
The FTC Safeguards Rule: What Small Business Owners Need to Know

If you run a small business that handles customer financial information — like a tax prep firm, mortgage brokerage, or auto dealership — there’s a federal rule you need to know about. It’s called the FTC Safeguards Rule, and it requires you to have a written plan for protecting your customers’ data.

I know what you’re thinking: “Another regulation? I’m already doing everything I can.” And I believe you. You lock your doors. You use passwords. You’re careful. But here’s the thing — the FTC wants to see that you have a documented plan for data security. Not just good habits. An actual written program.

Let me walk you through what this rule is, who it applies to, and why it matters — without the legal jargon.

What Is the FTC Safeguards Rule?

The FTC Safeguards Rule is a federal regulation that says: if your business handles people’s financial information, you need to protect it. And you need to prove you’re protecting it by having a Written Information Security Program — or WISP for short.

Think of a WISP like a fire escape plan. You hope you never need it, but if something goes wrong, everyone knows exactly what to do. Your WISP is the same thing — except instead of fires, it’s data breaches.

The rule was first created back in 2003, but the FTC updated it significantly in 2021 and 2023 to keep up with modern threats like phishing, ransomware, and cloud security risks. As of May 2024, there’s also a new requirement: if you have a data breach affecting 500 or more customers, you must report it to the FTC within 30 days.

Who Does This Apply To?

Here’s the tricky part: the FTC defines “financial institution” much more broadly than you might think. It’s not just banks. If your business does any of the following, the rule probably applies to you:

  • Prepare tax returns
  • Offer loans or mortgages
  • Sell cars (yes, auto dealerships count)
  • Collect debts
  • Provide credit counseling or financial advice
  • Cash checks or transfer money
  • Handle investment accounts (if you’re not registered with the SEC)

If you handle Social Security numbers, bank account info, credit reports, or income records — you’re almost certainly covered.

What About Small Businesses?

A lot of small business owners assume they’re exempt because they’re “too small.” Unfortunately, that’s not quite how it works.

If you have information on fewer than 5,000 consumers (note: that’s not the same as current customers — it includes past clients and even people who applied but were denied), you get some relief from the rule’s more complex requirements. For example, you don’t need to do formal annual penetration testing or write a super-detailed incident response plan.

But here’s what you still need, even as a small business: a written plan that shows what data you have, what threats you face, and how you’re protecting against them. You still need to use multi-factor authentication. You still need to train your staff. And you still need to report breaches.

Why Should You Care?

Three reasons:

  1. It’s the law. The FTC can fine you up to $100,000 per violation. Individual owners can be fined up to $10,000 personally. And if you’re found to be willfully ignoring the rule, those fines can stack up fast.
  2. It protects your reputation. In industries like tax prep or mortgage lending, trust is everything. One data breach can destroy years of goodwill overnight. Your clients’ Social Security numbers, bank accounts, and tax returns are only as safe as your weakest security link.
  3. It actually works. A good security plan isn’t just paperwork. It genuinely protects you from the most common threats small businesses face — phishing, stolen passwords, vendor breaches, and employee mistakes.


What Goes in a WISP?

Your WISP doesn’t need to be 50 pages long. For a small business, it might be just 5-10 pages. But it needs to cover these basics:

Someone in charge. Designate one person (probably you, if you’re a small operation) who’s responsible for your security program. The FTC calls this person the “Qualified Individual.”

A risk assessment. Write down what data you have, where it lives (your computer, the cloud, filing cabinets), and what could go wrong. This doesn’t need to be fancy. Just honest.

Access controls. Make sure only the people who actually need access to customer data can get to it. Your front desk person probably doesn’t need access to tax files, for example.

Multi-factor authentication (MFA). This is non-negotiable now. MFA means that even if someone steals a password, they still can’t get into your systems. Most software platforms already support it — you just need to turn it on.

A plan for breaches. If something does go wrong — a laptop gets stolen, an employee clicks a phishing link — what do you do? Who do you call? How do you notify customers? Write it down now, before you’re in crisis mode.

Employee training. Your team needs to know the basics: how to spot phishing emails, why they can’t share passwords, and what counts as sensitive data. A quick 20-minute training session once a year — documented — goes a long way.

What Happens If You Skip This?

Let me give you a real-world example — names changed, but this scenario plays out all the time.

Meet Joy

Joy runs a small tax prep firm in Southern California. Four employees, about 800 clients, solid reputation. She’s heard of the FTC Safeguards Rule but figured it was “for the big guys.” She doesn’t have a written security plan. She doesn’t have multi-factor authentication turned on. Her part-time bookkeeper has the same access to client files as Joy does.

Then one Tuesday in March, it happens.

A phishing email lands in the bookkeeper’s inbox. It looks like it’s from their cloud storage provider. The bookkeeper clicks and enters their password. Within hours, hackers have access to over 600 clients’ data — Social Security numbers, bank accounts, income records, everything.

Here’s what the next 90 days look like:

Days 1-30: Joy has 30 days to notify the FTC and every affected client. But she has no plan. No process. No idea who’s supposed to do what. She’s scrambling to figure out the scope while hiring a lawyer and trying to keep her business running.

Days 31-60: Clients are furious. Some have already seen fraudulent charges. Three file complaints with the FTC. A local news outlet picks up the story. Joy’s Google reviews tank.

Days 61-90: The FTC opens an investigation. Joy learns she was out of compliance on multiple fronts. Fines start adding up. Two clients hire attorneys. Her business insurance doesn’t cover what she thought it would. And some of her longtime clients quietly move their business elsewhere.

Here’s the thing: all of this could have been avoided. A basic WISP — appropriate for Joy’s size — would have included multi-factor authentication, simple access controls, and a breach response plan. For a firm her size, that’s not a massive lift. It’s manageable. And it would have changed everything.

Where Do You Start?

The biggest mistake small businesses make is thinking their WISP needs to look like what a big bank would have. It doesn’t. The FTC explicitly says your program should be “appropriate to the size and complexity of your business.”

A solo tax preparer needs a different WISP than a regional mortgage company. And that’s okay. The key is making sure yours actually fits your business — not too big, not too small, just right.

If you’re not sure where to begin, that’s what we do. We build right-sized WISPs for small financial service providers — from solo practitioners to mid-size firms. No enterprise bloat. No cookie-cutter templates. Just a plan that fits your actual business and keeps you compliant.

Ready to Get Compliant?

Let us help you build a WISP that protects your business, checks the compliance box, and doesn’t keep you up at night.

Request your free consultation today.


———

Want to Learn More?

FTC Safeguards Rule Overview:  ftc.gov/business-guidance/resources/ftc-safeguards-rule-what-your-business-needs-know

Full Rule Text:  ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314


RebootTwice LLC  |  FTC Safeguards Rule Compliance Specialists

