FTC Safeguards Rule Checklist: San Diego, Tucson, & Phoenix

If you run a business in the financial, accounting, insurance, or real estate (FAIRE) industries, there’s a critical new regulation on the books that you can’t afford to ignore: the Federal Trade Commission’s (FTC) Safeguards Rule.

This rule requires non-banking financial institutions, including mortgage brokers, tax preparers, financial advisors, insurance agents, and others, to put specific measures in place to protect consumer data from breaches and misuse. Every business operating in these industries in San Diego, Phoenix, or Tucson should understand the FTC Safeguards Rule and ensure they’re in compliance to avoid incurring fines, protect their business reputation, and maintain the trust of their customers.

In this article, we’ll explain what the FTC Safeguards Rule is, who it applies to, and offer a practical checklist to help your business comply with the new regulations. 

What Is the FTC Safeguards Rule?

The FTC Safeguards Rule (originally adopted in 2003, updated in 2021) is a regulation issued under the Gramm-Leach-Bliley Act (GLBA) that sets requirements for any company that handles consumer financial information.

What is the purpose of the Rule?

The Safeguards Rule ensures that businesses have a written information security plan and implement reasonable administrative, technical, and physical safeguards to protect their customers’ data.

When must businesses comply with the Rule?

Updates to the Rule went into effect on June 9, 2023, expanding the scope and specificity of its requirements.

Where can I find the full text of the Rule?

You can find a full overview of the Rule on the FTC’s website: FTC Safeguards Rule: What Your Business Needs to Know

Who Must Comply?

The Rule applies to any non-banking financial institution, meaning any business engaged in providing financial products or services, such as:

  • Mortgage brokers & lenders.
  • Tax preparation firms.
  • Financial advisors and planners.
  • Accountants & CPA firms.
  • Insurance agencies.
  • Real estate settlement services.
  • Auto dealerships offering financing.
  • Any company that stores or transmits customer financial information.

If you’re not sure whether your business falls under this category, Tower 23 IT can help you assess your risk and responsibilities.

Why Does Compliance Matter?

Failing to comply with the Safeguards Rule exposes businesses to:

  • FTC enforcement actions and fines.
  • Civil lawsuits & legal fees.
  • Loss of customer trust and reputational damage.
  • Increased risk of data breaches and financial theft.

San Diego, Tucson, and Phoenix are competitive markets with stringent state privacy laws already on the books, so meeting the requirements set forth in the Safeguards Rule is even more important for companies operating in these regions.

FTC Safeguards Rule Compliance Checklist

The updated Rule includes nine specific elements your business must implement. Here’s a checklist of steps you can take to ensure you’re in compliance:

1. Designate a Qualified Individual

Assign a person (internal or external) who can oversee and enforce your security program. This person should have the authority and expertise necessary to manage data security efforts.

2. Conduct a Risk Assessment

Identify any risks to customer information in your business operations, including the strength of your IT systems, safety of employee practices, and effectiveness of any third-party service providers.

Your risk assessment should:

  • Categorize the customer data your business collects.
  • Evaluate where and how data is stored and transmitted.
  • Identify susceptibility to phishing, strengthen weak passwords, and patch any unpatched software.

3. Implement Safeguards to Control Identified Risks

Once you’ve identified potential risks, implement administrative, technical, and physical measures to mitigate them.

For example:

  • Implement multi-factor authentication (MFA) for all employees with system access.
  • Encrypt customer data in transit and at rest.
  • Install and maintain firewalls, antivirus, and endpoint protection.
  • Limit data access to authorized personnel only.

4. Regularly Monitor and Test Safeguards

Develop a plan to test the effectiveness of your safeguards via regular:

  • Penetration testing.
  • Vulnerability scans.
  • Monitoring for suspicious activity.

5. Train Staff

Employers should provide regular training on recognizing risks, such as phishing scams, and ensure all staff are aware of your company’s data handling policies.

6. Monitor Service Providers

If third-party vendors handle customer data on your behalf, ensure they are complying with your security standards. Include data protection clauses in contracts and monitor their activities for compliance.

7. Keep Your Program Up to Date

Stay current. As technology and risks evolve, your information security program should be updated regularly to address new threats.

8. Prepare a Written Incident Response Plan

Your plan should specify:

  • How to contain and assess data breaches.
  • How to notify affected customers and regulators.
  • How to restore operations securely.

9. Require Board Reporting

If your business has a board of directors, the “qualified individual” you chose in step one should provide them with regular updates on the state of the company’s information security program, including any incidents and changes.

How Tower 23 IT Can Help

At Tower 23 IT, we specialize in helping San Diego, Tucson, and Phoenix businesses implement comprehensive, compliance-driven IT solutions.

For over a decade, we’ve partnered with organizations in healthcare, legal, financial, engineering, and other regulated industries to manage their IT systems and protect sensitive information.

Here’s how we can help your business comply with the FTC Safeguards Rule:

  • Perform a risk assessment and recommend safeguards.
  • Implement and manage security tools like encryption, MFA, and monitoring systems.
  • Provide employee cybersecurity awareness training.
  • Audit and secure your cloud and on-premise systems.
  • Help you develop and test your written incident response plan.
  • Document and report your security posture for board and regulatory reviews.

With 24/7 monitoring, proactive management, and deep compliance expertise, Tower 23 IT ensures your business stays ahead of evolving security and regulatory demands.

Don’t Risk Non-Compliance—Act Today

If your business is in the financial, accounting, insurance, or real estate industries, the time to act is now. The FTC Safeguards Rule is here, and the penalties for falling short can be steep.

Whether you’re in San Diego, Tucson, or Phoenix, Tower 23 IT stands ready to help you assess your current position, implement proper safeguards, and provide ongoing support to keep your business secure and compliant.

Ready to Get Started?

Contact Tower 23 IT today to schedule an FTC Safeguards Rule readiness assessment and learn how we can help you protect your customers and your business.