FTC Compliance
Test existing security controls with consistent and ongoing penetration testing to meet the FTC's Revised Safeguards Rule and stay ahead of evolving security threats with FTC penetration testing.

Overview of FTC Safeguards Rule

The Federal Trade Commission (FTC) "Standards for Safeguarding Customer Information" (commonly referred to as the Safeguards Rule) is a set of requirements issued under Section 501(b) of the Gramm-Leach-Bliley Act (GLBA). It requires financial institutions under FTC jurisdiction, a category that includes auto dealerships that extend or arrange financing, to implement and maintain a comprehensive, documented information security program. Issued to protect consumer information and to mitigate identity theft, privacy violations, and misuse of confidential data, the Safeguards Rule was first issued in 2002 and took effect on May 23, 2003.

By now, financial institutions and dealerships are familiar with the Safeguards Rule's core requirement to develop, implement, and maintain a comprehensive written information security program. The Revised Safeguards Rule, however, requires organizations to update those programs and implement new compliance measures by December 9, 2022.

Meet FTC Safeguards Rule Revision Requirements with Penetration Testing

FTC Safeguards Rule Revisions

December 9, 2022 - Required Revisions Take Effect

Effective December 9, 2022, financial institutions (including dealerships) are required to revise their information security programs and implement new security measures. To remain compliant, each organization must either continuously monitor its information systems or perform annual penetration testing together with vulnerability assessments at least every six months (and whenever material changes to operations or business arrangements occur).

The new requirements include:

  • The designation of a "Qualified Individual" to oversee information security and implement specific technical measures.
  • Preparation of a series of written documents, including:
    1. A written security risk assessment
    2. A written information security program (revised to include new requirements)
    3. A written incident response plan
    4. Written reports to the board of directors or equivalent regarding information security
  • Implementation of specific IT technical requirements, including:
    1. Encryption of customer information in transit and at rest
    2. Multi-factor authentication
    3. Systems monitoring, penetration testing, and vulnerability assessments
  • Implementation of specific procedural requirements, including the development and ongoing monitoring of:
    1. Access controls to customer information
    2. Inventory of systems that handle customer information
    3. Secure software development and utilization practices
    4. Disposal procedures for customer information
    5. Change management procedures
  • Employee training and management
    1. Security awareness training that is updated when necessary to reflect and educate employees on current risks facing the organization.
  • Periodic review of service providers' security practices

Note: Organizations must take steps throughout 2022, in advance of this date, to meet the deadline. (On November 15, 2022, the FTC extended the compliance date for these specific provisions by six months, to June 9, 2023; the remainder of the Revised Rule remained effective as of January 10, 2022.)

  • January 10, 2022 - The Revised Safeguards Rule Takes Effect
  • December 9, 2021 - FTC Publishes Revised Safeguards Rule

    The FTC publishes revisions to the Safeguards Rule (also referred to as the Revised Safeguards Rule or Revised Rule), which expand the existing requirements and add new ones.

    Original Safeguards Rule
    • Required conducting risk assessments.
    • Required regular testing and/or monitoring of the key controls, systems, and procedures used to protect customer information.

    Revised Safeguards Rule
    • Risk assessments must be written and repeated periodically going forward.
    • Testing or monitoring must be reasonably designed to detect actual and attempted attacks on, or intrusions into, information systems.

  • May 23, 2003 - The FTC Safeguards Rule Takes Effect
  • 2002 - The FTC Safeguards Rule is First Issued

Next Steps to Compliance

Our team of testers is made up of certified professionals, ready to help you uncover exploitable security vulnerabilities and meet FTC Safeguards Rule requirements. At the end of your project, we deliver a comprehensive report of our findings, including remediation recommendations. We also offer free remediation re-testing for up to six findings within six months of project completion. Schedule a call with our team to discuss your specific security needs.
