The New FTC Safeguards Rule: Is Your Business Affected?

Person completing a cybersecurity shieldIn 2021, the FTC amended the Safeguards Rule (which originally took effect in 2003) to ensure its contents reflect advancements in technology. Originally, the rule was developed to ensure financial institutions protect consumers’ private data. According to the FTC, the 2021 update provides “more concrete guidance for businesses,” including the data security principles affected companies must implement. It will also now apply to a much broader scope of business types.

While the amendment was made in 2021 and the deadline for requirements is approaching, many companies still lack clarity about whether they’re affected and if so, what must be done to ensure compliance. Here’s a quick guide to the New FTC Safeguards Rule to help clear up any uncertainties.

Which Businesses Fall Under the FTC Safeguards Rule?

The amended rule expands the definition of financial institutions, meaning many businesses which previously were not impacted by the rule will be now. The 2003 Safeguards Rule was meant to regulate financial institutions — or organizations “significantly engaged in financial activities.” Now, however, it’s not just banks and similar financial institutions that will be covered under the rule.

By the FTC’s updated definition, affected organizations will be those significantly involved in financial activities, as well as activities incidental to such financial activities. In other words, companies that extend credit lines, offer loans, or are somehow involved with consumers’ ability to access money will all be regulated under the new rule. As the FTC puts it, “The definition of a ‘financial institution’ isn’t a hushed hall with tellers, deposit slips, and ballpoint pens on chains.”

In addition to financial institutions, the FTC cites several other examples of business types that will be impacted by the new rule:

  • BusinessCompanies that lease property on a nonoperating basis for 90 days or more, such as automobile, boat, motorcycle, RV, and other types of dealerships
  • Retailers that issue in-house credit cards
  • Payday lenders
  • Real estate settlement services
  • Companies that sell or print checks
  • Any company that wires funds
  • Accountants
  • Travel agents
  • Mortgage brokers
  • Financial counselors or advisors
  • Appraisers
  • Credit counseling services
  • Organizations that work as finders, or any business that charges a fee to connect consumers with lenders

Clearly, a seemingly simple change in verbiage makes the updated rule much more expansive, and many businesses will have to implement changes to ensure compliance with the rule before it takes effect. The above list isn’t exhaustive, however, so as the FTC notes, “If you aren’t sure if you’re covered, now’s the time to nail that down.”


Updated FTC Safeguards Overview

When Does the FTC’s Revised Safeguards Rule Take Effect?

Originally, the deadline for the FTC’s Revised Safeguards Rule was December 9, 2022. The new deadline for the Revised Safeguards Rule is June 9, 2023. In November 2022, the FTC issued a statement which cited “reports of personnel shortages and supply chain issues” as the driver for the extension.

What to Do if Your Business Is Covered by the FTC’s Revised Safety Rule

At the most basic level, the Safeguards Rule requires covered organizations to develop, implement, and maintain a program that protects consumer data. Yet, the rule’s provisions are far more complex than that, calling for a written information security program that’s tailored to each business’s size, complexity, and nature of activities. According to the FTC, the program should:

  • Ensure security and confidentiality of customer data
  • Protect against anticipated threats or hazards to the integrity or security of private data
  • Protect against unauthorized access to that information which could harm or inconvenience customers

Indeed, covered companies will need to implement a robust information security program. The FTC outlines nine core elements for the program:

  • Designate a Qualified Individual to implement and supervise the program.
  • Perform a cybersecurity risk assessment to determine internal and external risks and threats to the confidentiality and integrity of customer data.
  • Design and implement safeguards to control identified risks. (This point has its own eight-step process, including encrypting customer data, implementing multi-factor authentication, and securely disposing of customer information.)
  • Routinely monitor and test the effectiveness of safeguards.
  • Educate staff with cybersecurity awareness training and routine follow-up training.
  • Monitor service providers and ensure they maintain the appropriate safeguards.
  • Keep your information security program up-to-date.
  • Develop a written incident response plan. (There are seven elements of this plan, outlined under Section 314.4(h) of the Safeguards Rule.)
  • Have your Qualified Individual report to the Board of Directors with annual written reports, which must include an overall assessment of compliance with the information security program.


As you can see, the requirements are robust and call for an equally comprehensive approach. When considering your company’s compliance measures, allow us to assist by providing sophisticated solutions for data security that fit your business’s unique needs.