A2Z Business IT | Carl de Prado

FTC Safeguards Rule Compliance: What Every Small Business Needs to Know in 2026

The FTC Safeguards Rule (16 CFR Part 314) isn’t new, but the amended requirements that took effect in June 2023, followed by an FTC breach-notification requirement in May 2024, have caught many small businesses off guard. If your business handles customer financial information, and that includes law firms, accounting practices, insurance agencies, and financial advisors, you’re required to develop, implement, and maintain a written information security program.

Here’s what that actually means and what you need to do about it.

Who Needs to Comply

The Safeguards Rule applies to “financial institutions” as defined by the FTC. That definition is broader than most people expect. It includes:

  • Tax preparation firms and accounting practices
  • Mortgage lenders and brokers
  • Insurance companies and agencies
  • Financial advisors and investment companies
  • Auto dealers that extend credit
  • Law firms that handle financial transactions or client funds
  • Real estate settlement companies
  • Collection agencies

Coverage turns on the financial activities you actually perform, not on your industry label, so if your business is involved in financial activities, even tangentially, you likely need to comply. One caveat for law firms: whether lawyers practicing law are “financial institutions” under the Gramm-Leach-Bliley Act has been litigated (in American Bar Association v. FTC, the D.C. Circuit rejected the FTC’s attempt to apply the GLBA Privacy Rule to attorneys in 2005), so get a determination from counsel rather than assuming coverage either way.

The Core Requirements

The amended Safeguards Rule (16 CFR § 314.4) requires nine elements in your information security program, and a 2024 amendment added a tenth: notifying the FTC of certain breaches, covered under the incident response plan below. Note that businesses holding customer information on fewer than 5,000 consumers are exempt from four of the written requirements (the written risk assessment, the written incident response plan, the annual report, and the continuous monitoring/penetration testing requirement), but every other element still applies.

1. Designate a Qualified Individual

Someone needs to be responsible for overseeing, implementing, and enforcing your security program. This can be an internal employee or an outsourced provider, but they need to be qualified and accountable. Many small businesses designate their managed IT provider for this role. If you do, the rule still holds you responsible: you must designate a senior member of your own staff to direct and oversee the provider, and the provider must maintain a security program that meets the rule.

2. Conduct a Risk Assessment

You need a written risk assessment that identifies reasonably foreseeable internal and external threats to customer information, states the criteria you use to evaluate and categorize those risks, and describes how the threats will be mitigated. This isn’t a one-time checklist; it needs to be updated regularly as your business and the threat landscape change.

3. Implement Safeguards

Based on your risk assessment, you must implement controls including:

  • Access controls — limit who can access customer information, and periodically review who still needs it
  • Data inventory — know what customer information you hold, where it lives (systems, devices, cloud services), and who can reach it
  • Encryption — protect customer information in transit over external networks and at rest; where encryption is infeasible, the Qualified Individual must approve an equivalent control in writing
  • Multi-factor authentication — required for any individual accessing any information system that holds customer information, unless the Qualified Individual approves a reasonably equivalent control in writing
  • Secure development practices — if you develop or test your own applications that handle customer information
  • Data disposal — secure deletion of customer information no later than two years after it was last used, unless retention is required for a legitimate business purpose or by law
  • Change management — procedures for changes to systems that hold customer information
  • Activity logging — monitor and log the activity of authorized users and detect unauthorized access or use

4. Monitor and Test

You must regularly test or monitor the effectiveness of your safeguards. The rule gives you a choice: either continuous monitoring of your systems, or, if you don’t have that, annual penetration testing plus vulnerability assessments at least every six months and whenever there is a material change to your operations or a known risk to your environment. Either way, log access to customer information and keep the results as evidence.

5. Train Your Staff

Every employee needs security awareness training, updated as risks change, and the people who run your security program need training that keeps their skills current. Not a one-time slideshow; ongoing training that keeps pace with evolving threats.

6. Monitor Service Providers

Any third-party vendor that accesses your customer data needs to meet your security standards. The rule requires three things: select providers capable of maintaining appropriate safeguards, require those safeguards by written contract, and periodically assess the provider against the risk it presents.

7. Keep Your Program Current

Your security program must evolve. The rule requires you to evaluate and adjust the program in light of your testing and monitoring results, any material change to your business operations, threats, or technology, and the results of risk assessments. In practice that means an annual review at minimum, with updates whenever something material changes.

8. Create an Incident Response Plan

You need a written plan for responding to security events that affect customer information. It should spell out the plan’s goals, who does what, how you contain and remediate the incident, how you communicate internally and externally, how you document the event and your response, and how you review the incident afterward to prevent recurrence. Since May 2024 the rule also requires you to notify the FTC as soon as possible, and no later than 30 days after discovery, when unencrypted customer information of at least 500 consumers is acquired without authorization. Notice to affected customers is a separate obligation under state breach-notification laws, and your plan should cover both.

9. Report to Leadership

Your Qualified Individual must report in writing, at least annually, to your board of directors or equivalent governing body (or, if you have none, to a senior officer) on the overall status of the security program, its compliance with the rule, and material matters such as risk assessment results, testing results, security events, and recommended changes.

What Happens If You Don’t Comply

The FTC has enforcement authority and has used it. Penalties can include:

  • Civil penalties that are adjusted for inflation every year (the per-violation figure was $50,120 in 2023 and has risen since), with each day of a continuing violation of an order counting separately
  • Required compliance monitoring
  • Mandatory third-party security audits
  • Public consent orders that damage your reputation

Beyond regulatory penalties, a data breach at a non-compliant business creates significant liability exposure.

Getting Started

If you haven’t started your compliance program, here’s the practical path forward:

  1. Get a risk assessment — understand your current security posture
  2. Identify gaps — compare your current controls against the nine requirements
  3. Prioritize remediation — address the highest-risk gaps first
  4. Document everything — compliance requires written policies and evidence
  5. Establish ongoing monitoring — this isn’t a one-time project

Most small businesses find it practical to partner with a managed IT provider who specializes in compliance. The cost of building and maintaining an internal compliance program typically exceeds the cost of outsourcing it to a qualified firm.

Need Help With FTC Compliance?

A2Z Business IT has helped dozens of law firms, financial advisors, and small businesses in Westchester County and throughout New York build compliant security programs. Contact us for a free compliance assessment, or book a call directly.


Carl de Prado is the founder of A2Z Business IT and a regular speaker on FTC Safeguards Rule compliance at bar associations and professional organizations across New York State. He has 19+ years in managed IT and cybersecurity, and A2Z Business IT is a Microsoft Partner.
