Earlier this year we wrote about amendments made to the Safeguards Rule. The rule is applicable to financial institutions and their data security covering nonpublic personal information subject to the federal Gramm-Leach-Bliley Act (GLBA).

One of the takeaways from that article is that a “financial institution” under the rule is far broader than a bank or credit union. In fact, many businesses that do not provide a financial product or service are considered “financial institutions.”

As a result, the amended Safeguards Rule captures all sorts of businesses that would never identify themselves as “financial institutions.” The amended rule gives examples of travel agencies, career counselors, and accountants, which can be covered by the rule if they engage in certain activities.

Determining whether your business engages in activities that can trigger coverage is discussed by the Federal Trade Commission in just released guidance entitled “FTC Safeguards Rule: What Your Business Needs to Know.”


The FTC does a good job of explaining the scope of the types of entities covered by the rule:

First, consider that the Rule defines “financial institution” in a way that’s broader than how people may use that phrase in conversation. Furthermore, what matters are the types of activities your business undertakes, not how you or others categorize your company.

With this in mind, the FTC reminds us that it has been nearly 20 years since the Safeguards Rule was first adopted so “[e]ven if your company wasn’t covered by the original Rule, your business operations have probably undergone substantial transformation in the past two decades.” By focusing on “the types of activities” a business engages in, the rule captures businesses “significantly engaged in financial activities.” If you are not a financial services compliance professional or attorney, this language does not help in explaining the scope of covered activities.

But the amended rule does provide some examples of the types of activities that could cause your business to be covered by the rule, as well as examples of business activities that are not covered. For example, even if your business activities bring you within the rule, if you “maintain customer information concerning fewer than five thousand consumers,” then your business gets an exemption from certain portions of the rule.

However, the exemption does not extend to one of the most time consuming and possibly expensive requirements of the rule — oversight of service providers. Service providers are entities your business engages that receive, maintain, process, or you allow to access your customer information that is covered by the rule.


Even if your business is not itself subject to the rule, it can still be impacted by these amendments if you provide services to covered entities. The “service provider” oversight could mean you will soon be receiving inquiries from your customers or clients that are subject to the rule. The amended rule requires covered entities to:

  • Choose service providers “that are capable of maintaining appropriate safeguards for the customer information at issue;”
  • Require “service providers by contract to implement and maintain such safeguards;” and
  • Periodically assess their service providers based on certain criteria.

If your company “receives, maintains, processes” or has access to your client’s covered customer information, between now and December you should be receiving inquiries from your customers concerning whether your business has “appropriate safeguards” in place to protect their covered information. These inquiries will address many of the same topics that apply to covered entities such as whether you maintain an information security program based on a risk assessment, the data security safeguards you have in place, and whether you subject these safeguards to testing and monitoring, to name a few.

The rule already requires covered entities to require data security safeguards by contract. And with the enhanced requirements of the amended rule coming into effect in a few months, a vendor’s failure to have adequate data security protections in place could lead to contract termination.