FTC Safeguards Rule Explained: Requirements, Compliance, and Reporting Obligations

If your business collects, stores, or processes customer financial information, compliance with the FTC Safeguards Rule may not be optional; it may be mandatory. Yet many organizations remain unclear about whether the rule applies to them, what it actually requires, and how to confidently demonstrate compliance.

In this BTI Communications Group blog, we break down what the FTC Safeguards Rule is, which businesses must follow it, the specific security requirements organizations must implement, and what steps you can take to reduce risk, avoid penalties, and strengthen your cybersecurity posture.

Key Takeaways

  • The FTC Safeguards Rule requires certain businesses to protect customer financial information through a documented, enforceable information security program.
  • The Rule applies to more than just banks. Many organizations classified as financial institutions under GLBA, including mortgage brokers, auto dealers offering financing, tax preparers, and firms handling financial data on behalf of clients, may be covered.
  • Compliance must be provable. Covered institutions must designate a Qualified Individual, conduct risk assessments, implement required safeguards (including MFA and encryption), monitor systems, train employees, and maintain an incident response plan.
  • New breach reporting rules apply. If unencrypted customer information affecting 500 or more consumers is accessed without authorization, a report must be submitted to the FTC within 30 days of discovery.
  • Encryption expectations are explicit. Data must be encrypted both in transit and at rest, and exposure of encryption keys may still trigger reporting obligations.
  • Breach reports may become public. Notification events are entered into an FTC public database, increasing regulatory scrutiny and reputational risk.

What is the FTC Safeguards Rule?

The FTC Safeguards Rule requires certain businesses to protect customer financial information through a documented, enforceable information security program.

The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA) and is enforced by the Federal Trade Commission (FTC).

What is Defined as Customer Information Under the FTC Safeguards Rule?

According to the Federal Trade Commission (FTC) official website, customer information is defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

Who Does the FTC Safeguards Rule Apply To?

The FTC Safeguards Rule applies to financial institutions, meaning businesses that collect or handle people’s financial information. Many leaders assume this rule applies only to banks. In fact, the Safeguards Rule applies to a broad range of organizations considered “financial institutions” under the Gramm-Leach-Bliley Act (GLBA), including:

  • Mortgage brokers
  • Auto dealerships
  • Tax preparation firms
  • Accountants
  • Investment advisors
  • Businesses that handle financial data on behalf of clients

Non-compliance can create regulatory exposure, legal risk, reputational harm, and operational disruption. More importantly, it often indicates security gaps that attackers look for first.

Who the FTC Safeguards Rule Does Not Apply To

The FTC Safeguards Rule does not apply to three types of entities:

  1. Organizations regulated by other agencies.
  2. Businesses that aren’t classified as financial institutions.
  3. Small businesses.

Organizations Regulated by Other Agencies

These are organizations already governed by other federal regulators under section 505 of the Gramm-Leach-Bliley Act (GLBA). Some examples include:

| Entity Type                        | Primary Regulator              | Status               |
|------------------------------------|--------------------------------|----------------------|
| Banks & Savings Associations       | Federal Reserve, OCC, or FDIC  | Exempt from FTC Rule |
| Credit Unions (Federally Insured)  | NCUA                           | Exempt from FTC Rule |
| Insurance Companies                | State Insurance Authorities    | Exempt from FTC Rule |
| SEC-Registered Advisors            | SEC                            | Exempt from FTC Rule |

Businesses That Aren't Classified as Financial Institutions

Most everyday businesses are exempt from the FTC Safeguards Rule because their primary job is selling a product, not managing money. This even applies if you offer simple layaway or let regulars “run a tab.” Doctors and lawyers are typically not required to follow FTC Safeguards since they already follow strict privacy laws like HIPAA or state bar rules.

In simple terms, if your business isn’t built around lending, brokering loans, or professional financial advice, you likely don’t have to worry about the FTC Safeguards Rule. 

| Business Type                                  | Why They Are Exempt                                                                              | Compliance Status |
|------------------------------------------------|--------------------------------------------------------------------------------------------------|-------------------|
| General Retailers                              | Accepting cash, checks, or cards for goods is not a "financial activity" under GLBA.             | Not Required      |
| Layaway / "Running a Tab"                      | Informal internal credit for small purchases is specifically excluded by the FTC.                | Not Required      |
| Service Providers (Dry Cleaners, Restaurants)  | Not "significantly engaged" in financial activities; they provide services, not money management. | Not Required      |
| Medical Professionals & Lawyers                | Regulated by HIPAA or State Bar Ethics; not in the business of lending or brokering loans.        | Not Required      |
| Public Utilities                               | Provide essential services (water, power) rather than financial products.                        | Not Required      |

Small Businesses

If a company is a financial institution but is very small, it gets a “break” on the most complex parts of the rule. If you maintain information on fewer than 5,000 consumers, you are exempt from:

  • Developing a written risk assessment.
  • Appointing a “Qualified Individual” to report to a board of directors.
  • Creating a written incident response plan.
  • Annual reporting requirements.


However, even if your organization falls under this 5,000-record threshold, you are still required to implement basic security like encryption, multi-factor authentication (MFA), and secure data disposal.

How to Comply with FTC Safeguards Rule

The Safeguards Rule requires businesses to implement a comprehensive written information security program, supported by specific administrative and technical safeguards.

