
Which Businesses are Subject to the New FTC Safeguards Rule?

June 26th, 2025 | 4 min. read

By Mark Sheldon Villanueva


Editor's note: This post was originally published on October 28, 2022 and has been revised for clarity and comprehensiveness.

If your business handles sensitive customer information—like Social Security numbers, bank account details, or credit reports—you may now fall under the scope of the updated FTC Safeguards Rule. Designed to strengthen data security and protect consumer privacy, the rule significantly expands who’s required to implement a written information security program.

Unfortunately, many business owners still aren’t aware that they’re now on the hook for compliance. In this article, we’ll break down exactly which types of businesses are affected by the rule, what the new requirements entail, and how to stay ahead of potential penalties.

At Intelligent Technical Solutions (ITS), we help hundreds of businesses stay on top of the latest compliance standards. In this article, we’ll go over:  

  • What is the FTC Safeguards Rule?  
  • Who’s covered by the FTC Safeguards Rule?  
  • What are the changes in the updated FTC Safeguards Rule?  
  • Simple steps to position your business for compliance 

After reading, it'll be clear whether you should be concerned with the changes in the FTC Safeguards Rule. If you are, you can start preparing your business for the necessary compliance requirements.   

 

What is the FTC Safeguards Rule? 


In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA), under which the FTC issued the Safeguards Rule in 2002, enhancing the regulatory power of the FTC. This led to new requirements for financial institutions, including developing, implementing, and maintaining an information security program to prevent unauthorized access to sensitive customer information.

Who's Covered by the Safeguards Rule?

The Safeguards Rule was originally intended to regulate financial institutions, which, in the original drafting of this rule, meant any organization "significantly engaged in financial activities." 

A financial institution, according to the FTC's amended standards, now refers to any organization that is significantly involved in economic activities and "activities incidental to such financial activities." Speaking generally, the FTC Safeguards Rule covers organizations that:  

  • Handle big money
  • Extend lines of credit or loans
  • Connect consumers with financial institutions
  • Are involved with others' ability to access capital


What are the Changes in the Updated FTC Safeguards Rule? 

In the past, the Safeguards Rule has been vague and offered flexibility in compliance. However, after public comment and further research, the FTC released the updated Safeguards Rule with amendments to keep up with technological change, respond to current cybersecurity threats, and establish more concrete cybersecurity guidelines. 

Here are the five main modifications in the new Safeguards Rule:

1. The new definition of "Financial Institution"

"Financial institution" was previously just defined as any U.S. company significantly engaged in financial activities. Under the new Safeguards Rule, "financial institution" includes any organization incidental to such financial activities.

The FTC explains that this modification is intended to bring “finders” — companies that bring together buyers and sellers of a product or service — within the scope of the Safeguards Rule.

Here are some of the non-financial institutions that will need to adhere to the newly updated FTC Safeguards Rule:  

(Figure: list of some non-financial institutions required to adhere to the newly updated FTC Safeguards Rule)

2. Other new definitions and related examples

The new Safeguards Rule includes several new terms, such as authorized user, multifactor authentication or MFA, encryption, penetration testing, security event, and related examples for clarity and ease of use.

3. New requirements for Information Security Programs 

The new Safeguards Rule provides more detailed requirements for developing and establishing an information security program. The new rule specifies that the risk assessment must now include, among other things: 

  • Criteria for evaluating risks faced by the institution 
  • Criteria for assessing the security of its information systems 
  • How the identified risks will be addressed 

4. Improved accountability

The new Safeguards Rule adds requirements designed to improve the accountability of financial institutions' information security programs. The FTC explains that this requirement will provide senior management with better awareness of their financial institutions' information security programs, making it more likely for the programs to receive the required resources and be able to protect consumer information. 

5. New exemptions for small businesses 

The new Safeguards Rule exempts financial institutions that collect information on fewer than 5,000 consumers from certain requirements: a written risk assessment, an incident response plan, and annual reporting to the board of directors.

The Role of MFA in the New Safeguards Rule 

Previous legislation established guidelines for protecting consumer information that could only be enforced on a regional level. The Safeguards Rule, by contrast, sets a national standard, outlining what a reasonable information security program looks like. According to the FTC, a vital component of these programs is multifactor authentication (MFA).

MFA helps security teams control access to sensitive data. When an MFA solution is deployed, in addition to a username and password, employees with access to sensitive data will need another means of verification to make sure they are who they say they are.    

5 Steps to Comply with the Safeguards Rule 

If your organization is subject to the Safeguards Rule, there are five simple steps to position your business for compliance. 

1. Assign your organization's "Qualified Individual." 

Part of the FTC's amendments to the rule includes designating someone within your organization to be the "Qualified Individual." This person will oversee the development and execution of the organization's information security program and report to the company's board of directors.    

The FTC says that this person does not need to have any accolades or certifications but should be well-experienced in securing an organization of your size and structure.  

2. Deploy an encryption service for files, emails, and apps.

The Safeguards amendment now requires organizations to encrypt all sensitive customer data at rest and in motion. This is a general requirement, as data can move in many ways and for many reasons. 

3. Control network access. 

The Safeguards Rule now requires companies to periodically re-evaluate who in the organization has access to certain information and for how long. This lowers the risk of breaches by granting access to data only on a need-to-know basis. Restricting access to all data at all times reduces the risk of sensitive data being exposed during a hack or breach.

4. Assess your applications and partners. 

The FTC urges organizations to reevaluate their in-house applications or third-party partners to ensure they follow the Safeguards Rule requirements. A breach targeted at a third party or by an unprepared in-house application can have staggering effects on the customer data it's designed to protect. 

5. Make sure the security software you choose is user-friendly.

Training your employees is a crucial requirement in the Safeguards Rule. Your Qualified Individual can implement as many security measures as possible, but there are still risks if your employees have no idea how to implement them properly. 

Ready to be FTC Safeguards Rule Compliant?

The updated FTC Safeguards Rule isn’t just for banks and credit unions anymore, it now affects a wide range of businesses that handle sensitive consumer data. If your company is even incidentally involved in financial activities, you could be subject to these stricter requirements.

Fortunately, taking action now can help you avoid fines, strengthen your data security, and build trust with your clients. 

At ITS, we help hundreds of businesses navigate the world of compliance as smoothly as possible with our ITS Verify solutions. Schedule a free compliance consultation with our expert if you need help with compliance for the FTC Safeguards Rule. You can also check out the following resources if you want to learn more about the FTC’s updated Safeguards Rule: 

Mark Sheldon Villanueva

Mark Sheldon Villanueva has over a decade of experience creating engaging content for companies based in Asia, Australia and North America. He has produced all manner of creative content for small local businesses and large multinational corporations that span a wide variety of industries. Mark also used to work as a content team leader for an award-winning digital marketing agency based in Singapore.