What Is the FTC Safeguards Rule?
The FTC Safeguards Rule is a federal regulation issued by the Federal Trade Commission under the Gramm-Leach-Bliley Act (GLBA). It requires certain businesses — called "financial institutions" under the law — to develop, implement, and maintain a comprehensive written information security program to protect customer financial data.
The rule was originally enacted in 2003. The FTC finalized a substantially amended version in December 2021, and most of its new requirements took effect on June 9, 2023; a further amendment adding breach notification to the FTC was finalized in October 2023 and took effect in May 2024. The amended rule is not vague: it tells you exactly what you need to do, including specific controls such as multi-factor authentication, encryption in transit and at rest, penetration testing and vulnerability assessment frequency, and board-level reporting requirements.
Here's the part that surprises most small business owners: the FTC Safeguards Rule is not just for banks. The definition of "financial institution" under GLBA is much broader than most people realize, and it sweeps in a wide range of businesses that handle consumer financial information — many of which have no idea they're covered.
The FTC Safeguards Rule is separate from the FTC's general Section 5 authority over "unfair or deceptive" practices. Even if you're not covered by the Safeguards Rule, the FTC can still take action against your business for inadequate data security under Section 5. The Safeguards Rule just adds a specific, mandatory framework on top of that.
Who Must Comply? (The List Will Surprise You)
Under the Gramm-Leach-Bliley Act, a "financial institution" is any business that is "significantly engaged" in financial activities. The FTC interprets this broadly. Here are the business types that are covered — many of which are common small businesses:
- Auto Dealerships: any dealer that arranges or offers financing, which is virtually all of them
- Tax Preparers & Accountants: CPAs, enrolled agents, H&R Block franchises, independent tax preparers
- Mortgage Brokers & Lenders: including independent mortgage brokers and small mortgage companies
- Payday & Personal Lenders: any business that makes consumer loans, including buy-now-pay-later
- Financial Advisors & Planners: investment advisors, financial planners, wealth managers
- Insurance Agents & Brokers: independent agents and brokers who collect consumer financial data
- Real Estate Settlement Companies: title companies, escrow companies, settlement agents
- Check Cashing & Money Transfer: check cashing services, money order sellers, wire transfer services
- Student Loan Servicers: private student loan companies and servicers
- Healthcare Billing Companies: third-party medical billing companies that handle financial data
There is one important exemption, and it is narrower than it sounds. A business that maintains customer information on fewer than 5,000 consumers is excused from four specific requirements: the written risk assessment (a risk assessment is still required, just not in the prescribed written form), annual penetration testing and six-month vulnerability assessments (or the continuous-monitoring alternative), the written incident response plan, and the annual written report to the board. Every other element still applies, including the information security program itself, the Qualified Individual, access controls, MFA, encryption, training, and service provider oversight. Count consumers, not transactions: the threshold is the number of people whose information you hold, including former customers whose records you have kept.
If you're not sure whether your business qualifies as a "financial institution" under GLBA, assume you do and consult with a compliance professional. The FTC has taken enforcement action against businesses that incorrectly assumed they were exempt.
The 9 Required Program Elements
The updated FTC Safeguards Rule requires your information security program to include nine specific elements. Here's what each one actually means in practice:
Designate a Qualified Individual
Effort: Low. You must designate a specific person, or a service provider, to oversee your information security program. This person is responsible for implementing and maintaining the program and must report to your board or senior management at least annually. This can be an employee or an outsourced MSSP. If you use an outside provider as your QI, the rule does not let you outsource accountability with it: you must name a senior member of your own staff to direct and oversee that provider, and require the provider to maintain the program.
Conduct a Risk Assessment
Effort: Medium. You must identify and assess the risks to customer information in each area of your operations, including employee training and management, information systems, and detecting, preventing, and responding to security failures. The risk assessment must be written, must state the criteria you use to rate risks and judge whether your safeguards are adequate, and must be updated regularly. This is the foundation everything else is built on. (Businesses with customer information on fewer than 5,000 consumers must still base their program on a risk assessment, but are excused from the written-form requirement.)
