Skip to Content

FTC Sharpens Its Cyber Enforcement Tool by Amending and Expanding the Safeguards Rule

In the culmination of a process that began in 2016, the Federal Trade Commission (FTC) last week issued a final rule to amend the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act. The Safeguards Rule requires non-banking financial institutions under FTC jurisdiction, such as payday lenders and mortgage brokers, to have measures in place to keep customer information secure.

Amendments to the Safeguards Rule

On October 27, 2021, the FTC voted 3–2 to amend the Safeguards Rule to “better protect the American public from breaches and cyberattacks.” Using the New York State Department of Financial Services cybersecurity requirements as its model, the FTC has five main modifications to the existing Safeguards Rule.

  1. The amended rule requires covered institutions to implement specific safeguards as part of their written information security program (WISP), including access controls, authentication requirements, and “encryption to secure ... data.”
  2. The amended rule also aims to improve the accountability of WISPs by requiring institutions to explain their information-sharing practices in additional detail. It also requires periodic reporting to the board of directors of the overall status of the company’s WISP and compliance with the rule, among other material matters.
  3. The amended rule carves out an exemption for financial institutions that maintain customer information for fewer than 5,000 customers. Under the exemption, certain provisions, such as those requiring monitoring and periodic penetration testing, do not apply to those small businesses.
  4. It requires the designation of a single qualified individual to oversee the company’s WISP, whereas the prior version of the rule requires companies to designate “one or more” individuals for this role.
  5. Finally, the FTC expanded the rule’s scope by amending the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities, such as “finders” — companies that bring together buyers and sellers of a financial product (if that product falls within the scope of the rule). The updated definition aligns with other federal agencies’ safeguards rules, which already include such activities in their definition of a financial institution.


Proposed Notification Requirement

In addition to the issuance of the amended Safeguards Rule, the FTC issued a notice of supplemental rulemaking, for a rule that would require covered institutions to report certain cybersecurity events to the agency. Under the proposal, if the company determines that customer information has been, or is reasonably likely to be, misused and that 1,000 or more consumers have been, or reasonably may be, affected by the incident, it must report the event to the agency “as soon as possible and no later than 30 days” following discovery. The proposed standard for reporting harmonizes the current standard for customer notices under the Interagency Guidelines Establishing Information Security Standards.


Companies have 30 days or one year from publication in the Federal Register, depending on the provision, to comply with the amendments. Once the amended rule takes effect, the legal risk from noncompliance is substantial. In the meantime, covered institutions should familiarize themselves with the Safeguards Rule and review their WISPs to ensure compliance. As to the proposed notification requirement, commenters will have 60 days to submit comments once the notice is published in the Federal Register.

©2024 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.


The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.