FTC’s updated Safeguards Rule includes short compliance deadlines and small business exemptions

The Federal Trade Commission (FTC) recently announced its long-awaited update to the Standards for Safeguarding Customer Information, the Safeguards Rule, to strengthen data security requirements for covered businesses. The Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA), a federal law that applies to non-banking financial institutions and requires safeguards to ensure the confidentiality and security of consumers’ nonpublic personal information.[1]  

Much like the New York State Department of Financial Services Cybersecurity Regulation, the new Safeguards Rule contains both risk-based and prescriptive requirements. Most of the updated requirements call for compliance within 30 days of the rule’s publication in the Federal Register. Other requirements must be implemented within one year.[2]

The “Final Rule” includes five main modifications:

1. More detailed requirements for information security programs

The updated rule includes more detailed requirements for covered businesses’ information security programs, including specific criteria for risk assessments and the new requirement that the risk assessment be in writing.[3] After conducting a risk assessment, covered businesses, must, within one year, design and implement the following safeguards:

  • Implementation of access controls concerning consumer information
  • Conduct data inventory and classification
  • Encrypt customer information held or transmitted both in transit and at rest
  • Adopt secure development practices
  • Implement Multi-Factor Authentication for any individual accessing any information system
  • Implement and maintain information disposal procedures
  • Adopt change management procedures
  • Test effectiveness of safeguards’ key controls, systems, and procedures
  • Establish a written incident response

Additionally, covered businesses are required to provide effective employee training and oversight of third party service providers. Covered businesses have one year to implement employee training, but only thirty days to oversee service providers, including requiring, by contract, that the service providers implement safeguards.  The FTC  acknowledged  that covered businesses have flexibility to design an information security program that is appropriate to the business’ size and complexity, as well as the nature and scope of its activities, and the sensitivity of its customer information.

2. New accountability requirements

Within one year of the effective date of the modified rule, covered businesses must appoint a single designated Qualified Individual, who may be employed by the covered business, an affiliate or a service provider, to coordinate the information security program.[4] Additionally, periodic reporting to the board of directors or governing body is now required with one year.[5] The FTC noted that this periodic reporting will provide senior management with better awareness of the information security program and improve the allocation of resources to better protect consumer information.[6]

3. New exemptions for small businesses

Recognizing the potential impact of the new requirements on small businesses, the rule provides exemptions from the following requirements for covered businesses that collect information on fewer than 5,000 consumers:

  • Written risk assessment[7]
  • Continuous penetration testing[8]
  • An incident response plan[9]
  • Annual Board of Directors reporting[10]

4. Expanded definition of “financial institution”

Acknowledging that many businesses that collect and maintain sensitive consumer information may not be covered by the rule, the FTC has expanded the definition of “financial institution” to include entities engaged in activities deemed by the Federal Reserve Board to be “incidental” to financial activities.[11] Specifically, the updated rule now includes “finders”, companies that bring together buyers and sellers of a product or service. This brings the Safeguards Rule into line with other federal agencies’ safeguard rules.

5. Definition amendments

The FTC also amended the certain definitions in the following key ways:

  • “Authorized User” replaces “authorized individual” and is broadened to include anyone who the financial institution authorizes to access an information system or data, regardless of whether the user actually accesses or uses the data.[12]
  • “Cybersecurity Event” is replaced with “security event” to include customer information held in physical form, acknowledging that an information security system may have data that is both digital and physical.[13]
  • “Incidental Activity” is added to account for the inclusion of “finders”, defined as those who bring together one or more buyers and sellers of any product or service for a transaction that the parties themselves negotiate.

Notice of supplemental rulemaking

Apart from its update to the Safeguards Rule, the FTC issued a notice of supplemental rulemaking to announce that it is considering implementation of a reporting obligation for covered financial institutions.[14] This reporting obligation would be for cybersecurity events where customer information has been or is reasonably likely to be misused and one thousand or more consumers are affected or are reasonably likely to be affected by it.

Key takeaways

Covered businesses should carefully review the updated rule and move quickly to assess the adequacy of their information security programs. Critically, businesses should be particularly mindful of the 30 day compliance deadline for certain requirements and prioritize their compliance efforts accordingly.  



[1] Examples of non-banking financial institutions subject to the FTC’s enforcement authority are mortgage lenders, pay day lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and financial advisors, tax preparation firms, non-federally insured credit unions, and entities acting as finders. 16 C.F.R. § 314.1(b)

[2] Requirements for which covered businesses will have one year to comply are: designation of a Qualified Individual, a written risk assessment, the design and implementation of safeguards to control risks identified in the risk assessment, continuous monitoring and period penetration testing, employee training, periodic assessments of service providers, and the identification of required remediation measures for known weaknesses.

[3] See generally 16 C.F.R. § 314.4 Elements

[4] 16 C.F.R. § 314.4(a)

[5] 16 C.F.R. § 314.4(i)

[6] 16 CFR  Part 314: Standards for Safeguarding Customer Information (Final Rule), at 6, https://www.ftc.gov/system/files/documents/federal_register_notices/2021/10/safeguards_rule_final.pdf

[7] 16 C.F.R. § 314.4(b)(1)

[8] 16 C.F.R. § 314.4(d)(2)

[9] 16 C.F.R. § 314.4(h)

[10] 16 C.F.R. § 314.4(i)

[11] 16 C.F.R. § 314.2(h)(1)

[12] 16 C.F.R. § 314.2(a)

[13] 16 C.F.R. § 314.2(p)

[14] 16 CFR  Part 314: Standards for Safeguarding Customer Information (Final Rule), at 100-101, https://www.ftc.gov/system/files/documents/federal_register_notices/2021/10/safeguards_rule_final.pdf