FTC Safeguards Rule: What Small Businesses Must Do
The FTC Safeguards Rule is one of the most consequential — and most overlooked — security regulations for small businesses, in part because so many businesses do not realize it applies to them. If your business handles consumer financial information in almost any capacity, you may be a “financial institution” under the Rule and required to maintain a formal security program. Here is what the FTC Safeguards Rule requires and how a small business complies.
What the Safeguards Rule is
The Safeguards Rule, enforced by the Federal Trade Commission, requires covered “financial institutions” to develop, implement, and maintain a written information security program to protect customer information. It was significantly strengthened in recent years, adding specific, prescriptive requirements that go well beyond “be reasonable.” For affected small businesses, it turned data security from a vague good idea into a concrete legal obligation with defined elements.
Who it covers (probably more businesses than you think)
The Rule’s definition of “financial institution” is far broader than banks. It covers non-bank businesses significantly engaged in financial activities, including mortgage brokers and lenders, auto dealers that arrange financing, tax preparers, accountants, payday lenders, debt collectors, financial advisors, and many others. If your business extends credit, arranges financing, prepares taxes, or handles consumer financial data as a meaningful part of what you do, you should determine whether you are covered — many small businesses are caught by surprise.
What the Rule requires
The strengthened Safeguards Rule lays out specific elements your written security program must include:
- Designate a Qualified Individual to oversee and be accountable for the program.
- Conduct a written risk assessment identifying the threats to customer information.
- Implement access controls so only authorized people can reach sensitive data.
- Encrypt customer information in transit and at rest (or use an approved alternative).
- Use multi-factor authentication for anyone accessing customer information.
- Maintain secure development and change practices for systems that handle the data.
- Dispose of customer information securely when it is no longer needed.
- Monitor and test your safeguards, including penetration testing or continuous monitoring.
- Train staff on security, and oversee your service providers.
- Maintain a written incident response plan and report certain events.
Taken together, these elements amount to a formal program — in practice, a Written Information Security Plan (WISP) is how most businesses document and satisfy them.
The penalties for ignoring it
Non-compliance carries real risk. The FTC can pursue enforcement actions, and the financial and reputational consequences of a penalty — or of a breach you failed to guard against — can be severe for a small business. Beyond regulators, customers and partners increasingly expect documented security, so compliance is both a legal and a competitive matter.
How a small business complies
Start by confirming whether you are covered. If you are, designate your Qualified Individual, perform and document a risk assessment, and build a written program that addresses each required element — closing gaps in access control, encryption, and multi-factor authentication first, since those are common weak spots. Train your team, formalize how you vet and monitor vendors, and stand up an incident response plan. Document everything; under this Rule, if it is not written down, it effectively does not count. Our cybersecurity policy guide helps with the supporting policies, and if you would rather have the program built for you, Veteran Forge Strategies develops and maintains Safeguards-compliant security programs for small businesses.
Common compliance gaps and how to close them
When small businesses fall short of the Safeguards Rule, it is usually in a handful of predictable places, and knowing them lets you focus your effort:
- Multi-factor authentication. This is the most common gap: many businesses still rely on passwords alone for systems that hold customer information, when the Rule specifically requires MFA. Turning on MFA across email, remote access, and any system touching customer data is often the single highest-impact step.
- Encryption. Customer information sits unencrypted on laptops, drives, or in transit. Enabling full-disk encryption and securing data in transit closes this gap.
- Risk assessment. The assessment is missing or informal. The Rule requires a written assessment, so an undocumented “we know our risks” does not satisfy it.
- Vendor oversight. Businesses often hand data to service providers without vetting their security or putting it in the contract, which the Rule does not allow.
- Qualified Individual. No one has been designated, leaving no one clearly accountable for the program.
- Incident response. Many businesses have no written plan, so a breach becomes chaos.
Closing these gaps is largely a matter of working through them in order: designate your Qualified Individual, document a risk assessment, switch on MFA and encryption, formalize vendor requirements, and write an incident response plan. None of these requires enterprise budgets; they require deliberate execution. Documenting each step as you go is what turns scattered good practices into a defensible, Safeguards-compliant program you can prove if a regulator ever asks.
Key takeaways
- The FTC Safeguards Rule requires covered “financial institutions” to maintain a written information security program.
- “Financial institution” is broad — auto dealers, tax preparers, mortgage brokers, collectors, and more are covered.
- Required elements include a Qualified Individual, risk assessment, access controls, encryption, MFA, monitoring, training, and incident response.
- A WISP is how most businesses document compliance; penalties for ignoring the Rule are real.
Frequently asked questions
Does the FTC Safeguards Rule apply to my small business? If you are significantly engaged in financial activities — financing, lending, tax prep, handling consumer financial data — you may be a covered “financial institution.” Check carefully.
What is a Qualified Individual? The person you designate to oversee and be accountable for your information security program; it can be an employee or a qualified third party.
Is multi-factor authentication really required? Yes — MFA for anyone accessing customer information is one of the Rule’s specific requirements.
When did the strengthened FTC Safeguards Rule take effect? Its more prescriptive requirements — like the Qualified Individual, MFA, and encryption — phased in over recent years, so covered businesses are expected to comply now. Confirm the current deadlines for your situation.
This article is for general informational purposes only and is not legal advice. Verify the requirements that apply to your business.
Get your WISP done — the easy way
Our WISP & FTC Safeguards Pack gives you a ready-to-tailor Written Information Security Program plus a compliance checklist, risk assessment, and vendor oversight log.
Get the WISP Pack ($39) → From Veteran Forge · editable template · instant download