Implement Safeguards to Control Risks
Effort: High. Based on your risk assessment, you must implement and regularly test safeguards to control the risks you identified. The rule specifies several required safeguards, including: access controls (limiting who can access customer data, with periodic review of who still needs it), an inventory of the data, devices, and systems that hold customer information, encryption of customer data in transit over external networks and at rest, multi-factor authentication for anyone accessing information systems, secure development practices for in-house software, logging and monitoring of user activity, and secure disposal of customer information no later than two years after it was last needed for a business purpose, unless retention is required by law.
Oversee Service Providers
Effort: Medium. You must select and retain service providers that maintain appropriate safeguards for customer information, require them to implement and maintain those safeguards by contract, and periodically reassess them. This means your vendor contracts must include data security requirements; a handshake agreement is not sufficient.
Evaluate & Adjust the Program
Effort: Low. You must regularly evaluate and adjust your information security program in light of the results of your testing and monitoring, any material changes to your operations, and any other circumstances that you know or have reason to know may have a material impact on your program.
Implement an Incident Response Plan
Effort: Medium. You must create a written incident response plan that defines the goals of the plan, the internal processes for responding to a security event, the roles, responsibilities, and decision-making authority of each person involved, internal and external communication and documentation practices, how identified weaknesses will be remediated, and how you will evaluate and revise the plan after an incident. (The written plan is waived for businesses with customer information on fewer than 5,000 consumers.)
Conduct Penetration Testing & Vulnerability Assessments
Effort: High. Unless you have effective continuous monitoring that detects changes to your systems as they happen, you must conduct annual penetration testing of your information systems and vulnerability assessments at least every six months and whenever there are material changes to your operations or business arrangements. (Waived for businesses with customer information on fewer than 5,000 consumers, but vulnerability scanning is still strongly recommended, and you still have to test your safeguards in some form.)
Train Your Staff
Effort: Low. You must implement a security awareness training program for all employees. Training must be updated to reflect risks identified in your risk assessment. You must also use qualified information security personnel, whether employees or a provider, and verify that key personnel are taking steps to implement your information security program and are keeping current with emerging threats.
Report to the Board
Effort: Low. Your Qualified Individual must report in writing to your board of directors, or if you don't have a board, to a senior officer responsible for your information security program, at least annually. The report must cover the overall status of the program and your compliance with the Safeguards Rule, including material matters such as risk assessment results, testing results, security events and how you responded, service provider arrangements, and recommended changes. (The written annual report is waived for businesses with customer information on fewer than 5,000 consumers.)
The Qualified Individual Requirement
One of the most misunderstood requirements in the updated Safeguards Rule is the Qualified Individual (QI). The rule requires you to designate a specific person to oversee your information security program — but it does not require that person to be an employee.
This is actually great news for small businesses. You can fulfill the Qualified Individual requirement by engaging a managed security services provider (MSSP) like Segler.Net. The MSSP acts as your virtual CISO (Chief Information Security Officer), overseeing your security program, conducting risk assessments, and reporting to your leadership team.
In-House QI
- Must have relevant cybersecurity knowledge and experience
- Responsible for day-to-day program oversight
- Must report to board/senior management annually
- Requires ongoing training to stay current
- May be difficult to find/retain for small businesses
Outsourced QI (MSSP)
- Fully permitted under the Safeguards Rule
- Access to a full team of security experts
- Typically more cost-effective for SMBs
- Provides annual board reporting documentation
- Stays current with evolving FTC requirements
Regardless of whether your QI is in-house or outsourced, they must report in writing to your board of directors or senior management at least annually. The report must cover the overall status of your information security program and any material matters related to it, including risk assessment results, test results, significant security events and how they were handled, and recommendations for program improvements. If the QI is a service provider, the rule still requires a senior person on your own staff to direct and oversee them; the outsourcing arrangement transfers the work, not the responsibility.
