FTC Safeguards Rule (Gramm-Leach-Bliley Act)
The FTC Safeguards Rule under GLBA requires financial institutions to maintain a documented information security program with risk assessments, encryption, MFA, monitoring, and incident response. The 2023 update added specific technical controls.
What the GLBA Safeguards Rule Is
The Safeguards Rule implements the security provisions of the Gramm-Leach-Bliley Act (GLBA), requiring covered financial institutions to develop, implement, and maintain a comprehensive information security program to protect customer information. Enforced by the Federal Trade Commission (FTC), the Rule was substantially updated, with revised requirements taking effect in 2023, to specify concrete technical and administrative controls rather than general expectations.
It exists because financial institutions hold sensitive personal and financial data whose compromise can cause serious harm, and because earlier, vaguer requirements proved inconsistent in practice.
Who It Applies To
The Rule applies to non-bank financial institutions under FTC jurisdiction, a category interpreted broadly to include mortgage lenders and brokers, payday lenders, finance companies, account servicers, collection agencies, tax preparers, financial advisors, and many businesses "significantly engaged" in financial activities. Banks and similar entities are regulated by other agencies under parallel rules.
Key Requirements
- Written security program — Maintain a documented information security program appropriate to the institution's size and complexity.
- Qualified individual — Designate a single qualified individual responsible for overseeing the program.
- Risk assessment — Conduct and document periodic risk assessments.
- Technical safeguards — Implement access controls, encryption of customer data at rest and in transit, and multi-factor authentication.
- Monitoring and testing — Continuously monitor or conduct periodic penetration testing and vulnerability assessments.
- Incident response — Maintain a written incident response plan and report certain breaches to the FTC.
- Oversight — Train staff, oversee service providers, and report to governing bodies.
Penalties for Non-Compliance
The FTC can bring enforcement actions for violations, resulting in consent orders, mandated security improvements, ongoing audits, and civil penalties. Beyond direct penalties, breaches caused by inadequate safeguards can lead to litigation, reputational damage, and follow-on state enforcement.
How to Comply
Designate a qualified individual, perform a documented risk assessment, and build a written security program that covers the required technical controls, including encryption, access management, and multi-factor authentication. Implement continuous monitoring or regular testing, oversee third-party providers contractually, and maintain a tested incident response plan with breach reporting to the FTC. Train staff and report program status to leadership to demonstrate accountability.