Skip to main content


In today’s digital age, protecting customer information and data security have become paramount for businesses. The Federal Trade Commission (FTC) enforces the Safeguards Rule, which sets standards for safeguarding customer information. With technology evolving rapidly, the FTC has recently updated the Rule to ensure it remains effective and relevant. In this article, we will explore the FTC Safeguards Rule, its significance for businesses, and the updates set to take effect in July 2023.

Understanding the Safeguards Rule: The Safeguards Rule, established in 2003, requires financial institutions under the FTC’s jurisdiction to maintain safeguards that protect customer information. Financial institutions covered by the Rule include mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, and more. The Rule applies to entities engaged in activities deemed “financial in nature” or “incidental to such financial activities.”

Key Compliance Questions

  1. Who is Covered by the Safeguards Rule? The Rule applies to financial institutions subject to the FTC’s jurisdiction that are not regulated by another enforcement authority. A comprehensive list of covered institutions can be found in Section 314.2(h) of the Rule.
  2. What Does the Safeguards Rule Require? Financial institutions covered by the Rule must develop, implement, and maintain an information security program. This program should incorporate administrative, technical, and physical safeguards designed to protect customer information. The program must be appropriate to the size and complexity of the business and address the sensitivity of the information at hand.

Updates Coming in July 2023

To keep pace with technological advancements and provide clearer guidance to businesses, the FTC has announced updates to the Safeguards Rule, set to take effect in July 2023. Here are key aspects of the upcoming updates:

  1. Enhanced Guidance: The revised Rule will provide more concrete guidance to covered businesses, ensuring a better understanding of their obligations. This includes specific measures to be implemented as part of the information security program.
  2. Risk Assessment: Businesses will be required to conduct comprehensive risk assessments to identify foreseeable risks and threats to the security, confidentiality, and integrity of customer information. This includes evaluating internal and external risks, as well as periodic reassessments to account for operational changes and emerging threats.
  3. Safeguard Implementation: The updated Rule will emphasize the importance of implementing appropriate safeguards based on the identified risks. This includes access controls, encryption of customer information, multi-factor authentication, secure disposal of information, monitoring authorized user activity, and maintaining logs of access.
  4. Testing and Training: Regular monitoring and testing of safeguards’ effectiveness will be crucial. Financial institutions will be required to conduct testing procedures for detecting actual and attempted attacks, including continuous monitoring or annual penetration testing. Additionally, employee training and security awareness programs will play a significant role in enhancing data protection.
  5. Incident Response Plan: A written incident response plan will be mandatory for businesses. This plan should outline the steps to be taken in the event of a security breach, including internal processes, roles and responsibilities, communication protocols, remediation procedures, and post-incident analysis to improve the information security program.


As businesses continue to handle and store customer information, complying with the FTC Safeguards Rule is of utmost importance. The upcoming updates in July 2023 aim to provide clearer guidelines for businesses to ensure the security and confidentiality of customer information. It is essential for covered financial institutions to understand their obligations, conduct risk assessments, implement appropriate safeguards, regularly test their security measures, and have a well-defined incident response plan in place. By adhering to these requirements, businesses can protect customer information and maintain trust in an era of increasing data security concerns.