Financial Data Security

FTC Safeguards Rule

The technical teeth behind GLBA — and the rule that has pulled thousands of small financial businesses into FTC scrutiny since its 2023 expansion.

The Short Version

The FTC Safeguards Rule is the regulation that implements GLBA's information security requirements for FTC-supervised financial institutions. It was significantly expanded in December 2021, with full compliance required by June 9, 2023, and a 30-day breach notification requirement added May 2024.

The rule defines nine specific elements that every covered institution must have in a written information security program. There is no longer a "reasonable effort" defense — the requirements are explicit, and the FTC expects documentation.

Who Needs to Comply?

The Safeguards Rule applies to FTC-supervised "financial institutions" — broader than most expect:

  • Auto dealers offering financing or leasing (a major enforcement focus)
  • Tax preparers and CPA firms handling client financial data
  • Mortgage brokers and originators (non-bank)
  • Payday lenders, finance companies, and check cashers
  • Insurance agencies not otherwise regulated at the state level
  • Real estate settlement and appraisal services
  • Debt collectors and credit counseling
  • Finders — anyone who brings together buyers, sellers, or lenders
  • Retailers offering credit or financing on their own paper

Small-volume exemption: institutions that maintain customer information on fewer than 5,000 consumers get lighter documentation requirements, but they must still implement the substantive security controls.

The Nine Required Elements

Every covered institution must have a written information security program that includes all nine:

  1. Qualified Individual: A designated person responsible for implementing and supervising the program
  2. Risk assessment: Written, periodic, covering foreseeable internal and external risks
  3. Safeguards design and implementation: Including access controls, data inventory, encryption at rest and in transit, secure development, MFA, disposal, change management, and activity monitoring
  4. Regular monitoring and testing: Continuous monitoring, OR an annual penetration test plus semi-annual vulnerability scans
  5. Security awareness training: For all personnel
  6. Service provider oversight: Written contracts with security obligations, periodic assessment
  7. Program evaluation and adjustment: Update the program as risks change
  8. Written incident response plan: With defined roles, communications, and post-incident review
  9. Annual written report to the Board: Covering program status, risk assessment, test results, and material matters

The 30-Day Breach Notification Rule

As of May 13, 2024, covered institutions must notify the FTC within 30 days of discovering a security event that:

  • Involves unauthorized acquisition of unencrypted customer information
  • Affects 500 or more consumers

The notification is submitted through the FTC's online portal and must include the event description, date range, number of consumers affected, the information involved, and the corrective action taken.

The FTC then publishes notifications on its website — public disclosure is part of the penalty.

Enforcement and Penalties

  • Civil penalties: Up to $100,000 per violation for institutions
  • Officer/director liability: Up to $10,000 personally
  • Criminal exposure: Up to five years for willful violations
  • Consent decrees: Commonly 20 years with ongoing audit requirements
  • Auto dealer enforcement: FTC has been particularly active against dealers since 2023

How Digital Armor Helps

We build Safeguards Rule programs that actually match the nine elements — not generic templates:

  • Qualified Individual function support
  • Written risk assessment with documented findings
  • All nine control categories implemented and documented
  • Penetration testing and vulnerability scanning coordination
  • Access controls, MFA, encryption, secure disposal
  • Service provider inventory, contract review, and periodic assessment
  • Written incident response plan with tabletop exercise
  • 30-day notification playbook and FTC portal preparation
  • Annual board report template and supporting evidence

Is Your Safeguards Program Actually in Writing?

If it isn't, you don't have one — and that is exactly what the FTC asks for first in an enforcement inquiry. We can produce a documented, defensible program aligned to the nine required elements.

Book Your Assessment