Skip to content
Security Noah Stegman

FTC Safeguards Rule: A Small Business IT Compliance Guide

The FTC Safeguards Rule requires certain businesses to meet specific IT security standards. Here is what South OC firms must do to stay compliant.

The FTC Safeguards Rule catches more South Orange County small businesses off guard than almost any other compliance requirement. If your firm handles financial data for clients — as a tax preparer, insurance agent, mortgage broker, or accounting practice — federal law requires you to maintain a written information security program with specific IT controls. Not best practice. Required.

The rule has been on the books for years, but a significant set of amendments took effect in 2023 that added far more specific technical requirements. Many of the small firms we talk to in Mission Viejo, Laguna Niguel, and Irvine know vaguely that they have “compliance stuff,” but could not tell you whether they actually meet the updated standard. This guide covers what the rule requires, who it covers, and what a defensible IT program actually looks like for a small South OC firm.

Who Does the FTC Safeguards Rule Actually Apply To?

This is where most small businesses get tripped up. The Safeguards Rule, issued under the Gramm-Leach-Bliley Act, applies to any company that qualifies as a “financial institution” under federal law — and the FTC defines that term broadly enough to catch many businesses that do not think of themselves as financial companies.

Covered businesses include:

  • Tax preparers and CPA firms that file returns or advise on financial matters
  • Mortgage lenders and brokers, including independent brokers
  • Insurance agents and agencies of all sizes
  • Financial advisors and registered investment advisors
  • Auto dealers that arrange or broker financing
  • Accountants who handle bookkeeping and financial reporting for clients
  • Real estate settlement service providers
  • Payday and personal finance lenders

The test is whether your business receives nonpublic personal financial information from consumers as part of providing a financial product or service. If the answer is yes, you are covered. The FTC publishes the complete rule and accompanying guidance at its legal library.

South Orange County has a high concentration of exactly these businesses — accounting and tax practices near the Alicia Parkway corridor in Laguna Hills, financial advisory firms clustered around Crown Valley in Laguna Niguel, mortgage and insurance offices throughout Irvine and Mission Viejo. The rule applies to them all, regardless of how many employees they have.

What the Safeguards Rule Requires: The Written Security Program

The centerpiece of the rule is a written information security program (WISP) — a documented plan that describes how your business identifies, assesses, and manages risks to the customer financial data in your care. You must designate a qualified individual to oversee it. That person can be an employee or an outside service provider, but someone has to own it.

The 2023 amendments layered specific technical requirements on top of the general WISP obligation. The updated rule now requires covered businesses to implement and maintain:

  • A formal, written risk assessment identifying where customer financial data lives and what realistic threats it faces
  • Access controls that limit employee access to only the data each person needs for their role
  • Multi-factor authentication (MFA) on any system that stores or accesses customer financial data
  • Encryption of nonpublic personal information, both in transit and at rest
  • A change management process governing how your systems are modified
  • Continuous monitoring or periodic testing to detect unauthorized activity
  • A patch management process to keep software current
  • A written and tested incident response plan
  • Vendor oversight — written agreements with service providers who handle your data on your behalf
  • Periodic employee security awareness training
  • Annual penetration testing and vulnerability assessments for businesses above a certain threshold

If you look at that list and think none of those things are in place or documented, you are far from alone — and you are exactly who the rule is designed to reach.

What Does a Risk Assessment Actually Look Like?

The risk assessment is the starting point for everything else, and in practice it means asking one honest question: where does client financial data actually live in our business?

The answer is almost always longer than expected. It typically includes email inboxes (often without adequate encryption), laptop and desktop hard drives, cloud storage with loose sharing permissions, accounting or tax preparation software, paper records, and backups that may themselves be unprotected. Each location is a risk surface.

From there, you document the realistic threats — phishing attacks that steal credentials, laptops lost or stolen from a car, unauthorized employee access to files beyond their role, ransomware that locks everything down, and breaches at third-party vendors. For each threat, you describe what controls you have in place and whether they are adequate.

The assessment does not have to be a hundred pages. It does have to be written, specific, and revisited at least annually or after any significant change to your business or systems. We help firms across South Orange County complete this as part of the work we do when we take over their managed IT environment.

Access Controls and Multi-Factor Authentication

Two of the most concrete and enforceable requirements in the rule are access controls and MFA. Both are achievable for any small firm, but most businesses we see for the first time have neither properly in place.