Risk Assessment & Testing Requirements
The amended Safeguards Rule is unusually specific about testing requirements. Unlike the original 2003 rule, which vaguely required "regular testing," the amended rule in force since June 2023 specifies what testing you need and how often.
Annual Penetration Testing
Frequency: annually. Waived if fewer than 5,000 consumer records. You must conduct penetration testing of your information systems at least once per year, unless you instead maintain effective continuous monitoring that detects changes creating new vulnerabilities as they happen. Penetration testing involves a qualified security professional attempting to break into your systems using the same techniques real attackers use. The goal is to find vulnerabilities before attackers do. The rule defines penetration testing by method, not by who performs it, so an outside firm is not literally mandated; in practice, though, a test run by the same people who built and administer the systems carries little weight with the FTC or an auditor, so use a qualified independent tester and keep the report and the remediation record.
Vulnerability Assessments
Frequency: every six months. Waived if fewer than 5,000 consumer records. You must conduct vulnerability assessments at least every six months and whenever there are material changes to your operations or business arrangements. Vulnerability assessments are systematic scans or reviews that identify publicly known security weaknesses in your systems; think of them as a security health check. Unlike penetration testing, these can be done with automated tools, but the output only counts if someone reviews it and tracks the findings to closure.
Written Risk Assessment
Frequency: ongoing. Your risk assessment must be written and must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information. It must state the criteria you use to evaluate and categorize those risks and to judge the sufficiency of your existing safeguards, and it must be updated regularly, at minimum whenever there are material changes to your business. (The written form is waived if you hold customer information on fewer than 5,000 consumers; a risk assessment is still required.)
Multi-Factor Authentication
Required. MFA is now explicitly required for any individual accessing any information system, unless your Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls. The rule defines MFA as verification of at least two of: something you know, something you have, and something you are. SMS one-time codes satisfy that definition, but they are the weakest form, vulnerable to SIM swapping and real-time phishing; authenticator apps are better, and phishing-resistant hardware keys or passkeys are best, especially for administrators and anyone with remote access. You must also have a process for periodically reviewing access rights and removing access that is no longer needed.
Encryption
Required. Customer information must be encrypted both in transit over external networks (when being sent across the internet or other networks you don't control) and at rest (when stored on servers, laptops, backups, or other devices). If you cannot encrypt certain data, your Qualified Individual must approve in writing the alternative compensating controls you use instead, and you should document why encryption is not feasible. Encryption also matters for breach notification: a loss of properly encrypted data whose keys were not compromised does not by itself trigger the FTC notification requirement.
Vendor & Service Provider Oversight
The Safeguards Rule requires you to oversee your service providers — any third party that has access to your customer information or that maintains, processes, or otherwise is permitted access to customer information through its provision of services to you.
This is a big deal for small businesses that rely heavily on third-party software and services. Your cloud accounting software, your CRM, your email provider, your IT support company — if they touch customer financial data, you have obligations regarding their security.
What the Rule Requires for Service Providers:
- Select service providers that maintain appropriate safeguards: do your due diligence before signing up
- Require service providers to implement and maintain appropriate safeguards by contract: verbal agreements don't count
- Periodically assess service providers based on the risk they present and the continued adequacy of their safeguards
- Require service providers, by contract, to notify you promptly of any security events that may affect your customer information; the rule does not spell this term out, but you cannot meet your own 30-day FTC notification deadline if a vendor sits on a breach for weeks
In practice, this means reviewing your vendor contracts and adding data security provisions if they're not already there. For major vendors, you should request their SOC 2 Type II report or equivalent security documentation. For smaller vendors, a security questionnaire may be sufficient.
Incident Response & FTC Reporting
The amended Safeguards Rule added a significant new requirement: you must notify the FTC as soon as possible, and no later than 30 days after discovery, of a "notification event," meaning unauthorized acquisition of unencrypted customer information involving at least 500 consumers. Encrypted data counts as unencrypted if the encryption key was also acquired, and the rule presumes data was acquired unless you have reliable evidence that it was not or could not reasonably have been. This is a direct reporting obligation to the federal government, not just to affected customers, and the FTC publishes the notices it receives.
