The FTC recently published detailed compliance guidance for its revised Safeguards Rule, focusing on the characteristics of a reasonable information security program as required by the Rule. The Safeguards Rule sets forth the federal requirements for an information security program for “financial institutions” subject to the FTC’s jurisdiction with respect to the relevant provisions of the Gramm-Leach-Bliley Act. WBK previously covered the FTC’s late 2021 revision of the Rule, as well as the proposal leading to that revision.
The FTC’s guidance explains the elements (listed in Section 314.4 of the Safeguards Rule) that a company’s information security program must incorporate, and provides a glossary of key terms. This guidance is intended to serve as the small entity compliance guide with respect to the Safeguards Rule.