FTC Safeguards Rule Compliance: Which Businesses Are Covered and What It Actually Requires

The FTC Safeguards Rule applies to more businesses than most expect – and compliance requires more than most have documented.

FTC Safeguards Rule compliance is an active federal obligation for any organization that qualifies as a financial institution under the Gramm-Leach-Bliley Act – a category that is considerably broader than it sounds. The rule is enforced by the Federal Trade Commission (FTC) and requires covered organizations to develop and maintain a written information security program addressing nine specific elements. What makes the question of which businesses the FTC Safeguards Rule covers more interesting than most expect is that qualification depends on what an organization does, not on what it calls itself or which industry it considers itself part of.

Auto dealerships that arrange consumer financing are financial institutions under the rule. Law firms that handle real estate closings, estate planning, or tax preparation are likely financial institutions. Accounting and tax preparation practices are financial institutions. Registered investment advisers, wealth managers, and broker-dealers are financial institutions. Many of these organizations are currently operating under the compliance obligation without having formally assessed whether their security program satisfies it in practice.

What the Gramm-Leach-Bliley Act IT Security Requirements Actually Cover

The FTC Safeguards Rule is the Federal Trade Commission’s implementation of the Gramm-Leach-Bliley Act’s security requirements. Gramm-Leach-Bliley Act IT security requirements apply to any organization that is engaged in financial activities – which the statute defines more broadly than banking or investment management. The key question is not whether an organization is in the finance industry. It is whether the organization engages in activities that are financial in nature, which can include arranging financing, handling tax-related data, managing investments, or facilitating real estate transactions involving consumer financial information.

The FTC substantially strengthened the Safeguards Rule in 2023, adding specific technical and organizational requirements that replaced the original rule’s more general language. The updated rule now specifies nine required program elements – including written risk assessment, access controls, encryption, multi-factor authentication, vendor oversight, penetration testing, incident response planning, and designation of a qualified individual responsible for the information security program. These are enforceable requirements, not recommendations, and the FTC has been actively pursuing compliance since the updated rule took effect.

The full nine-element framework and what each element requires operationally is documented on the FTC Safeguards Rule Compliance page. This article focuses on the coverage question – which organizations are subject to the rule – and the operational gap that most covered businesses have not fully addressed.

The FTC Safeguards Rule Written Information Security Program – What Coverage Requires

At the centre of FTC Safeguards Rule compliance is the written information security program — a documented set of policies and procedures that addresses how the organization protects customer information. The FTC Safeguards Rule written information security program is not a template exercise. It is a firm-specific document that must accurately describe the organization’s actual security environment: its specific systems, its current staff responsibilities, its vendor relationships, and the controls it has implemented to satisfy each of the FTC Safeguards Rule nine elements.

That distinction matters considerably in enforcement. A written program that was developed to satisfy a compliance deadline and has not been reviewed since does not satisfy the rule’s requirements if the organization’s environment has changed — and most organizations’ environments change continuously. Staff turns over. Systems are added. Vendor relationships evolve. The access controls documented in the program may no longer reflect who actually has access to what. The incident response plan may reference systems or personnel that no longer exist in the same form.

The FTC’s enforcement posture makes clear that the adequacy of a compliance program is assessed against the environment that currently exists — not the one that existed when the program was written. This is the operational gap that creates compliance exposure for most covered businesses: not ignorance of the rule, but the distance between the written program and the environment it is supposed to describe.

Which Businesses Are Covered – Four Categories That Often Surprise

Four types of organization are frequently surprised to find themselves within the scope of the FTC Safeguards Rule. In each case, coverage depends on the specific activities the organization performs rather than on its general industry classification.

Auto dealerships

Auto dealerships that arrange or facilitate consumer financing are financial institutions under the Gramm-Leach-Bliley Act and are expressly covered under the FTC Safeguards Rule. This includes dealerships that work with lenders to provide financing to car buyers, process credit applications, or collect consumer financial information in connection with vehicle purchases. The FTC has published dealership-specific guidance addressing how the rule applies to OEM relationships, DMS vendor access, and combined customer databases.

The specific IT security and compliance requirements for dealership environments are addressed in detail on the IT Security Services for Auto Dealerships page.

Law firms

Law firms engaged in financial-adjacent practice areas – real estate transactions, estate planning, business formation involving consumer financial information, or tax preparation – are likely financial institutions under the Gramm-Leach-Bliley Act and subject to the FTC Safeguards Rule. This is one of the less widely understood coverage determinations. The FTC’s position is that the nature of the activity, not the professional license of the practitioner, determines whether the Safeguards Rule applies.

How the Safeguards Rule applies to law firm environments alongside ABA professional obligations is addressed on the IT Security Services for Law Firms page.

Financial services firms

Registered investment advisers, wealth managers, broker-dealers, and other financial services firms are financial institutions under the Gramm-Leach-Bliley Act and subject to both the FTC Safeguards Rule and, for registered investment advisers, the SEC’s amended Regulation S-P, which adds a 30-day breach notification obligation. Financial services firms operating in the private markets space face the additional complexity of managing non-public information across fund structures and external relationships that each require governed access.

The specific IT security and compliance requirements for financial services environments are addressed on the IT Security Services for Financial Services Firms page.

Accounting and tax preparation practices

Accounting firms and tax preparers filing 11 or more federal returns annually are financial institutions under the Gramm-Leach-Bliley Act and are required to maintain a written information security plan under both the FTC Safeguards Rule and IRS Publication 4557. The IRS’s enforcement of this requirement specifically addresses tax professionals as a high-value target for cybercriminals seeking taxpayer data for use in fraudulent returns.

The specific IT security and compliance requirements for accounting firm environments, including the WISP requirement, are addressed on the IT Security Services for Accounting Firms page.

Why Compliance Is Operational, Not Documentary

The most consequential insight about FTC Safeguards Rule compliance is also the most consistently overlooked: the rule requires controls that function, not controls that are documented. A written information security program that accurately describes an environment the organization has not maintained is not a compliant program. It is a record of what compliance was once intended to look like.

Operational FTC Safeguards Rule compliance means that access controls reflect current staff and current roles. Vendor contracts include the security provisions the rule requires for every vendor that currently has access to customer information. MFA is enforced consistently across all systems that access covered data – not selectively, and not only for internal staff when service providers also have access pathways into those systems. The incident response plan names the current systems, the current responsible parties, and the current notification procedures.

These are not conditions that can be established once and left in place. They require the same kind of ongoing oversight that any operational function demands – review as conditions change, documentation that reflects those reviews, and a designated responsible individual who is accountable for whether the program remains current. For most small and mid-size organizations in the covered business categories, that level of ongoing discipline is more difficult to maintain without structured IT security oversight than with it.
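As an added illustration of the program-versus-environment drift described above (this is not the article's or Tera Partners' own tooling), the following script compares what a written program documents against a snapshot of the current environment and reports the gaps by rule element. Every system, user and vendor name below is a constructed sample value, and the two dictionaries are assumed stand-ins for the written program and a directory or IdP export.

```python
"""Drift check: written information security program vs. current environment."""
from dataclasses import dataclass


@dataclass
class Finding:
    element: str   # the Safeguards Rule element the gap relates to
    detail: str


# What the written program documents (constructed sample data).
DOCUMENTED = {
    "access": {"crm": {"alice", "bob"}, "dms": {"bob"}},
    "vendors_with_security_provisions": {"dms-vendor"},
    "ir_plan_systems": {"crm", "dms", "legacy-fileserver"},
}

# What the environment shows today (constructed directory/IdP export).
CURRENT = {
    "access": {"crm": {"alice", "carol"}, "dms": {"bob", "dms-vendor-svc"}},
    "covered_data_systems": {"crm", "dms"},
    "mfa_enforced": {"crm"},
    "vendor_accounts": {"dms-vendor-svc": "dms-vendor", "backup-svc": "backup-co"},
    "systems": {"crm", "dms"},
}


def drift_findings(documented, current):
    """Return one Finding per gap between the program and the environment."""
    findings = []
    # Access controls: who has access now vs. who the program says has access.
    for system, actual in current["access"].items():
        doc = documented["access"].get(system, set())
        for user in sorted(actual - doc):
            findings.append(Finding("access controls", f"{user} has {system} access not in program"))
        for user in sorted(doc - actual):
            findings.append(Finding("access controls", f"{user} documented for {system} but no longer has access"))
    # MFA: every system holding covered data must enforce it, service accounts included.
    for system in sorted(current["covered_data_systems"] - current["mfa_enforced"]):
        findings.append(Finding("multi-factor authentication", f"MFA not enforced on {system}"))
    # Vendor oversight: any vendor with live access needs the contractual provisions.
    for acct, vendor in sorted(current["vendor_accounts"].items()):
        if vendor not in documented["vendors_with_security_provisions"]:
            findings.append(Finding("vendor oversight", f"{vendor} ({acct}) has access without security provisions"))
    # Incident response: the plan must not reference systems that no longer exist.
    for system in sorted(documented["ir_plan_systems"] - current["systems"]):
        findings.append(Finding("incident response", f"IR plan references {system}, which no longer exists"))
    return findings


def summarize(findings):
    """Count findings per rule element, which is the shape a program review would report."""
    counts = {}
    for f in findings:
        counts[f.element] = counts.get(f.element, 0) + 1
    return counts
```

Run against the sample data, the check reports three access-control gaps, one system with covered data lacking MFA, one vendor with access but no contractual provisions, and one stale reference in the incident response plan.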

Where to Go from Here

For organizations that are uncertain whether they are covered under the FTC Safeguards Rule, or that have a written information security program in place but have not assessed whether it currently satisfies the rule’s requirements, the most practical starting point is an honest examination of the gap between what the program documents and what the organization’s security environment actually reflects today.

Tera Partners works with regulated businesses across Pennsylvania, New Jersey, and Delaware to provide IT security services and managed IT services structured around both the technical controls that the Safeguards Rule requires and the ongoing oversight that keeps those controls current. The FTC Safeguards Rule Compliance page documents the full nine-element framework and what operational compliance requires across all covered business categories.