30 Days: maximum time to notify the FTC after discovering a breach affecting 500+ customers
500+: customer threshold that triggers mandatory FTC notification
Written Plan: required incident response plan must define roles, communication, and recovery procedures
Your written incident response plan must address: the goals of the plan, the internal processes for responding to a security event, the roles, responsibilities, and decision-making authority of each person involved in the response, internal and external communications and information sharing, remediation of any weaknesses the incident exposed, documentation and reporting of security events and the response to them, and how you will evaluate and revise the plan after an incident. The plan should also say who decides whether an event meets the FTC's 500-consumer threshold, who files the notice, and how the 30-day clock is tracked from the date of discovery.
The FTC notification requirement is separate from state breach notification laws. You may need to notify both the FTC and affected customers under your state's breach notification law. Texas has its own breach notification requirements — see our Texas Breach Notification guide for details.
Penalties for Non-Compliance
The FTC has significantly ramped up enforcement of the Safeguards Rule in 2025 and 2026. Here's what non-compliance can actually cost you:
Civil Penalties
The FTC can seek civil penalties of up to $51,744 per violation per day (the figure is adjusted for inflation each January, so check the current amount). In a data breach scenario, each affected customer record could be treated as a separate violation. For a breach affecting 1,000 customers, that is potentially $51.7 million in penalties, though the FTC typically negotiates settlements significantly below the maximum.
Consent Orders
The FTC frequently resolves enforcement actions through consent orders — legally binding agreements that require the business to implement specific security improvements, submit to third-party security audits for 10-20 years, and report any future security incidents to the FTC within 10 days. Violating a consent order can result in additional penalties.
Reputational Damage
FTC enforcement actions are public. A consent order or penalty announcement can severely damage customer trust, particularly for businesses in financial services where trust is the foundation of the relationship. The reputational cost often exceeds the financial penalty.
Private Lawsuits
While the FTC Act does not provide a private right of action, a data breach can trigger class action lawsuits from affected customers under state consumer protection laws. An FTC enforcement action finding that you violated the Safeguards Rule can be used as evidence of negligence in those private lawsuits.
Your 90-Day Action Plan
If you're starting from scratch, here's a realistic 90-day roadmap to get your FTC Safeguards compliance program in place:
- Determine if the Safeguards Rule applies to your business
- Designate your Qualified Individual (in-house or outsourced MSSP)
- Inventory all systems that store, process, or transmit customer financial data
- Identify all service providers with access to customer data
- Conduct and document your written risk assessment
- Identify gaps between current security controls and Safeguards Rule requirements
- Prioritize gaps by risk level and remediation effort
- Develop a remediation plan with timelines and owners
- Enable MFA on all systems containing customer information
- Implement encryption for customer data at rest and in transit
- Review and tighten access controls — minimum necessary access
- Update vendor contracts to include data security requirements
- Write your incident response plan
- Conduct employee security awareness training and document it
- Schedule your first penetration test (if required)
- Prepare your first annual board/management report
The Bottom Line
The FTC Safeguards Rule is one of the most underappreciated compliance obligations facing small businesses today. Auto dealers, tax preparers, accountants, mortgage brokers, and dozens of other common business types are legally required to have a comprehensive information security program — and many have no idea.
The good news: the requirements are specific and achievable. Unlike some compliance frameworks that are vague and open to interpretation, the updated Safeguards Rule tells you exactly what you need to do. That makes it easier to build a compliant program — if you know where to start.
The bad news: the FTC is actively enforcing this rule against small businesses, and the penalties are significant. "I didn't know it applied to me" is not a defense.
If you're in a covered business type and you don't have a documented information security program, the time to act is now — before the FTC comes to you.
Ready to Get FTC Safeguards Compliant?
Segler.Net offers a free 30-minute assessment to determine if the Safeguards Rule applies to your business, identify your gaps, and give you a clear action plan — no sales pressure, just honest advice.