What is the FTC Safeguards Rule?

In 1999, The Federal Trade Commission (FTC) initiated The FTC Gramm-Leach-Biley Act’s (GLBA) Safeguards Rule in an effort to safeguard consumers and protect personal information from getting into the wrong hands.

FTC Summary: “The Safeguards Rule requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.”

Back then, a rather loosely framed rule which finally took effect in 2003, was considered adequate. 


Fast forward twenty years later, the cyber-landscape has changed. The volume and severity of data breaches worldwide have exploded. Leaked data has included social security numbers, home addresses, email addresses, phone numbers, birthdays, and other sensitive and personally identifiable information that, when compromised, could have harmful – even devastating – consequences for the individual, and for companies as well. Data breaches cost businesses an average of $4.35 million in 2022, and that number is expected to continue to rise.

So, the FTC realized that more needed to be done. Once guidelines were based on a kind of honor system where businesses were trusted to do the right thing. Now, because of breaches like the Equifax incident, where, despite adherence to FTC Safeguard Rule guidelines, millions of records were stolen, it became clear companies needed better security and to be held accountable.

The FTC Safeguards Rule was amended in 2021 and will go into effect in June of this year. It not only requires companies to be compliant but also to prove that they are. 

Here’s what the New Rule requires:

Designating a qualified security individual to oversee a proper information security program

Risk assessment.

Access restrictions. Financial institutions will be required to implement technical and physical access controls that authenticate only authorized users and limit authorized users’ access to information as required to perform their duties and functions. Financial institutions must also implement other access requirements, such as multifactor authentication for individuals’ access to information systems.

Encryption. Financial institutions will be required to encrypt all customer information in transit or at rest.

Training. Financial institutions will need to provide all personnel with security awareness training and update such training to reflect identified security risks.

Incident response plan. Financial institutions that maintain customer information for 5,000 consumers or more must establish a written incident response plan.

Periodic assessments. Financial institutions that maintain customer information for 5,000 consumers or more will be required to have continuous monitoring to detect changes in information systems that may create vulnerabilities.

Data minimization. Financial institutions are required to develop, implement, and maintain procedures for the secure disposal of customer information. …

What Does the FTC Mean by Financial Institution?

The FTC’s definition of a financial institution needs some clarification. Not the same term you hear in everyday conversation, a financial institution includes entities like ‘finders’ – companies that put buyers and sellers together before they finalize a transaction. 

To help you determine if your company is covered, Section 314.2(h) of the Rule lists 13 examples that the FTC does consider financial institutions, including: 

  • A retailer that extends credit
  • An automobile dealership
  • A Real Estate appraiser
  • A career counselor in the financial industry
  • A check casher
  • A collection agency
  • A wire transfer service
  • An accountant
  • A business that operates a travel agency in connection with financial services
  • A Real Estate settlement service
  • A mortgage broker
  • An investment advisory or credit counseling service
  • Finders

How can we help?

  1. The FTC specifically calls for the implementation of “multi-factor authentication [MFA] for anyone accessing customer information on your system. …”

While legacy systems and software struggle to enable an MFA solution that meets the criteria, without complicating the access process, TraitWare meets and exceeds the requirements, providing CISA-recommended Phishing-resistant MFA. TraitWare eliminates ‘Phishable’ knowledge factors like the password. This not only makes login vastly more secure but dramatically reduces friction for the user because the MFA is built-in to the solution, not simply layered on top of a legacy system.

TraitWare meets the criteria by deploying an agent on Windows devices operating on legacy systems and applications. This agent then integrates into a modern authentication platform delivering Passwordless MFA and Passwordless SSO combined for cloud applications. This meets and exceeds the guide recently put out by CISA

2. Another requirement in the rule is the following: 

“Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access.”

TraitWare will uniquely identify a user on a shared legacy application (multiple parts counter employees accessing the same account). We log each access request for the individual user while allowing them to access a joint account.

Customer Use Case:

TraitWare has successfully deployed to an auto group that is using the platform daily for strong authentication access control to Windows endpoints and servers along with cloud apps such as Google Workspace.  This was achieved through an MSP partner that was searching for a solution not previously available. 

The Bottom Line


It’s clear that it’s no longer just the big banks that need to adhere to these rules. It’s businesses of all sizes. As we’ve mentioned, 60% of small to mid-sized companies that suffer a security breach will fail within 6 months.

The Pushback

Even despite the requirements for the FTC and others for proper security practices like strong MFA, the adoption rate remains low. Microsoft recently reported that only 28% of its enterprise users were using MFA. Globally only over half of businesses have deployed MFA. …

The #1 reason for pushback? Friction for the user.

We’ve fixed Friction. You can have superior security while simplifying login and access control for users and admins.

But don’t take our word for it. Find out how our customers feel. OR, See it in action!

If you’d like to book a personalized demo, we’d love to show you how it works.