The FTC Safeguards Rule isn't just for banks. Auto dealers, tax preparers, accountants, mortgage brokers, and dozens of other small businesses are legally required to have a comprehensive information security program — or face penalties up to $51,744 per day. Here's exactly who must comply and what the 9 required elements are.
The Federal Trade Commission has authority under Section 5 of the FTC Act to take action against businesses that engage in "unfair or deceptive acts or practices" — and the FTC has consistently held that inadequate data security qualifies. In 2026, the FTC has significantly increased its enforcement activity against small and mid-sized businesses, moving beyond its traditional focus on large corporations. In Q1 2026, the FTC announced 14 enforcement actions against businesses with fewer than 500 employees, compared to 6 in all of 2024. The agency has made clear that it views basic cybersecurity hygiene as a legal obligation, not just a best practice.
The FTC does not prescribe a specific security framework, but its enforcement actions and guidance documents make clear what it considers the baseline of reasonable security for businesses that collect consumer data. These include: conducting regular risk assessments to identify security vulnerabilities; implementing access controls to limit who can access sensitive data; encrypting sensitive data both in transit and at rest; training employees on security practices and phishing awareness; monitoring systems for unauthorized access; having an incident response plan; and patching known vulnerabilities in a timely manner. Businesses that fail to implement these basic controls and subsequently experience a breach face significant FTC enforcement risk.
Several recent FTC enforcement actions illustrate the agency's current priorities. In February 2026, the FTC reached a $500,000 settlement with a regional healthcare staffing firm that experienced a breach exposing 85,000 individuals' personal data. The FTC found that the company had failed to implement MFA, had not patched a known vulnerability for over six months, and had no incident response plan. In March 2026, a retail chain agreed to a $350,000 penalty and a 20-year consent order requiring comprehensive security improvements after a breach exposed customer payment card data. The consent order requires the company to implement a comprehensive security program, conduct annual third-party security assessments, and report any future security incidents to the FTC within 10 days.
The best protection against FTC enforcement is implementing and documenting a reasonable security program before a breach occurs. Start with a written data security policy that describes what data you collect, how you protect it, and who is responsible for security. Conduct and document an annual security risk assessment. Implement the basic technical controls the FTC expects: MFA, encryption, access controls, and timely patching. Train employees on security awareness at least annually and document the training. Have a written incident response plan that includes breach notification procedures. If you do experience a breach, notify affected individuals promptly and cooperate fully with any regulatory inquiries. Segler.Net can help you develop and document a security program that meets FTC expectations.
Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.