The FTC Safeguards Rule: Who's Covered and What It Demands

The FTC has moved from handing out security advice to enforcing it. The Safeguards Rule, which sits under the Gramm-Leach-Bliley Act, now expects proof that you actually run a security program, not a binder of theoretical plans. If you are covered, missing the basics is no longer a gray area. It is a finding with a price tag.

Does this apply to you?

The Rule covers businesses the FTC defines as financial institutions, and that definition is broader than it sounds. It pulls in tax preparers, accountants, auto dealers, mortgage brokers, payday and finance companies, and a long list of others that handle customer financial information. So this is not only banks. If you are an accounting firm or anyone touching financial data, assume you are in scope until someone proves otherwise. And even if you are not directly covered, these same standards now show up in cyber insurance applications and client contracts, so the bar applies to you either way.

What you have to have in place

A written information security program. A real document that maps where data lives and who is allowed to touch it.

A qualified individual. Someone has to own the security program, whether that is an internal hire or an outside provider.

Encryption everywhere. Customer data has to be encrypted at rest and in transit so it stays useless to anyone who grabs it.

Multi-factor authentication and access controls. MFA on the accounts that matter, and permissions limited to what each person actually needs.

An incident response plan. A written, step-by-step playbook covering detection, containment, investigation, notification, and recovery.

What noncompliance costs

The FTC can seek penalties of up to about $51,744 per violation, and the figure climbs with inflation each year. Each missing safeguard can count as its own violation, so gaps stack. If a breach happens and the FTC finds required protections like encryption or MFA were absent, the exposure runs into the millions. Beyond the fines, meeting the standard is what tells clients you take their information seriously.

This is squarely the kind of work we do for accounting firms and other regulated businesses around Wichita. See our IT for CPAs and accountants page, or book a call and we will map your setup against what the Rule requires.