We break down what leadership needs to know about the latest data security rules — and how to avoid a nasty surprise during an audit.
If your business qualifies as a “financial institution”—for example, you provide financial products or services like loans, credit, investment advice, or tax preparation—you may be subject to the FTC Safeguards Rule if you collect nonpublic personal information from customers. And if you’re not actively tracking this, you’re not alone. Many such businesses aren’t aware of the recent updates, let alone what they’re expected to do about them.
But here’s the catch: ignorance won’t protect you during an audit, a client dispute, or a data breach. And the cost of non-compliance? It’s not just fines. It’s potential legal exposure, reputational harm, and a loss of trust you can’t easily buy back.
What Are the FTC Safeguards — and Who Needs to Pay Attention?
The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act and was created to make sure businesses put reasonable protections in place to secure customer financial information. While it originally focused on traditional financial institutions, recent updates have expanded the scope — and now it includes a wider range of businesses that handle consumer financial data.
Think mortgage brokers, tax prep services, payday lenders, and even auto dealerships that offer financing. These businesses may not think of themselves as “financial institutions,” but if they’re involved in helping customers get credit, loans, or other financial services — and they collect personal financial information in the process — they’re now on the hook to comply.
The bottom line?
If your business is significantly involved in providing financial services — even if that’s not your main focus — you may fall under the Safeguards Rule. But just collecting names or contact info isn’t enough to trigger it. The rule specifically applies to businesses that collect, store, or share nonpublic personal financial information in the course of offering financial products or services.
What’s Changed — and Why It Matters for Business Leaders
The 2023 update to the rule raised the bar significantly. It’s no longer enough to have a basic password policy and hope for the best. The FTC now expects businesses to:
- Designate a qualified individual to oversee information security
- Conduct regular risk assessments
- Implement multi-factor authentication (MFA)
- Encrypt customer data at rest and in transit
- Develop written incident response plans
- Provide security awareness training for employees
- Monitor and test systems regularly
These are not “IT-only” tasks — they are operational expectations that require leadership buy-in and budgeting. And non-compliance can lead to penalties, lawsuits, or the invalidation of cyber insurance coverage.
What Happens If You Ignore It?
Let’s break down the business-level risk:
- 🔒 Insurance Denial: Your cyber insurance provider may refuse coverage if you’re not following established safeguards.
- ⚖️ Legal Trouble: Non-compliance opens the door to lawsuits — from customers, partners, or even your own board.
- 📉 Reputational Damage: Clients trust you with their data. One breach or disclosure of non-compliance can shake that trust permanently.
- 💰 Financial Penalties: The FTC can (and does) impose financial penalties for failure to comply, particularly when harm results.
You wouldn’t run payroll without understanding tax rules. Treat data the same way.
What Business Leaders Can Do Right Now
You don’t need to be a data security expert. But you do need to ensure someone is overseeing it — and that your organization has a documented plan. Here’s how to get started:
- Schedule a Cybersecurity Risk Assessment
Identify how your current practices measure up to FTC expectations and create a clear action plan.
- Appoint a Security Lead
This doesn’t have to be a full-time hire — but someone needs clear responsibility for implementation and oversight.
- Update Policies and Employee Training
Make sure everyone understands how to protect data and what’s expected — not just your IT staff.
- Review and Document Everything
The FTC doesn’t just want action — they want proof. Make sure your plans, processes, and reviews are documented and easy to present during an audit.
Compliance Isn’t Just About Avoiding Trouble — It’s About Building Trust
Clients are getting smarter. They want to know their data is safe. Meeting FTC Safeguards requirements isn’t just about regulation — it’s about sending the right message to the market: your business takes security seriously.
Want to make sure your business is ready?
Schedule a compliance check-in or Risk Assessment with BizCom Global. We’ll help you understand exactly where you stand — and what to do next, without the tech overwhelm.