KEY TAKEAWAYS
If it seems like there is a cyberattack every minute of every day, you aren’t wrong — you're just underestimating how dangerous cybercrime has become. Microsoft's "Digital Defense Report 2024" shows there are more than 600 million cyberattacks every day — about 416,000 per minute — affecting individuals, corporations, and critical infrastructure globally.
Gone are the days when a business could assume it’s not a target. And while regulations can feel like red tape, the FTC Safeguards Rule isn’t one you can afford to ignore — especially if you're in the financial world. (Yes, that includes many nonbank businesses.)
This federal rule is the FTC's way of saying, "If you collect sensitive customer data, you’re responsible for protecting it."
What Is the FTC Safeguards Rule?
Simply put, the FTC Safeguards Rule requires businesses that handle customer financial data to keep that information secure — with real safeguards, not just good intentions.
The rule is enforced by the Federal Trade Commission (FTC) and falls under the Gramm-Leach-Bliley Act (GLBA). And while that might sound like something out of a law school textbook, here’s what matters: If your business touches finance in any way — think car dealerships, payday lenders, mortgage brokers, investment advisors — the Safeguards Rule likely applies to you.
Its purpose? To make sure businesses aren’t just checking a box when it comes to protecting customer data.
Before we dive into who’s covered, what’s required, and what’s at stake, here’s a quick visual summary of the FTC Safeguards Rule:
Who Does the FTC Safeguards Rule Apply To? (Spoiler: Probably You)
The FTC defines "financial institution" more broadly than most people realize. Under the Safeguards Rule, this includes:
- Mortgage brokers
- Payday lenders
- Investment advisors
- Car dealerships
- Tax prep firms
- Other nonbank financial service providers
If you collect and maintain sensitive customer financial information, you probably fall under this rule.
Already regulated by another federal agency (like the FDIC or Federal Reserve)? You might be exempt. But if you’re not, the FTC wants to know how you're protecting your customers' data.
It's also worth noting that if you maintain fewer than 5,000 consumer records, you may be exempt from some of the rule's requirements — but not all of them. This limited exemption can be confusing, as many smaller entities mistakenly assume they're fully off the hook when they’re still expected to meet core security standards.
FTC Safeguards Rule Requirements: What You Actually Have to Do
The Safeguards Rule requires you to develop and maintain a comprehensive, formal information security program (ISP). Not sure where to start? Use this checklist:
1. Appoint Someone to Own It
You need a qualified individual — someone with the authority and know-how to manage your security program — to oversee the process. This can be someone in-house or a third-party provider, but someone has to take responsibility.
2. Run a Real Risk Assessment
Not a gut check — a documented, asset-based assessment that identifies what you’re protecting, where the risks are, and how your current controls stack up. Update it regularly.
3. Put Controls in Place (and Make Them Count)
Based on your risk assessment, implement appropriate safeguards. That could mean access controls, data encryption, and multifactor authentication (MFA). Use what you know about your threats to prioritize action.
4. Test, Monitor, Repeat
You’ll need to prove that your safeguards work and keep evolving them. That means ongoing monitoring, annual penetration testing, and vulnerability scans twice a year. If your tech, risks, or business operations change, your ISP should adapt accordingly.
5. Train Your People
Employees are both your first line of defense and your biggest risk. Security awareness training can't be boring or one-and-done. It needs to be consistent, engaging, and actionable.
6. Watch Your Vendors
You can outsource services, not responsibility and accountability. If vendors handle sensitive customer data, you’re still responsible for protecting it. Set expectations, monitor them, and follow up.
7. Have an Incident Response Plan
If something goes wrong (and let's be honest — it probably will), you need a plan. Not a draft, not a mental checklist — a real, written, tested incident response plan. Does your plan address a notification event and the timeline for compliance?
8. Report to the Board
Your qualified individual must provide annual updates to your board or senior leadership about your ISP and any major security developments. This keeps leadership in the loop and accountable.
FTC Safeguards Rule Penalties: What Happens If You Ignore It?
Short answer: You don't want to find out.
Violating the FTC Safeguards Rule can result in civil penalties of up to $11,000 per day, per violation. But the real risk goes beyond fines. A data breach tied to negligence can tank customer trust and do lasting damage to your brand.
The FTC won't randomly knock on your door, but it will investigate if a breach occurs or if someone files a complaint.
Why Compliance Is Worth It (Even Beyond the Rule)
Here's what doesn’t get said enough: Compliance isn’t just about avoiding penalties — it's about building resilience.
Strong cybersecurity helps you avoid becoming the next breach headline. It grows customer trust, supports business growth, and gives your team peace of mind.
Small businesses are increasingly in the crosshairs of cybercriminals, and many don't survive a serious attack. Complying with the FTC Safeguards Rule is a smart investment in your long-term success.