Blog > What are a company's responsibilities, requirements and laws under the FTC Safeguards rules and how can an employer stay compliant
What are a company's responsibilities, requirements and laws under the FTC Safeguards rules and how can an employer stay compliant
Nov 02, 2023, Thu 22:28:51

The Federal Trade Commission (FTC) Safeguards Rule is part of the Gramm-Leach-Bliley Act (GLBA), which was enacted to ensure the security and confidentiality of customer information held by financial institutions. While this answer provides a general overview, please note that regulations can change, and you should always refer to the current official documentation or seek legal advice specific to your situation.

As of September 2021, here's an overview of the responsibilities, requirements, and laws under the FTC Safeguards Rule:

Responsibilities and Requirements:

  1. Information Security Program: Financial institutions must develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards.

  2. Designate an Employee: An employee or employees must be designated to coordinate the safeguards.

  3. Risk Assessment: Identify and assess the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards.

  4. Design and Implement Safeguards: Based on the risk assessment, design and implement a safeguards program, and regularly monitor and test it. This could include measures such as encryption, access controls, and authentication procedures.

  5. Service Provider Oversight: If you provide customer information to service providers, you must take steps to ensure that they also maintain appropriate safeguards. This often includes having contractual clauses that obligate them to keep the information secure.

  6. Evaluate and Adjust the Program: Institutions must periodically review and adjust their information security programs in light of relevant circumstances, including changes in business or operations or the results of security testing and monitoring.

How an Employer Can Stay Compliant:

  1. Regular Training: Regularly train employees about the importance of data security and the protocols in place.

  2. Periodic Audits: Conduct regular audits and assessments to ensure compliance with the Safeguards Rule and to identify potential vulnerabilities.

  3. Update Policies and Procedures: As technology and threats evolve, your policies and procedures should too. Periodically review and update them to address new challenges.

  4. Incident Response Plan: Develop a plan to respond to and recover from security incidents. This will help limit damage and reduce recovery time and costs.

  5. Stay Informed: Stay updated on changes to the Safeguards Rule and other related regulations. The FTC often provides guidance, updates, and resources for businesses to understand their obligations.

  6. Seek Expertise: It can be helpful to seek out third-party experts who can evaluate your program's effectiveness and identify potential weaknesses.

  7. Document Everything: Documentation can serve as evidence of your efforts to comply with the rule. This is particularly important if there's ever a question about your organization's compliance.


Here are some definitions from the Safeguards Rule. Consult 16 C.F.R. § 314.2 for more definitions.

Authorized user means any employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data.

Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

Encryption means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.


Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C § 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.


Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.


Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contains customer information or that is connected to a system that contains customer information.


Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics.


Nonpublic personal information means: (i) Personally identifiable financial information; and (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.


Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.


Security event means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.

Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.

Always keep in mind that while the FTC Safeguards Rule sets a baseline, individual states or other jurisdictions might have their own data protection and privacy laws that are stricter or have additional requirements. As such, always be aware of the laws and regulations specific to your jurisdiction.