FTC Safeguard Rules Make Data Security a Priority for Many Businesses by Brandon Bowers

Posted on July 27, 2023 by Brandon Bowers

Effective June 9, 2023, certain businesses engaged in financial services activities must comply with the Federal Trade Commission’s Standards for Safeguarding Customer Information Rule (Safeguard Rule), which requires the development, implementation and maintenance of appropriate policies, systems and other defenses to protect customers’ personal information from cyberattacks and other threats. However, many businesses remain unaware that they fall under these far-reaching regulations and are unsure of what they must do to come into compliance.

Who Must Comply with the Safeguard Rule?

Congress introduced the Standards Rule in 1999 as a part of the Gramm-Leach-Bliley Act, which aimed to reform the financial services industry and protect the privacy of consumers’ “nonpublic personal information” (NPI). The law broadly defines financial institutions to include those entities significantly engaged in activities that are “financial in nature or incidental to such financial activities,” including lending, exchanging, transferring, investing and safeguarding money and securities; providing financial, investment and economic advisory services; brokering and servicing loans; providing real estate settlement services; and debt collecting. Under this definition, the law applies to the following types of non-banking financial businesses:

How Can My Business Comply with the Safeguard Rule?

At the crux of the Safeguard Rule is the importance of securing and protecting sensitive customer data against threats and unauthorized access that could cause substantial harm to those customers. By adopting these measures, businesses may build trust with their customers and minimize their potential risks of legal action and reputational damage.

While the required level of compliance will depend on a variety of factors, including the size and complexity of the business and the extent of customer data it collects, all businesses must meet the following minimum requirements.

Businesses that fail to comply with these rules risk FTC investigations, legal action and steep penalties of as much as $11,000 per day per breach as well as an additional consent violation penalty that can be as high as $43,000 per day. To avoid these charges and the probability of irreparable reputational damage, organizations should instead meet with their trusted advisors to ensure they meet the rules of the law.

About the Author: Brandon Bowers is director of Managed Cyber Solutions with Berkowitz Pollack Brant Advisors + CPAs, where he provides businesses, professional services firms and family offices with business continuity and recovery, cybersecurity and fully outsourced help desk services. He can be reached at the CPA firm’s Ft. Lauderdale, Fla., office at (954) 712-7000 or