Access controls mean each person in your firm can only reach what they need for their specific job. A junior bookkeeper does not need access to every client file. A part-time receptionist does not need the ability to export client lists. Getting this right requires reviewing every user account and permission — something most small firms have not done systematically since they were founded.

Multi-factor authentication is required on any account that connects to customer information. If your team logs into your tax software, practice management platform, or accounting system with only a username and password, that does not meet the current standard. MFA adds a second verification step — a code sent to a phone or generated by an authenticator app — that stops an attacker from using a stolen password on its own.

Our post on why multi-factor authentication matters for small businesses covers how MFA works and how to roll it out without disrupting your team’s workflow. It is one of the first things we configure when we take over IT for a covered firm.

Encryption, Monitoring, and Incident Response

Encryption under the Safeguards Rule means covering two scenarios. Data in transit — anything moving across a network or the internet — must be encrypted, including email, file transfers, and remote access sessions. Data at rest — anything sitting on a hard drive, server, or in cloud storage — must also be encrypted.

For a small firm, that translates to: full-disk encryption turned on for every business computer and laptop, cloud services configured to encrypt stored files by default, email sent over secure encrypted connections, and backups that are encrypted before they leave the building or go to a cloud provider.

Monitoring means having a mechanism to detect unusual activity — repeated failed logins, file access outside normal hours, large data exports that do not match typical patterns. This is difficult to maintain reliably without dedicated tooling and someone watching the results, which is one of the core reasons small firms use a managed IT provider rather than trying to handle it themselves.

The incident response plan is a document you write before anything goes wrong. It answers: who in our firm is responsible for declaring an incident, what systems get isolated first, who are we legally required to notify, and how fast must we act? For firms covered by the Safeguards Rule, the FTC expects this plan to exist, to be tested, and to be updated as your business changes. Our post on what to do after a data breach is a useful starting point, but the rule requires you to formalize it before an event — not improvise through one.

Vendor Management and Employee Training

The Safeguards Rule extends to your vendors. If you use a cloud accounting platform, a payroll provider, a document storage service, or any other third party that handles client financial data on your behalf, you need a written service provider agreement that covers how they protect that data. Clicking through a standard terms of service is not sufficient. You are expected to select vendors with appropriate safeguards and to document your due diligence.

Employee training is the other ongoing obligation. Your staff are both your strongest security asset and your highest-risk entry point. The rule requires periodic security awareness training, which means your team understands how to spot phishing attempts, how to handle client information appropriately, and exactly who to contact if something seems wrong.

Phishing emails are the most common entry point for small business breaches, and training staff to recognize them is one of the highest-return security investments a small firm can make. It also directly supports your Safeguards Rule documentation — a training log shows regulators you are taking the requirement seriously.

How Managed IT Supports a Safeguards Rule Program

A compliant information security program is not a one-time project. It requires ongoing work — monthly patching, annual risk assessments, regular training, continuous monitoring, vendor reviews, and updates whenever your business changes significantly. For most small firms in South Orange County, this is exactly the type of work that falls through the cracks because no single person owns it and the day job always takes priority.

Our managed IT services cover the technical layer of a Safeguards Rule program: user access controls, MFA deployment, disk encryption, patch management, log monitoring, and incident response planning — all documented in a way that creates a defensible paper trail. We work with accounting, insurance, and financial services practices across Laguna Niguel, Mission Viejo, Irvine, Laguna Hills, and the surrounding cities.

If you want a straight look at where your firm currently stands relative to the Safeguards Rule, reach out through our contact page. We will tell you what we see without the jargon or a sales pitch attached.

This post covers IT practices relevant to the FTC Safeguards Rule and is intended as general guidance. It is not legal advice. For formal compliance assessments, consult a qualified attorney or compliance professional familiar with GLBA requirements.

Need a hand with this?

Coastal Growth Co. is your local IT department in South Orange County. Need help, or just have a question? Reach out, no pressure.

Let's talk arrow_forward
// Reach out

Let'stakeIToffyourplate.

Tell us what's going on: a recurring headache, a project, or just a hunch that your setup needs a second look. We'll reply by email, text, or a quick call and set up your free assessment.

This is a conversation, not a sales pitch. If you decide we're not the right fit, we won't push it. No chasing, no follow-up sequences, no pressure to close. We'll take no for an answer.

No spam. We reply within one business day, by email, text, or call.

Or skip the form and reach us directly

Call or text · email replies in <1 business day

call Call sms Text bolt Quote