{"id":29609,"date":"2023-12-04T18:00:43","date_gmt":"2023-12-04T12:30:43","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=29609"},"modified":"2026-04-14T19:17:41","modified_gmt":"2026-04-14T13:47:41","slug":"ftc-safeguards-rule","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/compliance\/ftc-safeguards-rule\/","title":{"rendered":"FTC Safeguards Rule: 2023 Amendment & Strategies"},"content":{"rendered":"\n

The Federal Trade Commission or FTC, established in 1914, was put forth by then-president Woodrow Wilson to protect consumers, investors, and businesses from anti-competition or industry monopoly. Essentially this meant promoting competition and providing more opportunities for others to enter the market sector. <\/p>\n\n\n\n

Federal Trade Commission\u2019s<\/a> major role in the U.S economy is helping with its smooth running. They achieve this by enforcing various laws and regulations to prevent anti-competition, deception, and unfair business practices. One such rule for the protection of consumers is the FTC safeguards rule. <\/p>\n\n\n\n

This article focuses on what the FTC safeguards rule is, what the 2023 amendment means for your business, and strategies to implement the rule seamlessly. Let\u2019s dive in without further ado! <\/p>\n\n\n\n

<\/span>Action Points<\/span><\/h2>\n\n\n\n
    \n
  1. The FTC Safeguards Rule is a set of standards under the Gramm-Leach-Billey Act of 1999. Its purpose is to ensure that financial institutions protect customers’s non-public personal data.<\/li>\n\n\n\n
  2. The Safeguards Rule was amended in 2023 October to state that non-banking financial institutions are required to inform the FTC within 30 days of a breach if it affects 500 or more customers. <\/li>\n\n\n\n
  3. The Safeguard Rule states that organizations must design and implement an information security program that addresses the size and complexity of their organization. <\/li>\n\n\n\n
  4. Organizations under FTC jurisdiction must assess risks, implement safeguards, oversee service providers, and regularly monitor security measures through penetration tests. <\/li>\n<\/ol>\n\n\n\n

    <\/span>What Is the FTC Safeguards Rule?<\/span><\/h2>\n\n\n\n

    FTC Safeguards Rule or Standards for Safeguarding Customer Information is a set of regulations established under the Gramm-Leach-Billey Act (GLBA) of 1999. Its primary goal is to ensure the protection of consumers’ personal information held by financial institutions. They are required to secure the confidentiality and security of consumers’ non-public personal data. <\/p>\n\n\n\n

    Here, banks, credit unions, insurance companies, and other companies that engage in financial activities all come under the umbrella term \u201cfinancial institutions\u201d. While non-public personal data includes social security numbers, credit history, and account numbers. <\/p>\n\n\n\n

    The standard was established in 2003 but underwent modification in 2021 to apace with the current trends in technology. The revised rule provides more solid guidance for businesses in terms of protecting customer data. <\/p>\n\n\n\n

    Gramm-Leach-Billey Act, 1999<\/h3>\n\n\n\n

    The Gramm-Leach-Bliley Act, established in 1999,  is also known as the Financial Services Modernization Act of 1999. It is a US federal law that governs how financial institutions handle individuals\u2019 private information. The act mandates disclosure of information-sharing practices, and implementing safeguards for sensitive data. The rules under GLBA are the Safeguards Rule, the Financial Privacy Rule, and Pretexting provisions. <\/p>\n\n\n\n

    <\/span>Who Does The FTC Safeguards Rule Apply To?<\/span><\/h2>\n\n\n\n

    As mentioned above, the FTC Safeguards Rule mostly applies to financial institutions that come under the FTC jurisdiction. Besides this, according to the Gramm-Leach-Billey Act, the finance business should also not come under any other enforcement authority of another regulator.<\/p>\n\n\n\n

    If you\u2019re wondering whether your business falls under financial institutions subject to FTC\u2019s safeguards rule, well let\u2019s clear that right up! Section 314.2 of the rule lists some examples of entities that come under the term financial institutions. They include: <\/p>\n\n\n\n

      \n
    1. Mortgage brokers & lenders<\/li>\n\n\n\n
    2. Payday lenders <\/li>\n\n\n\n
    3. Finance companies<\/li>\n\n\n\n
    4. Check cashers<\/li>\n\n\n\n
    5. Collection agencies<\/li>\n\n\n\n
    6. Credit counselors and other financial advisors<\/li>\n\n\n\n
    7. Tax preparation firms<\/li>\n\n\n\n
    8. Non-federally insured credit unions,<\/li>\n\n\n\n
    9. Investment advisors who aren\u2019t required to register with the SEC<\/li>\n<\/ol>\n\n\n\n

      The 2021 amendments to the Safeguards Rule add a new example of a financial institution \u2013 finders. Those are companies that bring together buyers and sellers and then the parties themselves negotiate and consummate the transaction. It is also key to note that even if your company wasn\u2019t covered in the original rule, it is important to keep checking since the rule is under constant evolution. <\/p>\n\n\n\n

      <\/span>Latest 2023 Amendment To FTC Safeguards Rule<\/span><\/h2>\n\n\n\n

      October 2023 marked the 20-year anniversary of the Gramm-Leach-Billey Act under which the FTC Safeguards Rule came into effect. Along with this, the FTC also announced an amendment to the rule<\/a> that states that non-banking financial institutions within the FTC\u2019s jurisdiction will have to report any data breach that affects 500 or more people. <\/p>\n\n\n\n

      What Is It? <\/h3>\n\n\n\n

      The revised rule essentially focuses on notification events which are defined as the acquisition of customer information without said customer\u2019s authorization. If at least 500 individuals’ information is affected, then the company in question must contact the FTC as soon as possible and within 30 days after the discovery of the breach. <\/p>\n\n\n\n

      The organization must then fill out a form that includes – <\/p>\n\n\n\n

        \n
      • Name and contact information of the organization<\/li>\n\n\n\n
      • Description of information type<\/li>\n\n\n\n
      • Specific date or date range of the breach<\/li>\n\n\n\n
      • The number of customers affected<\/li>\n\n\n\n
      • A general description of the breach. <\/li>\n<\/ul>\n\n\n\n

        Who Does It Affect?<\/h3>\n\n\n\n

        Wonder\u012bng if the latest amendment is applicable to your organization? Well if your company comes under a non-banking financial institution under the jurisdiction of FTC such as mortgage brokers, payday lenders or motor vehicle dealers, then the answer is yes. <\/p>\n\n\n\n

        Why Was It Enforced?<\/h3>\n\n\n\n

        The amendment was placed to ensure that companies that handle such sensitive financial information are more transparent in case of a data compromise. This disclosure agreement was established in hopes of giving non-banking financial companies an added incentive to safeguard their customer data.  <\/p>\n\n\n\n

        <\/span>FTC Safeguards Rule Requirements For Your Company<\/span><\/h2>\n\n\n\n

        If your company falls under any of the above-mentioned businesses under financial institution, the FTC requires you to maintain an information security program. The information security program must be developed, implemented, and maintained with administrative, physical, and technical safeguards to ensure that customer\u2019s non-public information is protected. <\/p>\n\n\n\n

        The information security program developed by your business must be par with its size and complexity. It should address the nature and scope of your business activities and ensure customer data confidentiality and security accordingly. The program should also protect against potential risks, threats, or hazards to the security of the information and protect against unauthorized access to the same. <\/p>\n\n\n