What is the Safeguards Rule?
As the name suggests, the purpose of the Federal Trade Commission’s (FTC) Standards for Safeguarding Customer Information – the Safeguards Rule, for short – is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information. The Safeguards Rule was enacted in November 2001, but after public comment, the FTC amended it in 2021 to make sure the Rule keeps pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised Rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

Who is subject to the Rule?
The Safeguards Rule applies to “financial institutions” over which the Commission has rulemaking authority pursuant to section 501(b) of the Gramm-Leach-Bliley Act.
According to Section 314.1(b), an entity is a “financial institution” if it’s engaged in an activity that is “financial in nature” or is “incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k).”
This includes:
- Mortgage lenders
- Financial advisors and tax preparation firms
- Auto dealerships
- Travel agencies
- Check cashers
- Wire transferors
- Collection agencies
- Title IV schools
- Credit card companies
- Car rental companies
What does the Safeguards Rule require you to do?
The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” (The definition of “nonpublic personal information” in Section 314.2(l) further explains what is – and isn’t – included.) The Rule covers information about your own customers and information about customers of other financial institutions that have provided that data to you.
Section 314.4 of the Safeguards Rule identifies nine elements that your company’s information security program must include. Let’s take those elements individually.
Why Comply?
GLBA compliance is mandatory, and all institutions covered by the law must have policies and controls in place to protect customer information from foreseeable threats.
The FTC, the federal banking agencies, other federal regulatory authorities, and state insurance authorities enforce the GLB Act. Each agency has issued substantially similar rules implementing GLB’s privacy provisions. The states are responsible for issuing regulations and enforcing the law with respect to insurance providers. The FTC has jurisdiction over any financial institution or other person not regulated by other government agencies.
Some non-compliance penalties can include:
- Financial institutions found in violation face fines of $100,000 for each violation.
- Fines of $10,000 for each violation for officers and directors in charge of institutions found to be in violation of GLBA regulations.
- Up to 5 years in prison for officers and directors in charge of institutions found in violation of GLBA regulations.
Why Necessary Solutions?
Necessary Solutions, LLC, is a cybersecurity firm specializing in the financial and legal industries. We have built solutions specifically targeting ways to allow companies to meet compliance and audit requirements. We provide solutions that allow companies to protect their customers’ information and be compliant. Highlighted solutions include: GLBA Safeguards Compliance, SOC Readiness, Penetration Testing, Incident Response Review/Testing, Email Compliance, and Security Awareness Training. We bring enterprise solutions to small and medium-sized businesses.
Depending on your internal resources’ expertise and availability, we can implement the entire road map, position you to execute the road map independently, or supplement your team.