Below are the key requirements business leaders should understand.

1. Have a Written Information Security Program (WISP)

Your organization must create and maintain a documented security program designed to protect customer information.

This program is not one-size-fits-all. It must be tailored to your organization’s size, complexity, and risk profile, and it must be enforceable in day-to-day operations.

2. Have a Designated Qualified Individual

FTC compliance requires your organization to appoint a qualified individual responsible for overseeing and enforcing your security program.

For many small and mid-sized businesses, this is achieved through:

  • An internal security officer
  • A managed IT and cybersecurity partner
  • A virtual CISO (vCISO) model


The key is accountability: someone must own the program and ensure it remains active, monitored, and provable.

3. Conduct Risk Assessments

Conducting regular risk assessments will allow you to:

  1. Identify where customer information is stored
  2. Evaluate internal and external threats
  3. Assess vulnerabilities in systems and workflows
  4. Document how risks are mitigated

A defensible risk assessment is the foundation for the WISP, and it is often the first place auditors, insurers, and regulators will focus.

4. Required Technical Safeguards

The FTC requires specific protections, including:

  1. Multi-Factor Authentication (MFA)
  2. Encryption of data at rest and in transit
  3. Access controls and least privilege policies
  4. Secure development practices
  5. Continuous monitoring
  6. Vulnerability scanning
  7. Penetration testing

If these safeguards are incomplete, inconsistently enforced, or undocumented, you are exposed both operationally and from a compliance standpoint.

5. Ongoing Monitoring and Testing

Security is not a one-time setup. FTC compliance requires you to:

  1. Monitor systems continuously
  2. Conduct vulnerability scans
  3. Perform regular penetration testing
  4. Review logs and investigate suspicious activity

This is where many programs break down: tools exist, but monitoring is fragmented, alerts are ignored, and evidence cannot be produced quickly.

6. Employee Training

Employees must receive security awareness training to reduce the likelihood of:

  1. Phishing attacks
  2. Social engineering
  3. Credential compromise
  4. Ransomware infections


Training should be measurable and recurring, with completion records and clear reinforcement.

7. Incident Response Plan

You must have a documented response plan outlining:

  1. How breaches are detected
  2. Who is notified
  3. How systems are contained
  4. How recovery occurs

FTC Safeguards Rule Reporting Requirements (Updated)

The updated FTC Safeguards Rule adds a federal incident reporting obligation for certain breaches involving customer information.

When Reporting Is Required

You must report a breach to the FTC when unencrypted customer information affecting 500 or more consumers is acquired or accessed without authorization.

A key point: the reporting trigger is unauthorized access/acquisition, not whether you believe harm will occur. You do not have to determine “likelihood of misuse” before reporting under the Rule.

How to File a Report Under FTC Safeguards Rule

  1. Reports must be submitted within 30 days of discovering the incident
  2. Reporting is done through a form on the FTC website

What the Report Must Include

Your report should include:

  1. Number of consumers affected
  2. What types of data were involved
  3. Your institution’s contact information

When Reporting Can Be Delayed

If law enforcement determines public notification would interfere with an investigation or national security, reporting can be delayed while the investigation is active, up to 60 days beyond the initial reporting window.

Does Submitting a Breach Report Mean an FTC Safeguards Rule Violation?

Submitting a breach report does not automatically mean the FTC has found a Safeguards Rule violation, and it does not guarantee an investigation or enforcement action.

However, the FTC will publish notification events in a public database, which can increase scrutiny from regulators and potentially contribute to civil legal exposure.

GLBA Privacy Rule vs. Safeguards Rule

GLBA includes a Privacy Rule that requires financial institutions to describe privacy practices and give consumers the ability to opt out of sharing their nonpublic personal information (NPI) with certain third parties.

The updated FTC Safeguards Rule also includes language on “knowledge” of a notification event: if an employee, officer, or agent accesses customer information without authorization, the institution can be treated as having knowledge of that event once it is known to another employee, officer, or agent.

In practical terms, this can create uncertainty in third-party workflows, especially where opt-out status and data-sharing controls intersect with routine vendor access.

Because this area can be operationally complex, organizations should pay close attention to vendor access, data visibility, and how consumer preference flags are exposed in systems and reports.

Final Takeaway: Compliance Must Be Provable

The FTC Safeguards Rule isn’t just about “having cybersecurity.” It’s about having a program that is documented, enforceable, monitored, and provable, and it must cover not only prevention but also response and reporting.

If your organization falls under GLBA, the safest path is to treat compliance as a structured security program: clear ownership, documented risk decisions, technical controls that match the Rule, and an incident process that can support reporting requirements under pressure.

Need Help with FTC Safeguards Rule?

BTI Communications Group helps organizations translate security requirements into practical, defensible programs, so your compliance efforts support both risk reduction and business continuity.

If you need to assess whether the FTC Safeguards Rule applies to your business, strengthen your safeguards, or align incident response with reporting obligations, BTI can help you define a clear path forward.

Eric Brackett

Eric W. Brackett is the founder and president of BTI Communications Group, where he’s been helping businesses nationwide simplify communications, strengthen IT security, and unlock growth since 1985. Known for his client-first approach and “Yes! We Can” mindset, Eric transforms complex technology into reliable, cost-saving solutions that deliver long-term value.