What is the FTC Safeguards Rule?

The FTC Safeguards Rule is the regulation that implements the security provisions of the Gramm-Leach-Bliley Act (GLBA) for non-bank financial institutions. Codified at 16 CFR Part 314 and significantly updated in 2023, it requires covered businesses to maintain a written information security program with specific elements: a designated qualified individual, risk assessments, access controls, multi-factor authentication, encryption, monitoring, and incident response.

Background and 2023 Update

The Safeguards Rule has been around since 2003, but the FTC overhauled it in 2021, with most of the new requirements taking effect in June 2023. The update was driven by years of breach activity affecting auto dealers, mortgage brokers, payday lenders, and other non-bank financial businesses that were subject to the rule but doing little to comply with it.

The original rule was principles-based and vague. The 2023 version is prescriptive, with specific technical and administrative requirements, each of which is now enforceable on its own.

Who's Covered

The Safeguards Rule applies to "financial institutions" under the FTC's jurisdiction. That excludes banks, credit unions, and savings institutions (which are covered by their own banking regulators) but includes a wide range of non-bank businesses that engage in financial activities:

  • Auto dealers (when arranging financing)
  • Mortgage brokers and lenders
  • Payday lenders and consumer finance companies
  • Tax preparers
  • Check cashers
  • Wire transfer services
  • Investment advisors that aren't SEC-registered
  • Real estate appraisers
  • Collection agencies
  • Career counselors providing financial services

The trigger is engaging in financial activity for a consumer, not the size of the business. A small mortgage broker is covered just like a national one.

The Required Elements

Covered businesses must develop, implement, and maintain a written information security program. The 2023 rule specifies nine elements that the program must include:

1. Qualified Individual

The business must designate a qualified individual responsible for overseeing the security program. This person doesn't have to be a full-time employee, but they must have appropriate expertise. They report to the board or senior management at least annually.

2. Risk Assessment

A written risk assessment that identifies foreseeable internal and external risks to customer information, assesses the sufficiency of existing safeguards, and informs the design of the security program. The assessment must be updated periodically.

3. Safeguards Based on Risk Assessment

Specific technical and physical safeguards proportionate to the risks identified, including:

  • Access controls: Authentication and authorization restrictions, with limits on who can access customer information
  • Data inventory: Identification and management of customer data, where it's stored, who has access, and when it's destroyed
  • Encryption: Customer information must be encrypted both in transit over external networks and at rest, unless the qualified individual approves a compensating control
  • Secure development: Adoption of secure-development practices for in-house apps and security assessments for externally developed apps
  • Multi-factor authentication: MFA required for any individual accessing customer information, with limited exceptions approved by the qualified individual
  • Disposal: Secure disposal of customer information no later than two years after the last interaction with the customer
  • Change management: Procedures for evaluating and adjusting the security program in response to changes in operations or technology
  • Monitoring: Logs of authorized user activity sufficient to detect unauthorized access

4. Continuous Monitoring or Annual Penetration Testing

The business must regularly test or otherwise monitor the effectiveness of its safeguards. The rule specifies either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months.

5. Training

Security awareness training for all personnel, plus specialized training for security personnel commensurate with their roles.

6. Service Provider Oversight

The business must select service providers capable of maintaining appropriate safeguards, contractually require them to do so, and periodically assess their performance.

7. Program Evaluation and Adjustment

The security program must be evaluated and adjusted in response to test results, monitoring results, business changes, and any other relevant factors.

8. Incident Response Plan

A written incident response plan that addresses goals, internal processes, roles and responsibilities, communication, remediation, documentation, and post-incident evaluation.

9. Reporting to Governance

The qualified individual must report in writing at least annually to the board or senior management on the overall status of the security program, material matters related to it, and recommendations for changes.

Breach Notification

An additional amendment in 2023 added a notification requirement: covered businesses must notify the FTC of any security incident affecting 500 or more consumers as soon as possible and no later than 30 days after discovery. This took effect May 2024.

Enforcement

The FTC enforces the Safeguards Rule. Penalties can include consent orders, mandatory compliance programs, ongoing monitoring, and civil penalties. The FTC has brought actions against businesses for failing to implement basic safeguards, with consent orders typically requiring 20 years of compliance reporting and biennial third-party audits.

How Paytia Uses This

For US clients in financial services that fall under the FTC Safeguards Rule, the rule's encryption, MFA, access control, and service-provider oversight requirements all apply to how customer payment information is handled. That includes the contact center, the IVR, the payment processor, and any vendor that touches customer information during a payment.

Paytia operates as a service provider in this context. Our telephone payment platform is built on PCI DSS Level 1 certified infrastructure with encryption in transit and at rest, MFA on administrative access, and access controls and audit logs that support the Safeguards Rule's requirements. We can provide the contractual commitments and security documentation that the rule requires for service providers.

If you're a covered financial institution evaluating payment vendors, look at our IVR payment options and recurring payment options as part of your service-provider assessment.

Frequently Asked Questions

Does the FTC Safeguards Rule apply to banks?

No. Banks, credit unions, and savings institutions are covered by their own banking regulators (OCC, FDIC, Federal Reserve, NCUA) under the GLBA's interagency guidelines. The FTC version applies to non-bank financial institutions like auto dealers, mortgage brokers, and tax preparers.

Is MFA actually required for everyone?

Yes, with narrow exceptions. The rule requires multi-factor authentication for any individual accessing customer information on the business's systems, unless the qualified individual approves a reasonably equivalent or more secure access control.

How often do we need to do penetration testing?

If you're not doing continuous monitoring of your information systems, you need annual penetration testing plus vulnerability assessments at least every six months. Continuous monitoring can satisfy the testing requirement.

When do we have to report a breach to the FTC?

If a security incident affects 500 or more consumers, you must notify the FTC as soon as possible and no later than 30 days after discovery. This notification rule took effect May 2024.

See how Paytia handles the FTC Safeguards Rule

Book a personalised demo and we'll show you how our platform works with your setup.
