah, yeah, for sure. You know, preach it. So yeah, I don’t know why, but I’ve always just thought that he would make a great CISO.

John W Verry (36:13.525) 

Preach it, baby.

John W Verry (36:21.569) 

because he would scare the heck out of people. But he wouldn’t last long because he would violate every corporate ethics rule with his language and the way he said things. It would be an HR action the minute he did it. He’d be gone right away. He’d be good for a short period of time, I think, what you say.

Jeremy Price (36:23.751)

scare people, yeah.

Jeremy Price (36:31.443) 

Well, that’s why I said.

Jeremy Price (36:37.911)

Yeah, and that’s why I also said amazing and horrible.

John W Verry (36:42.035)

Well, you could have said amazing and short-lived. That would also be the same thing, right? All right. So this has been great. Thank you. If anybody wanted to get in contact with you, what’s the easiest way for them to do that?

Jeremy Price (36:45.004)

Yeah, that’d be a good way to put it.

Jeremy Price (36:55.078) 

You can find me on LinkedIn. I don’t do, I guess it’s called X now. I don’t really do much of that. And then, I don’t know, John, do you have podcast notes or something? We can always throw my email address in there. Or you can get ahold of me through John as well.

John W Verry (37:12.201) 

Sounds good, man. Thank you.

Jeremy Price (37:14.454)

Thank you. It’s been fun.

John W Verry (37:16.437)

That’s same here.

Jeremy Price (37:18.294)

All right, well, everybody have a great week from whenever this comes out.