Understanding the FTC Safeguards Rule: A Business Owner’s Guide

Has your business taken the proper precautions to safeguard sensitive customer data against escalating cyber threats?

If not, massive liability could await in 2024, thanks to an expanded federal regulation called the FTC Safeguards Rule.

With digital crime booming, the updated Federal Trade Commission measure mandates heightened safeguards across sectors to shield customer information, including financial details, from attack.

Specifically, expanded provisions of the rule establish stronger protocols for locking down client data. Moreover, a new amendment approved in October requires non-banking financial institutions to promptly report certain data breaches and other security events to the FTC or face the consequences.

Non-compliance risks hefty fines, lawsuits, reputational damage, and suspension of e-filing privileges, not to mention the cost of recovering from a data breach, so understanding this rule is no small matter for businesses.

In this article, we’ll explore what businesses need to know about the FTC Safeguards Rule, including who is covered, how to comply, the components of an effective information security program, and why this is so important for businesses. Continue reading to learn more!

What is the New FTC Safeguards Rule for Customer Information?

What does the Federal Trade Commission’s Standards for Safeguarding Customer Information (or the “Safeguards Rule” for short) actually do?

Put simply: Just what it sounds like it does.

The Safeguards Rule is a regulatory measure that mandates that businesses under the FTC’s jurisdiction meet legal standards for handling sensitive customer data, including developing, implementing, and maintaining an information security program equipped with administrative, technical, and physical safeguards.

The objective of this rule is threefold:

  • To ensure the security and confidentiality of customer information
  • To protect against anticipated threats or hazards to the security or integrity of such information
  • To guard against unauthorized access to information that could result in substantial harm or inconvenience to any customer

Recent updates to the Safeguards Rule now require more rigorous protections appropriate to emerging cyber threats. Key changes involve broader encryption and access control rules, multi-factor authentication requirements, assessments of security practices by third-party vendors, and forced security upgrades after any system changes.

The rule was initially implemented in 2003 under the Gramm-Leach-Bliley Act; extensive revisions took effect in 2021 to strengthen the data security safeguards that financial institutions must put in place.

In October 2023, the FTC amended the rule to create a data breach disclosure requirement. This amendment, which will go into effect on May 13, 2024, means non-banking financial institutions must notify the FTC as soon as possible and no later than 30 days after discovering a security breach involving the information of at least 500 consumers.

Also important for tax preparers: when applying for or renewing a Preparer Tax Identification Number (PTIN), they are asked whether the firm has a written information security program (WISP) in place.

So, what exactly is a “non-banking financial institution,” anyway?

Does your business count, and if so, how can you ensure compliance?

Let’s explore this in more depth.

To Whom Does the FTC Safeguards Rule Apply?

The Safeguards Rule applies broadly to businesses categorized as “financial institutions” that handle sensitive customer information. However, this designation encompasses far more than banks, credit unions, or investment firms.

Under Section 314.2(h) of the Code of Federal Regulations, “financial institutions” include any company significantly participating in financial activities or related services. Along with lenders and traditional finance groups, professional services organizations like accounting firms, tax preparation services, credit counseling agencies, and consultants or contractors fall under FTC authority.

More specifically, financial institutions subject to FTC Safeguards Rule compliance include businesses such as:

  • Mortgage brokers, lenders, and servicers
  • Loan brokers and originators
  • Financial/investment advisors and planners
  • Tax preparation firms
  • Credit counseling or repair agencies
  • Check cashing companies
  • Services supporting financial industry consumers like career counseling, travel agencies, or enterprise technology consultants
  • Third-party accounts receivable management companies
  • Retailers, dealerships, or service providers extending direct credit lines to customers
  • Businesses regularly transmitting consumer funds or facilitating payments

Essentially, any company that handles nonpublic financial data like bank account details, credit card numbers, income figures, credit scores, or other personal finance records must comply.

Businesses maintaining data on fewer than 5,000 consumers may qualify for exceptions, easing certain requirements. Nevertheless, maintaining prudent security is still vital given the increasing cybercriminal interest in small businesses as soft targets.

How Can Businesses Comply with the FTC Safeguards Rule?

Compliance with the Safeguards Rule requires a written information security program appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information at hand.

The objectives of your company’s program must be:

  • To ensure the security and confidentiality of customer information,
  • To protect against anticipated threats or hazards to the security or integrity of that information, and
  • To protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

The rule defines “customer information” to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

This covers information about your own customers and information about customers of other financial institutions that have provided that data to you.

What Are the Components of an Effective Information Security Program?

An effective modern information security program contains layered administrative, physical, and technical controls, including:

  • Encryption safeguarding data at rest and in transit
  • Firewalls, anti-malware, and intrusion prevention software
  • Access management via role-based permissions and multi-factor authentication
  • Vulnerability assessment, penetration testing, audit logging, and change monitoring
  • Secure backup and recovery capabilities
  • Employee training on handling data and recognizing threats
  • Incident response planning and policy enforcement

Furthermore, the FTC Safeguards Rule outlines some core elements businesses must integrate into their customized program:

  1. Appoint a Qualified Individual to Direct the Program: Designate a senior team member or external expert to spearhead safeguards. Retain oversight duties and ensure service providers meet requirements, too.
  2. Perform Initial and Recurring Risk Assessments: Inventory data flows and infrastructure. Analyze internal and external threats, evaluate existing controls, and outline requirements to address gaps.
  3. Implement Technical and Physical Safeguards: Encrypt data and restrict access to authorized users only by implementing principles of least privilege and separation of duties.
  4. Ensure Third Parties Maintain Adequate Security: Vet vendors to ensure appropriate protections are in place and required by contracts. Rapidly address any vendor-related vulnerabilities.
  5. Test Controls via Audits, Scans, and Monitoring: Continually verify program effectiveness via audits, vulnerability assessments, penetration testing, metrics tracking, system monitoring, and inspection of audit logs.
  6. Train Staff on Evolving Threats: Equip personnel to uphold protocols via security awareness training. Verify key roles stay current on emerging attack vectors.
  7. Continuously Refine Defenses: Evolve safeguards to address operational changes, new attack trends, risk assessment findings, and monitoring results.
  8. Prepare and Test an Incident Response Plan: Define a response strategy with procedures to rapidly contain, communicate, investigate, and remediate threats.
  9. Report Status to Leadership Annually: Apprise leadership and the board on program effectiveness, metrics, risks, vendor oversight, and recommendations.

Larger entities and those facing elevated risks or advanced cyber hazards may require additional controls, such as:

  • 24/7 automated attack detection
  • Verifying identity before data access
  • Restricting contractor credentials
  • Sandboxing untested applications

Why Does the FTC Safeguards Rule Matter for Businesses?

Maintaining robust safeguards to comply with the FTC Safeguards Rule protects customer trust, reputation, and bottom line. Data breaches carry severe financial damages — $4.45 million on average in 2023 — not to mention intangible brand and relationship costs.

As cybercriminals grow more sophisticated, merely reactive security is inadequate. By implementing systematic safeguards per the Safeguards Rule, you reduce the risks and promote continuity if incidents arise.

Need help making sense of all this and understanding the impact on your business?

The potential exposures from something as preventable as non-compliance with the Safeguards Rule make working with seasoned advisors an easy call, and our team stands ready to assist.

Would you like some help?

If you are a client and would like to book a consultation, call us at +1 (212) 382-3939 or contact us here to set up a time.

If you aren’t a client, why not? We can take care of your accounting, bookkeeping, tax, and CFO needs so that you don’t have to worry about any of them. Interested? Contact us here to set up a no-obligation consultation.
