Your Roadmap to Risk Reduction!

The Continuum GRC ITAM SaaS platform has hundreds of plugin modules available, such as:


FTC Safeguards Rule

As the name suggests, the purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule took effect in 2003, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.

Modules include:

  • FTC Safeguards Rule

What are you waiting for?

You are just a conversation away from putting the power of Continuum GRC to work for you. 

Contact us using the form below or call us at 1-888-896-6207 for immediate assistance.

Download our company brochure.

About this standard

The FTC Safeguards Rule, formally known as the Standards for Safeguarding Customer Information (16 CFR Part 314), is a regulation issued by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act (GLBA). It mandates that covered financial institutions implement and maintain comprehensive information security programs to protect the security, confidentiality, and integrity of customer information, that is, nonpublic personal information (NPI) about customers. Below is a compliance overview of the FTC Safeguards Rule, outlining its key components, requirements, and processes.

Purpose of the FTC Safeguards Rule

The Safeguards Rule aims to:

  • Protect consumers’ sensitive personal information from unauthorized access, use, or disclosure.
  • Ensure financial institutions implement robust security measures to safeguard NPI.
  • Mitigate risks of data breaches, identity theft, and other cybersecurity threats.

Scope and Applicability

  • Covered Entities: Applies to “financial institutions” as defined by the GLBA that fall under FTC jurisdiction, meaning entities significantly engaged in activities that are financial in nature but that are not supervised by another federal financial regulator. Examples include:
    • Mortgage lenders, brokers, and servicers.
    • Payday lenders, check cashers, and non-bank finance companies.
    • Automobile dealerships that extend credit or arrange financing.
    • Nonbank entities such as tax preparers, debt collectors and collection agencies, or real estate appraisers that handle NPI.
  • Entities outside the FTC Rule: Banks, credit unions, and other depository institutions follow parallel safeguards standards issued by their own regulators (e.g., the OCC, Federal Reserve, FDIC, and NCUA); SEC-registered broker-dealers and investment advisers are covered by the SEC’s Regulation S-P; and insurance companies are generally regulated at the state level.
  • Nonpublic Personal Information (NPI): Includes personally identifiable financial information provided by consumers or collected by the institution, such as:
    • Social Security numbers, account numbers, and credit card details.
    • Information from loan applications, credit reports, or transaction histories.
    • Any data that could identify an individual in connection with financial services.

Key Compliance Requirements

The FTC Safeguards Rule, updated in October 2021 with the most substantive new provisions taking effect on June 9, 2023, outlines specific requirements for financial institutions to develop and maintain a comprehensive information security program. Key elements include:

  1. Written Information Security Program (WISP):
    • Institutions must develop, implement, and maintain a Written Information Security Program tailored to their size, complexity, and the nature of their activities.
    • The WISP must address administrative, technical, and physical safeguards to protect NPI.
  2. Core Safeguards Requirements: The program must include safeguards that:
    • Ensure the security and confidentiality of customer information.
    • Protect against anticipated threats or hazards to the security or integrity of such information.
    • Guard against unauthorized access or use that could result in substantial harm or inconvenience to customers.
  3. Key Elements of the Security Program (per the 2021 amendments; together with the board reporting requirement in item 4 below, these make up the nine elements the FTC highlights in its guidance):
    • Designate a Qualified Individual: Appoint a single qualified individual (e.g., a Chief Information Security Officer) to oversee, implement, and enforce the security program. This can be an employee or an external service provider.
    • Risk Assessments: Conduct regular, written risk assessments to identify internal and external risks to NPI. Assessments must define criteria for evaluating risks and how they will be mitigated.
    • Implement Safeguards:
      • Use access controls to authenticate and restrict access to NPI based on a “need-to-know” basis.
      • Maintain an inventory of data and systems to understand where NPI is stored and processed.
      • Encrypt NPI both in transit (e.g., over networks) and at rest (e.g., on servers or devices). Where encryption is infeasible, the Rule permits effective alternative compensating controls, but only if the Qualified Individual reviews and approves them in writing.
      • Adopt secure development practices for in-house applications handling NPI.
      • Implement multifactor authentication (MFA) for any individual accessing any information system, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.
      • Develop data retention and disposal policies that securely dispose of customer information no later than two years after it was last used in connection with the customer, unless it is needed for a legitimate business purpose or must be retained by law.
      • Maintain a change management process to address system updates or modifications.
      • Monitor and log user activity to detect unauthorized access or anomalies.
    • Continuous Monitoring or Penetration Testing: Either implement continuous monitoring of information systems, or conduct annual penetration testing plus vulnerability assessments at least every six months (and whenever there are material changes to operations or the business).
    • Employee Training: Provide regular security awareness training for employees handling NPI.
    • Service Provider Oversight: Take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for NPI, require those safeguards by contract, and periodically assess providers based on the risk they present and the adequacy of their safeguards.
    • Incident Response Plan: Develop a written plan to respond to and recover from security incidents, including data breaches.
    • Regular Program Evaluation: Periodically assess and update the security program based on risk assessments, testing results, or material changes in operations or threats.
  4. Reporting Requirements:
    • Unless the institution qualifies for the small-institution exemption below, the Qualified Individual must report in writing, at least annually, to the board of directors or equivalent governing body (or to a senior officer responsible for the program if there is no board). The report should include:
      • The overall status of the security program.
      • Compliance with the Safeguards Rule.
      • Results of risk assessments and testing.
      • Security incidents and responses.
      • Recommendations for program improvements.
  5. Exemptions for Smaller Institutions:
    • Financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from certain requirements:
      • A written risk assessment.
      • Continuous monitoring or annual penetration testing and periodic vulnerability assessments.
      • A written incident response plan.
      • Annual written reporting to a board.
    • They must still maintain a WISP and comply with all other safeguards, including access controls, MFA, encryption, and employee training.

