The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program designed to protect customer information. In 2021, the FTC amended the Safeguards Rule (which originally took effect in 2003) to ensure its contents reflect advancements in technology. According to the FTC, the 2021 update provides “more concrete guidance for businesses,” including the data security principles affected companies must implement.
Who is covered by the FTC Safeguards Rule?
The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805. The amended rule expands the definition of financial institutions, meaning many businesses which previously were not impacted by the rule will be now. Now, however, it’s not just banks and similar financial institutions that will be covered under the rule. By the FTC’s updated definition, affected organizations will be those significantly involved in financial activities, as well as activities incidental to such financial activities.
Some examples are:
Retailer that issues credit cards
Personal Property and Real Estate Appraisers
Check Cashing Business
Accountant or other Tax Preparation Services
Investment Advisory Company
Download our free FTC Safeguards Guide.
What is Required?
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” The 8 required elements of the rule are: