What You Need to Know

The purpose of the Federal Trade Commission’s Standards for Safeguarding Customer Information, aka the Safeguards Rule, is to ensure that entities covered by the Rule maintain safeguards to protect the security of customer information.

The deadline for the expanded safeguards was June 9, 2023.

How do you know if your business is subject to the Safeguards Rule?

The Rule defines “financial institution” as the types of activities your business undertakes, not how you or others categorize your company.

The Rule lists examples of the kinds of businesses that are classified as financial institutions.

Entities such as:

  • mortgage lenders
  • finance companies
  • mortgage brokers
  • personal property or real estate appraisers
  • real estate settlement services
  • account servicers
  • wire transferors
FTC Safeguards Rule

What does the Safeguards Rule require companies to do?

The Safeguards Rule requires covered financial institutions to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information.

The Rule defines customer information to mean “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

What is a reasonable information security program?

Your information security program must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue.

The objectives of your company’s program are:

  • to ensure the security and confidentiality of customer information;
  • to protect against anticipated threats or hazards to the security or integrity of that information; and
  • to protect against unauthorized access to that information that could result in substantial harm or inconvenience to any customer.

Why devote time to this problem?

Violations can carry severe financial and reputational consequences, even if there is no evidence of deliberate misconduct.

In addition to the $100,000 fine for organizations, a company’s directors and officers can be personally liable for up to $10,000 per violation and may be sentenced to up to five years in prison.

Download the one page form.

Considerations for you and your business stakeholders.


A mortgage broker or lender experiences an event resulting in unauthorized access and misuse of customer information stored on an information system. 6500 records were involved with the incident.

  • $100,000 fine for the company
  • $10,000 X 6500 records = $65M civil fine for the CEO
  • $7,500 X 6500 records = $48.75M civil fine for the COO
  • $5,000 X 6500 records = $32.5M civil fine for the CFO
  • CEO three year prison sentence
  • COO one year prison sentence
  • CFO federal plea deal with reduced fine and no prison time
  • Business files for bankruptcy, and the corporation is liquidated.
Your Nest Eggs

Yes, we can save you time, energy, and money.

There are structural reasons why this is harder than it may seem. The deadline for these rules was June 9, 2023. 

The annual written report must be submitted to the Board of Directors or governing body. If your company doesn’t have a Board or its equivalent, the report must go to a senior officer who is responsible for the information security program.

First, it must include an overall assessment of your company’s compliance with its information security program. In addition, it must cover specific topics related to the program – for example:

  • designate a qualified person to oversee their information security program
  • develop a written risk assessment
  • control decisions to limit and monitor who can access sensitive customer information
  • encrypt all sensitive information
  • train security personnel
  • develop and test an incident response plan
  • periodically assess the security practices of service providers
  • implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information
  • recommendations for changes in the information security program

Decisions of Consequence

Your leadership is the pivotal key.

Future disruption events will force decisions. Will you be prepared?

We offer you a process to build a credible information security program as a continuation of trust and viability.

Safeguards operational compliance will further protect your customers, reputation, and business. 

you are the key

What is your vision for the future?

Criminals know you care about your stakeholders, reputation, and career. They will use any advantage as leverage to extract money from your company, including the notification of the breach to the FTC. 

If you want to protect your customers, reputation, and business, we are here to support you. We will partner with you to work through the decisions required for Safeguards Rule compliance. 

The alternative is delaying action and crossing your fingers that the fines and prison time do not disrupt your family and business.