Enforcement and Penalties

  • FTC Oversight: The FTC enforces the Safeguards Rule through investigations, audits, and enforcement actions.
  • Penalties: Non-compliance can result in:
    • Consent orders imposing multi-year compliance obligations, and civil penalties (tens of thousands of dollars per violation, adjusted annually for inflation) for violations of such orders.
    • Injunctions, restitution, or other corrective actions.
    • Reputational damage and loss of consumer trust.
  • Examples: The FTC has alleged Safeguards Rule violations in enforcement actions such as its 2019 settlement with Equifax over the 2017 breach and its 2020 action against mortgage-industry vendor Ascension Data & Analytics, resulting in settlements, monetary relief, and long-term security program obligations.

Key Compliance Steps

  1. Appoint a Qualified Individual: Designate a responsible person to oversee the security program.
  2. Conduct a Risk Assessment: Identify risks to NPI and document mitigation strategies.
  3. Develop a WISP: Create a written plan addressing the nine required elements, tailored to the institution’s operations.
  4. Implement Safeguards: Deploy technical (e.g., encryption, MFA), administrative (e.g., training, policies), and physical (e.g., secure storage) controls.
  5. Test and Monitor: Perform penetration testing, vulnerability scans, or continuous monitoring to identify weaknesses.
  6. Train Employees: Ensure staff are trained on security practices and aware of their responsibilities.
  7. Oversee Vendors: Vet third-party providers and include Safeguards Rule compliance in contracts.
  8. Prepare for Incidents: Establish a written incident response plan and test it regularly.
  9. Update the Program: Review and adjust the WISP based on new risks, incidents, or business changes.

Challenges

  • Complexity and Cost: Developing a comprehensive WISP and implementing technical safeguards (e.g., encryption, MFA) can be resource-intensive, especially for smaller firms.
  • Third-Party Oversight: Ensuring vendors comply with the rule requires diligent monitoring and contractual safeguards.
  • Evolving Threats: Keeping up with rapidly changing cybersecurity threats necessitates ongoing investment in technology and training.
  • Regulatory Overlap: Firms subject to other regulations (e.g., FINRA, SEC, or state laws) must navigate overlapping requirements.

Benefits of Compliance

  • Consumer Trust: Robust safeguards enhance customer confidence in the institution’s handling of sensitive data.
  • Risk Mitigation: A strong security program reduces the likelihood and impact of data breaches.
  • Regulatory Compliance: Adherence avoids costly penalties and enforcement actions.
  • Competitive Advantage: Demonstrating compliance can attract clients seeking secure financial services.

Recent Developments (as of August 2025)

  • 2021 Amendments Fully Effective: The updated Safeguards Rule, effective June 9, 2023, introduced stricter requirements like MFA, encryption, and written risk assessments, reflecting heightened cybersecurity concerns.
  • Breach Notification to the FTC: A further amendment, effective May 13, 2024, requires covered institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a notification event in which unencrypted customer information of at least 500 consumers was acquired without authorization.
  • Continued FTC Enforcement: The FTC continues to bring enforcement actions against covered firms with inadequate cybersecurity practices.
  • Focus on Third-Party Risks: Recent guidance emphasizes vetting and monitoring service providers to prevent supply chain vulnerabilities.
  • Alignment with Other Standards: The Rule’s required elements map readily onto widely used control frameworks such as the NIST Cybersecurity Framework and NIST SP 800-53 control families, which simplifies compliance for firms subject to multiple regulations.

How to Get Started

  • Review the FTC Safeguards Rule text (16 CFR Part 314) and the FTC’s guide “FTC Safeguards Rule: What Your Business Needs to Know” on ftc.gov.
  • Use the FTC’s Cybersecurity for Small Business resources for practical steps to develop a WISP.
  • Engage cybersecurity consultants or legal experts to tailor the program to your institution.
  • Implement tools for encryption, MFA, and monitoring to meet technical requirements.

Conclusion

The FTC Safeguards Rule establishes a robust framework for protecting consumer NPI, requiring financial institutions to implement comprehensive, risk-based security programs. Compliance involves designating a qualified individual, conducting risk assessments, implementing technical and administrative safeguards, and maintaining ongoing monitoring. Non-compliance carries significant penalties, making adherence critical for legal, operational, and reputational reasons.
