On May 13, 2024, the Federal Trade Commission's amendment to the Safeguards Rule (16 CFR Part 314) took full effect, requiring non-banking financial institutions to notify the FTC within 30 days of discovering a notification event involving the unencrypted personal information of 500 or more consumers. The amendment was published at 88 FR 77499 on November 13, 2023, and completes the multi-phase Safeguards Rule overhaul that began with the December 9, 2021 final rule, whose compliance dates for most provisions were extended to June 9, 2023. Combined with the original Gramm-Leach-Bliley Act of 1999 (Public Law 106-102) and the 2001 Privacy Rule, the FTC's current Safeguards Rule now constitutes one of the most prescriptive information security regimes for non-bank financial institutions, including mortgage brokers, auto dealers, tax preparers, investment advisers that are not SEC-registered, and an expanding set of fintech entities.
Who Is Covered by the FTC Safeguards Rule?
Section 314.1(b) applies the Rule to financial institutions as defined in 16 CFR 313.3(k) — entities that are significantly engaged in activities that are financial in nature as described in section 4(k) of the Bank Holding Company Act of 1956. The 2021 amendments added "finders" to the definition, sweeping in matchmaking services that connect buyers and sellers of financial products. Banks, credit unions, and most other depository institutions fall under their primary banking regulator's parallel Interagency Guidelines (12 CFR Part 30, Appendix B for OCC-regulated institutions, 12 CFR Part 364, Appendix B for FDIC-regulated, etc.), not the FTC Rule. Broker-dealers and investment advisers are under SEC Regulation S-P, which was substantially amended on May 16, 2024.
What Changed in the 2021 and 2023 Amendments?
The December 2021 amendment added the nine-element Information Security Program requirement in §314.4, including designation of a Qualified Individual, a written risk assessment, access controls, encryption of customer information, multi-factor authentication, secure disposal, change management, monitoring, and penetration testing. The November 2023 amendment added §314.4(j), the 30-day FTC notification requirement, and clarified that a "notification event" is the acquisition of unencrypted customer information without authorization. The notification must be submitted electronically to the FTC and must include, among other required elements, a description of the event, the types of information involved, and the number of consumers affected.
How Does §314.4(f) Flow Requirements to Service Providers?
Section 314.4(f) requires covered institutions to "oversee service providers" by (1) taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards; (2) requiring service providers by contract to implement and maintain such safeguards; and (3) periodically assessing service providers based on the risk they present and the continued adequacy of their safeguards. For the software supply chain, this makes software vendors, including SaaS vendors and commercial support providers for open-source software, service providers whenever they handle customer information. Contracts signed or renewed after June 9, 2023 must flow the Safeguards Rule language down explicitly.
What Does §314.4(c) Access Controls and §314.4(d) Security Testing Mean for Software?
Section 314.4(c)(1) requires placing access controls on information systems, including authenticating users and permitting access only to authorized users, to protect against unauthorized acquisition of customer information. Section 314.4(d)(2) requires either continuous monitoring or annual penetration testing plus twice-yearly vulnerability assessments. The FTC's 2023 blog post clarifying the rule confirmed that "vulnerability assessment" includes assessing the open-source and commercial software components used in the information system. Covered institutions that rely on cloud-hosted software must be able to evidence that their access controls and vulnerability assessments reach the software components in use.
What Is the Scope of the 30-Day FTC Notification?
Under §314.4(j), a notification event exists when unencrypted customer information of at least 500 consumers has been, or is reasonably believed to have been, acquired without authorization. The 30-day clock starts upon discovery. The notification must be submitted via the FTC's online reporting form, and the FTC has indicated it will make notifications public (with redactions) on its website. Customer notification is not federally mandated under GLBA itself, but state laws — including California Civil Code §1798.82, New York General Business Law §899-aa, and Massachusetts M.G.L. c. 93H §3 — impose their own timelines. The Securities and Exchange Commission's May 2024 amendments to Regulation S-P Rule 30 impose a parallel 30-day notification on broker-dealers and investment advisers.
What Are the Penalties for Non-Compliance?
The FTC enforces the Safeguards Rule under its Section 5 authority. Civil penalty authority was strengthened by the FTC Act and the 2021 amendments to the Federal Civil Penalties Inflation Adjustment Act: the maximum civil penalty for violations of Commission orders or Rules under FTC authority adjusted to USD 51,744 per violation as of 2024 (16 CFR 1.98). In the Drizly enforcement order (2022) and the Chegg order (2022), the FTC imposed comprehensive information security programs, 20-year compliance monitoring, and restrictions on data collection. State attorneys general retain concurrent authority under GLBA §507 for enforcement against their residents and often pursue parallel actions under state UDAP and data-breach statutes.
How Does This Intersect With SEC Regulation S-P and State Laws?
The SEC's May 16, 2024 amendment to Regulation S-P (Release No. 34-100155) harmonizes broker-dealer and investment adviser obligations with the FTC Rule, adding a 30-day customer notification requirement as well as vendor oversight obligations. States are adding their own requirements: the New York DFS Cybersecurity Regulation (23 NYCRR Part 500), updated in November 2023, tightens MFA and SBOM-aligned expectations, and the California CPRA implementing regulations require contractual flow-down of security obligations to service providers. A covered financial institution operating across multiple states, with both broker-dealer and FTC-regulated affiliates, now faces a patchwork of obligations that share a common DNA.
How Safeguard Helps
Safeguard provides the SBOM-based asset inventory and continuous component vulnerability monitoring that §314.4(c) and §314.4(d) now demand, with evidence logged against each build and each deploy. Griffin AI reachability analysis focuses remediation on the components that actually reach customer information, meeting the risk-based expectations in §314.4(b) risk assessment. TPRM workflows keep §314.4(f) service-provider oversight evidence current across hundreds of vendors with contractual flow-down tracking, and policy gates enforce the access-control and vulnerability thresholds in CI/CD. Compliance mapping aligns the Safeguards Rule with SEC Regulation S-P, NYDFS 23 NYCRR 500, and NIST SP 800-53 so a single evidence pack supports examinations from multiple regulators.