Safeguards Rule Resources
Tools to Help Navigate Current and Upcoming Changes


Compliance and Regulation Support

Read our blog on the extended deadline of the FTC Safeguards Rule and the new conditions.

FTC Safeguards Rule: What Your Business Needs to Know

What is the FTC Safeguards Rule?

The FTC Safeguards Rule took effect in 2003. It requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers' information safe.

The Rule was amended in 2021 to keep up with evolving technology. The amended Rule provides more concrete guidance for businesses on the core data security principles they need to implement.

What Are The Amended Changes To The Safeguards Rule?

The FTC approved the changes to the Safeguards Rule in October 2021. Originally, the new provisions were set to go into effect on December 9, 2022, but this was extended to June 9, 2023.

The provisions of the updated rule include the following requirements:

  • Designate a qualified individual to oversee their information security program
  • Develop a written security risk assessment and information security program
  • Limit and monitor who can access sensitive customer information
  • Encrypt all sensitive information
  • Train personnel on security awareness
  • Develop an incident response plan
  • Periodically assess the security practices of service providers
  • Conduct systems monitoring, penetration testing, and vulnerability assessments
  • Implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information

Helpful Government Resource Links

FTC Safeguards Rule: What Your Business Needs to Know
Business guidance resource from the FTC

NIST Cybersecurity Framework
Helping organizations to better understand and improve their management of cybersecurity risk

CFPB Consumer Financial Protection Circular
Insufficient data protection or security for sensitive consumer information

Glossary of Terms

Definition of important terms used in the FTC Safeguards Rule.

Authorized User

Any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.

Encryption

A way of scrambling data so that only authorized parties can understand the information. In technical terms, it is the process of converting human-readable plaintext to incomprehensible text, also known as ciphertext.

Financial Institution

Any institution the business of which is engaging in an activity that is financial in nature.

Information Security Program

The administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

Multi-Factor Authentication

An authentication method that requires the user to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN.

Nonpublic Personal Information

Any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."

Penetration Testing

An authorized simulated attack performed on a computer system to evaluate its security.

Security Event

An event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.

Service Provider

Any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to the Rule.