FTC Safeguards Rule Compliance for Regulated Businesses in PA, NJ & DE
The Federal Trade Commission’s Safeguards Rule now applies to law firms, financial services firms, CPA and accounting practices, and auto dealerships. For organizations that handle consumer financial information, compliance is not optional – and the FTC has been actively enforcing it since 2026.
Tera Partners provides structured managed IT services and IT security support designed to help regulated businesses across Pennsylvania, New Jersey, and Delaware meet Safeguards Rule requirements with documented controls, appropriate oversight, and clear accountability.
What Is the FTC Safeguards Rule?
The FTC Safeguards Rule, issued under the Gramm-Leach-Bliley Act (GLBA), requires covered organizations to develop, implement, and maintain a written information security program designed to protect consumer financial information.
The rule was significantly strengthened in 2023, adding specific technical requirements including multi-factor authentication, encryption of data in transit and at rest, annual penetration testing, and designation of a qualified individual responsible for overseeing the program. The FTC began active enforcement in 2024 and has continued to pursue violations through 2026.
For many professional firms and businesses, the critical issue is not whether compliance is required — it is whether their current IT environment, access controls, vendor relationships, and documentation actually meet the rule’s requirements in practice.
Which Organizations Are Covered
The FTC’s definition of “financial institution” is broader than most business owners expect. Coverage is determined by the nature of the activity — not the organization’s primary identity.
Law Firms
Law firms engaged in real estate transactions, estate planning, business formation, or any activity involving consumer financial information are covered. The 2023 amendments made this explicit, and the FTC has issued guidance specifically addressing law firm obligations.
Financial Services & Advisory Firms
Registered investment advisers, wealth management firms, mortgage brokers, insurance agencies, tax preparers, and lenders are covered under the Safeguards Rule and subject to GLBA’s broader privacy and security requirements.
CPA & Accounting Firms
CPA firms and accounting practices that handle consumer financial data — including tax preparation, financial planning, and payroll services — are covered. The IRS Publication 4557 requirements align with and reinforce Safeguards Rule obligations.
Auto Dealerships
Auto dealers that arrange or facilitate consumer financing are explicitly covered. The FTC released dealer-specific Safeguards Rule guidance in 2025. The CDK Global incident demonstrated how exposed dealership IT environments can be when controls are insufficient.
The Nine Required Elements of a Safeguards Rule Program
The FTC Safeguards Rule specifies nine elements that every covered organization’s information security program must include. Tera Partners addresses each element through structured managed IT services, security oversight, and documented controls.
✓ Tera Partners can serve in this function or support an internal designee with the documentation, reporting, and oversight they need.
✓ Risk assessments are conducted as part of onboarding and reviewed on a defined cycle.
✓ Role-based access, Active Directory governance, and periodic access reviews are managed as part of ongoing IT oversight.
✓ Encryption standards are applied across endpoints, cloud storage, and data in transit as part of standard security configuration.
✓ MFA deployment and enforcement are managed across Microsoft 365 and all connected systems.
✓ Vendor and application vetting procedures are established as part of IT governance practice.
✓ Annual third-party penetration testing is coordinated and monitoring is maintained through managed security services.
✓ Vendor security review and contract requirements are part of IT governance and vendor coordination services.
✓ Incident response planning is developed and reviewed as part of security and continuity oversight, coordinated with Backup & Disaster Recovery planning.
A Structured Approach to FTC Safeguards Rule Compliance
The FTC Safeguards Rule is not a checklist exercise. Regulators evaluate whether an organization has a functioning, documented information security program — not simply whether individual controls exist.
For professional firms and regulated businesses, that distinction matters. A written risk assessment sitting in a folder, disconnected from actual IT practice, does not constitute a defensible compliance posture. Neither does MFA applied inconsistently, or vendor contracts that do not address security responsibilities.
Tera Partners provides managed IT services and IT security support that translate compliance requirements into operational practice — across access control, endpoint management, Microsoft 365 configuration, vendor oversight, documentation, and ongoing security review.
This work is delivered through a coordinated model that connects:
- Managed IT Services — day-to-day support, monitoring, and infrastructure management that forms the operational foundation of a compliant environment
- IT Security Services — access control, MFA enforcement, endpoint security, and risk-aware oversight
- IT Infrastructure Management — network, cloud, and endpoint environments maintained in documented, auditable configurations
- Backup & Disaster Recovery — continuity planning aligned with incident response obligations
- Virtual CIO (vCIO) & IT Consulting — senior-level oversight and qualified individual support for leadership
Tera Partners does not provide legal counsel or serve as a compliance attorney. The information on this page describes how structured managed IT services address the technical and operational requirements of the FTC Safeguards Rule. Organizations should work with qualified legal counsel on their specific compliance obligations.
Compliance Looks Different Across Regulated Industries
The Safeguards Rule applies the same core requirements to all covered organizations, but the operational context — the systems in use, the data being handled, the vendors involved, and the workflows at risk — differs significantly by industry. Tera Partners provides industry-specific IT support that reflects those differences.
Matter confidentiality, document management security, remote attorney access, and compliance with ABA Model Rule 1.6 and FTC Safeguards obligations.
RIA and wealth management IT environments, SEC cybersecurity requirements, GLBA obligations, and secure client data handling for advisory and financial planning practices.
Tax season IT readiness, written information security plan (WISP) support, IRS Publication 4557 requirements, and FTC Safeguards compliance for accounting practices.
DMS platform security, F&I data protection, FTC Safeguards Rule compliance for dealer financing operations, and network security for multi-system dealership environments.
If Your Organization Is Covered, the Conversation Is Worth Having
Many organizations operating under the FTC Safeguards Rule are not certain whether their current IT environment – access controls, vendor contracts, MFA configuration, documentation, and incident response planning – is actually aligned with what the rule requires.
Tera Partners works with law firms, financial services firms, accounting practices, and auto dealerships across PA, NJ, and DE to provide the IT structure and security oversight that make compliance practical, not just documented.
If you’d like to discuss how your current environment aligns with Safeguards Rule requirements, we’re open to an introductory conversation. The goal is to understand your operating environment and determine whether our approach is a fit.