FTC Safeguards Rule: SMB Compliance Guide
16 Mar 2026
FTC Safeguards Rule: What Small Businesses Need to Know in 2026
📋 TL;DR Summary
The FTC Safeguards Rule requires businesses that handle customer financial data to implement a written information security program. It applies to far more businesses than you’d expect — not just banks.
- Who it covers: Auto dealers, accountants, tax preparers, mortgage brokers, real estate settlement companies, retailers offering credit, and more
- Key requirements: 9 specific safeguards including a designated security person, risk assessment, encryption, MFA, and employee training
- Penalties: Up to $50,120 per violation — and the FTC is actively enforcing
- Good news: Small businesses with fewer than 5,000 customer records get some exemptions
Our Compliance Kits include the training records, policy templates, and checklists you need to meet most FTC Safeguards requirements.
Got a letter from the FTC? Or heard from your accountant that you need to comply with the “Safeguards Rule”? You’re not alone. Thousands of small business owners across the US are discovering that this rule applies to them — and that the penalties for ignoring it are steep.
This guide breaks it all down in plain English. No legal jargon. No 50-page whitepapers. Just what you need to know and do.
🔍 What Is the FTC Safeguards Rule?
The FTC Safeguards Rule is a federal regulation that requires certain businesses to develop, implement, and maintain a written information security program. Its purpose is simple: protect customer financial data from unauthorized access.
The rule was originally part of the Gramm-Leach-Bliley Act (GLBA) passed in 1999, but the FTC significantly updated it in June 2023 with much more specific requirements. The old version was vague — it basically said “have reasonable security.” The updated version spells out exactly what you need to do.
Why the 2023 update matters
Before the update, small businesses could get away with a general security policy and call it a day. Now the FTC requires 9 specific safeguards with measurable outcomes. Think of it as going from “try to be secure” to “here’s exactly what secure looks like.”
The updated rule also gave the FTC sharper teeth for enforcement. They’ve been sending warning letters and filing complaints at a pace we haven’t seen before.
If you’re already working on cybersecurity compliance for your small business, many of those same practices apply here.
🏢 Does the FTC Safeguards Rule Apply to Your Business?
This is where most small business owners are caught off guard. The rule uses the term “financial institution” — but the FTC defines that much more broadly than you’d think. You don’t need to be a bank.
Businesses covered by the Safeguards Rule:
- ✅ Auto dealerships (one of the biggest groups affected)
- ✅ Tax preparation services
- ✅ Accountants and bookkeepers
- ✅ Mortgage brokers and lenders
- ✅ Real estate settlement/title companies
- ✅ Payday lenders
- ✅ Credit counselors and debt collectors
- ✅ Retailers that issue store credit cards
- ✅ Travel agencies that arrange financing
- ✅ Financial advisors and investment firms
- ✅ Insurance companies (not covered by state regulators)
- ✅ Businesses that wire money or cash checks
The quick test:
Ask yourself: “Does my business handle customer financial information?” If you collect Social Security numbers, bank account details, credit card numbers, income data, or credit reports as part of your services — the rule likely applies to you.
Even if you only handle a handful of customer financial records, you’re covered. The FTC doesn’t have a minimum size threshold for applicability.
Small business exemption
There is one important carve-out: businesses that maintain customer information on fewer than 5,000 consumers are exempt from some (not all) requirements. Specifically, you don’t need to do a written risk assessment, conduct continuous monitoring, or perform annual penetration testing. But you still need most of the other safeguards.
📋 The 9 Key Requirements (Plain-English Breakdown)
Here’s what the updated Safeguards Rule actually requires. We’ve translated the legal language into practical steps.
1. Designate a Qualified Individual
You need one person responsible for your information security program. This can be an employee, your IT provider, or even a part-time consultant. They don’t need a cybersecurity degree — they need to understand your systems and take ownership.
What to do: Name someone in writing. Document their role and responsibilities.
2. Conduct a Risk Assessment
Identify what customer data you have, where it lives, and what threats could compromise it. This doesn’t need to be a 100-page report. For a small team, a simple spreadsheet listing your data, systems, and risks works fine.
What to do: List your data types, storage locations, and potential threats. Prioritize by likelihood and impact.
3. Implement Access Controls
Only the people who need access to customer financial data should have it. This means no shared logins, no “everyone is admin,” and proper offboarding when someone leaves.
What to do: Review who has access to what. Remove unnecessary access. Set up role-based permissions.
4. Know What Data You Have (Data Inventory)
You can’t protect what you don’t know about. The rule requires you to inventory customer information — what you collect, where you store it, and how it flows through your business.
What to do: Create a simple data map. Include physical files, cloud storage, email, and any third-party tools.
5. Encrypt Customer Data
Customer financial information must be encrypted both when stored (at rest) and when transmitted (in transit). This applies to files on your computers, data in your cloud apps, and anything sent over email or the internet.
What to do: Enable encryption on your devices and cloud services. Use encrypted email for sensitive data. Check that your software vendors encrypt data in transit.
6. Implement Multi-Factor Authentication (MFA)
MFA is required for anyone accessing customer information on your systems. This means a password alone isn’t enough — users also need a second factor such as a code sent to their phone or an authenticator app.
What to do: Turn on MFA for email, cloud storage, accounting software, and any system containing customer data.
7. Secure Development Practices (If Applicable)
If your business develops software or applications that handle customer data, you need to follow secure development practices. For most small businesses this doesn’t apply — but if you run a custom web portal for clients, it might.
What to do: If applicable, implement code reviews and security testing for customer-facing applications.
8. Employee Security Training
Everyone on your team who handles customer data needs security awareness training. The rule doesn’t specify frequency, but annual training is the minimum standard. Training needs to cover recognizing threats, handling data properly, and reporting incidents.
What to do: Deliver security training at least annually. Document completion with sign-off records.
9. Create an Incident Response Plan
You need a written plan for what happens if customer data is compromised. Who do you call? What steps do you take? How do you notify affected customers? This plan needs to exist before an incident happens.
What to do: Write a step-by-step response plan. Include contact information, notification procedures, and recovery steps.
⚠️ Penalties for Non-Compliance
The FTC isn’t just issuing guidelines and hoping for the best. They’re actively enforcing the Safeguards Rule with real consequences.
What you’re facing:
- Up to $50,120 per violation — and each affected customer record can count as a separate violation
- FTC enforcement actions that become public record (bad for your reputation)
- Consent orders requiring years of supervised compliance
- Personal liability for business owners in some cases
- Civil lawsuits from affected customers
Recent enforcement examples:
The FTC has taken action against auto dealerships, tax preparation companies, and financial services firms that failed to protect customer data. In several cases, the FTC didn’t wait for a breach — they took action simply because the businesses lacked adequate security programs.
In 2024 alone, the FTC sent warning letters to over 100 businesses about Safeguards Rule deficiencies. These letters often precede formal enforcement actions.
The bottom line:
The cost of compliance is a fraction of the cost of a single penalty. A basic information security program costs a small business a few hundred dollars and a weekend of work. A single FTC violation can cost tens of thousands.
If you’re also dealing with US cyber insurance requirements, the good news is that FTC compliance and insurance requirements overlap significantly.
🛠️ How Small Businesses Can Comply (Practical Steps)
You don’t need a $50,000 cybersecurity consultant to comply with the Safeguards Rule. Here’s what actually works for small teams.
Step 1: Get your documentation in order
The FTC expects written evidence. That means policies, procedures, training records, and assessment reports — all documented and signed.
What you need:
- Written information security policy
- Risk assessment document
- Employee training records with completion dates
- Incident response plan
- Access control procedures
Our Compliance Kits include ready-to-use templates for all of these. You fill in your company details, deliver the training, and you’ve got audit-ready documentation. The training modules, quizzes, and policy templates map directly to FTC Safeguards requirements.
Step 2: Implement technical controls
Turn on the security features you probably already have access to:
- Enable MFA on all business accounts
- Turn on device encryption (BitLocker for Windows, FileVault for Mac)
- Review user permissions and remove unnecessary access
- Ensure your cloud providers encrypt data in transit
Step 3: Train your team
Deliver security awareness training and document it. You need:
- Training completion records for every employee
- Signed acknowledgment forms
- Quiz or assessment results showing comprehension
For detailed guidance on building your cybersecurity documentation for insurance and compliance, our documentation guide walks you through the process step by step.
Step 4: Test and review
The Safeguards Rule requires ongoing monitoring. Schedule quarterly reviews to:
- Check that access controls are current
- Verify MFA is still active on all accounts
- Review any security incidents that occurred
- Update your risk assessment if anything changed
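The quarterly review above, together with the access-control (requirement 3) and MFA (requirement 6) items earlier in this guide, can be partly automated against an account export from your email or cloud apps. The Python script below is an added example and is not part of this guide or any vendor’s tooling; the CSV export format, the staff roster and the 90-day idle threshold are constructed assumptions, so adjust the column names to whatever your provider actually exports. It flags accounts with customer-data access but no MFA, shared logins, accounts whose owner is no longer on staff (an offboarding gap), and accounts that have gone unused, and tags each finding with the requirement number it relates to so the output can go straight into your review record.

```python
"""
Quarterly access review helper (added example, not from the guide).

Flags the account conditions the Safeguards checklist calls out:
no MFA on customer-data accounts, shared logins, accounts belonging
to people who have left, and stale accounts. All input data below is
constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed account export from a hypothetical cloud app.
# Real exports vary by vendor; adjust the column names to match yours.
ACCOUNT_EXPORT_CSV = """\
username,owner,role,mfa_enabled,last_login,status,handles_customer_data
alice,Alice Chen,admin,yes,2026-03-10,active,yes
bob,Bob Diaz,user,no,2026-03-12,active,yes
frontdesk,SHARED,user,no,2026-03-14,active,yes
carol,Carol Ng,user,yes,2025-10-01,active,yes
dave,Dave Ortiz,user,yes,2026-03-01,active,yes
erin,Erin Park,user,yes,2026-02-20,active,no
"""

# Constructed current-staff roster from HR. Dave left last month but
# his account is still active, which is exactly the offboarding gap
# the access-control requirement is about.
CURRENT_STAFF = {"Alice Chen", "Bob Diaz", "Carol Ng", "Erin Park"}

# Assumption (not from the rule): accounts idle longer than this are "stale".
STALE_AFTER_DAYS = 90


def parse_accounts(csv_text):
    """Parse the export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["mfa_enabled"] = row["mfa_enabled"].strip().lower() == "yes"
        row["handles_customer_data"] = row["handles_customer_data"].strip().lower() == "yes"
        row["last_login"] = date.fromisoformat(row["last_login"].strip())
        rows.append(row)
    return rows


def review_accounts(accounts, current_staff, today, stale_after_days=STALE_AFTER_DAYS):
    """Return a list of findings; each names the requirement it maps to."""
    findings = []
    for a in accounts:
        if a["status"] != "active":
            continue  # disabled accounts are not an exposure
        # Requirement 6: MFA for anyone accessing customer information.
        if a["handles_customer_data"] and not a["mfa_enabled"]:
            findings.append({"req": 6, "account": a["username"],
                             "issue": "no MFA on account with customer-data access"})
        # Requirement 3: no shared logins.
        if a["owner"].upper() == "SHARED":
            findings.append({"req": 3, "account": a["username"],
                             "issue": "shared login; assign individual accounts"})
        # Requirement 3: proper offboarding; owner no longer on staff.
        elif a["owner"] not in current_staff:
            findings.append({"req": 3, "account": a["username"],
                             "issue": "owner not on current staff roster; disable account"})
        # Requirement 3: unused accounts are unnecessary access.
        if (today - a["last_login"]).days > stale_after_days:
            findings.append({"req": 3, "account": a["username"],
                             "issue": f"no login in {stale_after_days}+ days; confirm still needed"})
    return findings


def summarize(findings):
    """Count findings per requirement number, for the review record."""
    counts = {}
    for f in findings:
        counts[f["req"]] = counts.get(f["req"], 0) + 1
    return counts


def run_review(today_iso="2026-03-16"):
    """Run the whole review over the constructed data for a given review date."""
    accounts = parse_accounts(ACCOUNT_EXPORT_CSV)
    return review_accounts(accounts, CURRENT_STAFF, date.fromisoformat(today_iso))


if __name__ == "__main__":
    findings = run_review()
    for f in findings:
        print(f"Req {f['req']}: {f['account']}: {f['issue']}")
    print("Summary:", summarize(findings))
```

Run it once a quarter against a fresh export and a fresh HR roster, and keep the printed findings (plus a note of what you did about each) with your review record; a review that produces zero findings is still worth filing, because it shows the check was performed.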
🌍 FTC Safeguards Rule vs GDPR: Quick Comparison
If your business operates in both the US and EU (or serves customers in both markets), you may need to comply with both. Here’s how they compare:
| Requirement | FTC Safeguards Rule | GDPR |
|---|---|---|
| Scope | Customer financial data (US) | All personal data (EU/EEA) |
| Written security program | ✅ Required | ✅ Required |
| Risk assessment | ✅ Required | ✅ Required (DPIA) |
| Designated responsible person | ✅ Qualified Individual | ✅ Data Protection Officer (in some cases) |
| Employee training | ✅ Required | ✅ Required |
| Encryption | ✅ Required | ✅ Recommended / expected |
| MFA | ✅ Required | Not specifically mandated |
| Incident response plan | ✅ Required | ✅ Required (72-hour notification) |
| Breach notification | Varies by state | ✅ 72 hours to supervisory authority |
| Penalties | Up to $50,120 per violation | Up to €20M or 4% of global revenue |
The overlap is significant. If you’re already GDPR compliant, you’re most of the way to FTC Safeguards compliance. The main additions are the MFA requirement and the specific “Qualified Individual” designation.
For a deeper dive into compliance frameworks, see our SMB Cybersecurity Compliance Guide.
📅 30-Day FTC Safeguards Compliance Plan
Here’s a realistic week-by-week action plan for a small business with 1–20 employees.
Week 1: Foundation
- Designate your Qualified Individual (put it in writing)
- Create a data inventory — list all customer financial data you hold
- Identify where that data is stored (computers, cloud, paper files, email)
- Download or prepare your policy templates
Week 2: Risk Assessment & Policies
- Complete your risk assessment using your data inventory
- Write (or customize) your information security policy
- Draft your incident response plan
- Document your access control procedures
Week 3: Technical Controls
- Enable MFA on all accounts that access customer data
- Verify encryption is active on all devices and cloud services
- Review and tighten access permissions (remove old accounts, shared logins)
- Set up backup verification if not already in place
Week 4: Training & Finalization
- Deliver security awareness training to all employees
- Collect signed training acknowledgment forms
- Compile all documentation into a compliance binder (digital or physical)
- Schedule your first quarterly review date
That’s it. Four weeks, a few hours each week, and you’re compliant. You can use our cyber insurance renewal checklist to double-check your documentation — most of the same documents serve both purposes.
❓ Frequently Asked Questions
“My business has fewer than 10 employees. Do I still need to comply?”
Yes. The FTC Safeguards Rule has no minimum employee count. If your business meets the definition of a “financial institution” (which is very broad), you need to comply regardless of size. The only partial exemption is for businesses with fewer than 5,000 customer records — and even then, most requirements still apply.
“Can I designate myself as the Qualified Individual?”
Absolutely. For most small businesses, the owner is the Qualified Individual. You don’t need a security certification or technical background. You just need to take responsibility for overseeing the security program and stay informed about the basics.
“How often do I need to update my risk assessment?”
The rule doesn’t specify a fixed schedule, but best practice is to review your risk assessment at least annually — or whenever something significant changes (new software, new employee, new type of customer data, a security incident). Annual reviews also satisfy most cyber insurance requirements.
“What if I use a third-party IT provider for everything?”
You can outsource your security program management to a vendor or MSP, but you can’t outsource accountability. The FTC holds your business responsible for compliance. Make sure your provider gives you documentation you can show to regulators if asked.
📚 Related Resources
US Compliance & Insurance
- US Cyber Insurance Requirements for Small Business — What US insurers expect from small businesses
- Cybersecurity Documentation for Insurance Renewals — How to build audit-ready documentation
- Cyber Insurance Renewal Checklist — Step-by-step renewal preparation
Compliance Foundations
- SMB Cybersecurity Compliance Guide — Complete compliance overview for small teams
- Compliance Kits — Training modules, policy templates, and checklists
🚀 Get FTC Safeguards-Ready This Week
Our free cybersecurity training kit gives you the foundation to meet FTC Safeguards training requirements — including employee training slides, quizzes, completion certificates, and policy templates.
- ✅ Covers employee security training (Requirement #8)
- ✅ Includes policy templates for your written security program
- ✅ Provides audit-ready documentation and sign-off records
- ✅ Designed for teams of 1–20 employees
Download the Free Training Kit →
- ⚡ No signup wall — instant access
- ⚡ Works for FTC Safeguards, insurance renewals, and general compliance
📋 GDPR Compliance Documentation Kit
Download GDPR-aligned policy templates, staff training records, and audit checklists. Pass your compliance audit with confidence.