FTC Safeguards Rule for Customer Information

FTC Safeguards rule compliance IT provider
If your company handles financial transactions for its customers it may fall under the FTC Safeguards Rule.

The purpose of the FTC’s Safeguards Rule is to ensure that a company maintains safeguards to protect the security of customer information by implementing an information security program in their organization.

“Customer information” means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.

The Safeguards Rule went into effect in 2003 and the FTC amended it in 2021 to help the Rule keep pace with current technology. The revised FTC Safeguards Rule deadline is June 9, 2023. Your best source of information is the official text of the Safeguards Rule found here.

How do you know if your business is considered a “financial institution” subject to the Safeguards Rule?

The Safeguards Rule defines “financial institution” in a broader sense than normal. What matters are the types of activities your business undertakes, not how you or others categorize your company.

To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples of the kinds of entities that are financial institutions under the Rule, including:
mortgage lenders,
payday lenders,
finance companies including automobile dealerships,
mortgage brokers,
account servicers,
check cashers,
wire transferors,
collection agencies,
credit counselors and other financial advisors,
tax preparation firms,
non-federally insured credit unions,
and investment advisors that aren’t required to register with the SEC.


FTC Safeguards compliance for Car Dealerships
Automobile dealerships fall under the FTC Safeguards Rule and must implement a information security program to protect customer information under their control. Deadline to comply with the FTC Safeguards Rule is is June 9, 202.3

What does the Safeguards Rule require companies to do?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.



9 elements your company’s information security program must include:

Section 314.4 of the Safeguards Rule identifies 9 elements that your company’s information security program must include:

1. Designate a Qualified Individual to implement and supervise your company’s information security program. The Qualified Individual can be an employee of your company or can work for an affiliate or service provider. If the Qualified Individual works for an affiliate or service provider, that affiliate or service provider also must maintain an information security program that protects your business.

2. Conduct a risk assessment.
You can’t formulate an effective information security program until you know what information you have and where it’s stored. After completing that inventory, conduct an assessment to determine foreseeable risks and threats – internal and external – to the security, confidentiality, and integrity of customer information. 

3. Design and implement safeguards to control the risks identified through your risk assessment. 

Implement and periodically review access controls. 

4. Regularly monitor and test the effectiveness of your safeguards.
Test your procedures for detecting actual and attempted attacks. For information systems, testing can be accomplished through continuous monitoring of your system. If you don’t implement that, you must conduct annual penetration testing, as well as vulnerability assessments, including system-wide scans every six months designed to test for publicly-known security vulnerabilities.

5. Train your staff.
Provide your people with security awareness training and schedule regular refreshers.

6. Monitor your service providers.
Select service providers with the skills and experience to maintain appropriate safeguards.

7. Keep your information security program current.
The only constant in information security is change – changes to your operations, changes based on what you learn during risk assessments, changes due to emerging threats, changes in personnel, and changes necessitated by other circumstances you know or have reason to know may have a material impact on your information security program.

8. Create a written incident response plan. Every business needs a “What if?” response and recovery plan in place in case it experiences what the Rule calls a security event – an episode resulting in unauthorized access to or misuse of information stored on your system or maintained in physical form. Section 314.4(h) of the Safeguards Rule specifies what your response plan must cover.

9. Require your Qualified Individual to report to your Board of Directors. Your Qualified Individual must report in writing regularly – and at least annually – to your Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer responsible for your information security program. 

Visit the FTC website more information about the Safeguards Rule and general guidance on data security.

VTC Tech can help your organization become compliant with the FTC Safeguards Rule.

VTC Tech can help your organization become compliant with the FTC Safeguards Rule. Whether you are an auto dealership or moneylender, we can design and implement a custom information security program that will meet the FTC compliance rules and follow cybersecurity practices. Give us a call now 1-888-800-3211 or contact us here.

Share this blog post:

Add Your Heading Text Here

Add Your Heading Text Here

Let's Get Started!

Need professional IT support for your business?
We are here to help your company if you need IT advice and support from a professional IT services provider.

We offer business managers a free initial IT consultation to determine your needs and advise you of the IT service options available to you. No obligation on your part.

Ready to get some IT advice? Either configure your company’s settings in the adjacent form, schedule a free call with us or call us now at 1-888-800-3211 to get answers to your IT questions.

Configure your company's IT needs to get started!

Managed IT Services provider for business offices.
VTC Tech is an IT provider that helps growing companies with busy offices by managing their IT support and cybersecurity services so they can focus on their core business and grow faster.

Configure your company IT needs:

Join our Newsletter
VTC TECH is happy to bring you the latest insights on IT and how it affects you – in business, at home or anywhere in between.
VTC TECH Newsletter
BREAKING NEWS: Join our Newsletter and find out what's new in IT