Compliance · February 1, 2026

What the FTC Safeguards Rule Means for Your Business in 2026

eTop

BJ Pote

CEO, eTop Technology

If you run a business that handles any kind of financial information, there’s a good chance the FTC Safeguards Rule applies to you. And if you haven’t taken a hard look at your IT security posture recently, 2026 is the year to do it.

We talk to business owners across the Inland Empire every week, and the most common reaction we get when we bring up the Safeguards Rule is something like: “Wait, that applies to us?” The short answer is probably yes, and the penalties for non-compliance aren’t theoretical anymore.

What Is the FTC Safeguards Rule?

The FTC Safeguards Rule is part of the Gramm-Leach-Bliley Act, and it requires “financial institutions” to develop, implement, and maintain a comprehensive information security program. Now, before you tune out because you’re not a bank, here’s the thing: the FTC defines “financial institution” way more broadly than you’d expect.

If your business is involved in any of the following, you’re likely covered:

  • Tax preparation or accounting services
  • Auto dealerships that arrange financing
  • Mortgage brokers and real estate settlement services
  • Investment advisory firms
  • Insurance agencies
  • Payday lenders and check cashing services
  • Businesses that wire money or provide financial data processing
  • Collection agencies

That’s a lot of businesses that don’t think of themselves as “financial institutions.” But the FTC does.

What the Rule Actually Requires

The updated rule, which went into full effect in 2023 and continues to be actively enforced, lays out specific technical and administrative requirements. This isn’t a “do your best” situation. There are concrete things you need to have in place.

Designate a Qualified Individual. Someone needs to be responsible for your information security program. This can be an internal employee or an outsourced provider like a managed IT partner. But there has to be a named person accountable.

Conduct a Risk Assessment. You need a written risk assessment that identifies internal and external threats to customer information. This needs to be updated regularly, not just done once and filed away.

Implement Specific Safeguards. This is where it gets technical. The rule requires:

  • Access controls to limit who can view customer information
  • Encryption of customer data both in transit and at rest
  • Multi-factor authentication for anyone accessing customer information
  • Inventory of all systems and devices that store or process customer data
  • Continuous monitoring or annual penetration testing and vulnerability assessments
  • Secure disposal procedures for customer data
  • Change management processes for your information systems

Employee Training. Your team needs regular security awareness training. Not a one-time video they click through during onboarding, but ongoing education about phishing, social engineering, and data handling procedures.

Incident Response Plan. You need a documented plan for what happens when (not if) a security incident occurs. Who do you call? How do you contain the damage? How do you notify affected customers?

Vendor Management. If you share customer data with service providers, you need to assess their security practices and contractually require them to maintain appropriate safeguards.

Common Compliance Gaps We See

After working with dozens of businesses on compliance, we see the same gaps over and over:

No MFA on critical systems. Multi-factor authentication is non-negotiable under the Safeguards Rule, but we still find businesses where email, accounting software, and even network access are protected by passwords alone.

No encryption on laptops and mobile devices. If an employee’s laptop gets stolen from their car, is the data on it encrypted? For a surprising number of businesses, the answer is no.

No documented policies. Many businesses have decent security practices in place informally but nothing written down. The FTC wants to see documentation. If it’s not documented, it didn’t happen.

Stale risk assessments. A risk assessment from 2022 doesn’t cut it. Your business has changed, the threat landscape has changed, and your assessment needs to reflect current reality.

No incident response plan. This is one of the most commonly missing pieces. Businesses assume they’ll figure it out if something happens. That’s not a plan, and it’s not compliant.

A Practical Compliance Approach

Getting compliant doesn’t have to be overwhelming, but it does require a systematic approach. Here’s how we walk businesses through it:

Step 1: Assess where you stand. We do a gap analysis comparing your current security posture against the Safeguards Rule requirements. This gives you a clear picture of what’s missing.

Step 2: Prioritize by risk. Not everything needs to happen at once. We help you prioritize based on what poses the greatest risk to customer data and what the FTC is most likely to look for.

Step 3: Implement the technical controls. This is where we deploy MFA, encryption, monitoring tools, access controls, and backup systems. For most businesses, this takes 4 to 8 weeks.

Step 4: Build the documentation. Policies, procedures, risk assessments, incident response plans. We help you create these so they’re thorough but practical, not 200-page documents nobody reads.

Step 5: Train your team. We set up ongoing security awareness training that keeps your employees sharp without eating up their entire workday.

Step 6: Monitor and maintain. Compliance isn’t a one-time project. We provide continuous monitoring, regular assessments, and policy updates so you stay compliant as things change.

The Cost of Getting It Wrong

The FTC has been increasingly aggressive about enforcement. Fines can reach into the millions, and that’s before you factor in the reputational damage of a breach. For businesses in the Inland Empire competing for local trust and relationships, a compliance failure can be devastating.

But here’s what we tell clients: the cost of compliance is a fraction of the cost of a breach. The same controls that make you compliant also make you significantly harder to attack. It’s not just a checkbox exercise. It’s genuinely better security for your business.

Let’s Figure Out Where You Stand

If you’re not sure whether the Safeguards Rule applies to your business, or you know it does and you’re not sure where you stand, we can help. We offer a free compliance assessment that gives you a clear picture of your gaps and a practical roadmap to close them. No pressure, no scare tactics. Just a straightforward look at where you are and what it takes to get compliant.


eTop Technology has spent over 15 years in IT and over 12 years serving the Inland Empire as a trusted managed IT provider. We host the Business Tech Playbook podcast and are passionate about helping business leaders make smarter technology decisions.
