
What FTC Consent Orders Reveal About Safeguards Rule Enforcement

· Infonaligy

Recent FTC consent orders against Illuminate Education and Illusory Systems show what the FTC treats as unreasonable security, and those are the same gaps that put small businesses on the wrong side of the Safeguards Rule.


The FTC sent enforcement letters to small businesses in the first half of 2026 for failures under the Safeguards Rule. The targets weren’t banks or Fortune 500 companies. They were businesses with 25 to 250 employees that handle customer financial data and assumed partial compliance was enough.

Two recent consent orders, one against Illuminate Education and one against Illusory Systems (the company behind Nomad), show exactly what the FTC considers a violation. The findings weren’t exotic. They were the same basic security gaps that thousands of Texas auto dealerships, accounting firms, tax preparers, and mortgage companies have right now.

What the Illuminate Education and Nomad Cases Reveal

The FTC finalized consent orders against both Illuminate Education and Illusory Systems in the past year. Both companies handled sensitive financial and personal data. Both failed to implement what the FTC considers reasonable security.

The findings against Illuminate Education included failure to encrypt sensitive data in transit and at rest, no written information security program, inadequate access controls that allowed unauthorized employees to access student financial records, and no formal incident response plan. The company was ordered to implement a comprehensive security program under FTC oversight for 20 years.

The Illusory Systems case followed a similar pattern. The FTC found that the company failed to conduct risk assessments, didn’t implement basic access controls, stored sensitive data in clear text, and had no monitoring or logging to detect unauthorized access. The consent order requires 10 years of mandatory security reporting to the FTC.

These cases establish a clear precedent: the FTC treats cybersecurity failures as unfair business practices under Section 5 of the FTC Act, whether or not the company is a financial institution covered by the Safeguards Rule. For businesses that are covered, the same gaps are Rule violations as well. The agency doesn’t need a specific data breach to take action. If your security program has gaps that put customer data at risk, that alone can trigger enforcement.

What “Reasonable Security” Actually Means

The FTC has never published a single checklist that defines “reasonable security.” Instead, the agency defines the standard through enforcement. Each consent order adds to a growing body of precedent that shows what the FTC expects.

Based on recent enforcement actions and the FTC’s National Small Business Week 2026 guidance, reasonable security includes:

  • Multi-factor authentication on every system that handles customer financial data. Not just email. Not just VPN. Every system, including accounting software, CRM platforms, and document management tools. Partial MFA deployment is one of the most common findings in enforcement actions.
  • Written vendor security requirements. If a third-party vendor accesses your customer data, your contracts must include specific security obligations. A handshake and a verbal assurance don’t satisfy the standard.
  • A written, tested incident response plan. Having a plan document in a filing cabinet doesn’t count. The FTC expects businesses to test their plans through tabletop exercises or simulations and update them based on the results.
  • A designated Qualified Individual. Someone, whether internal or external, must be formally responsible for your information security program. The Safeguards Rule is explicit about this requirement, and the absence of a QI is a straightforward enforcement finding.

The FTC’s 2026 guidance also emphasizes that headcount doesn’t reduce obligations. A 30-person tax preparation firm has the same Safeguards Rule requirements as a national non-bank mortgage lender (banks themselves answer to their own regulators, not to the FTC rule). The one size-based carve-out in the Rule is keyed to customers, not employees: a financial institution that maintains customer information on fewer than 5,000 consumers is exempt from the written risk assessment, from continuous monitoring or annual penetration testing, from the written incident response plan, and from the annual written report to the board. Everything else, including the Qualified Individual, MFA, encryption, and service provider oversight, applies regardless of scale.

We covered the complete nine-element Safeguards Rule breakdown in a previous post. If you haven’t reviewed those requirements against your own environment, that’s the place to start.

The Four Gaps That Get Flagged First

Across the FTC’s enforcement record, four findings appear more consistently than any others. If your business handles customer financial data, these are the areas most likely to trigger an enforcement letter.

Partial MFA deployment. MFA is enabled for Office 365 or Gmail, but not for the practice management software, accounting platform, or CRM that actually stores customer financial records. The Rule requires MFA for any individual accessing any information system that holds customer information, and it allows only one exception: a reasonably equivalent or stronger access control that your Qualified Individual has approved in writing. If you haven’t documented such an approval, an unprotected system is a finding.

No vendor security requirements. Most SMBs sign vendor agreements without any language about data security. The Rule is specific about service providers: you must select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess them based on the risk they present. Your IT vendor, cloud storage provider, and payroll processor all need documented security requirements in their contract. If a vendor breach exposes your customer data and you had no contractual security requirements and no record of assessing the vendor, the FTC will hold your business accountable.

No written incident response plan. Many small businesses assume they’ll figure it out if a breach happens. The FTC requires a documented plan that identifies who does what, how affected customers get notified, and how the business coordinates with law enforcement and regulators. Since May 2024 the Rule also requires covered institutions to notify the FTC of any unauthorized acquisition of unencrypted customer information involving at least 500 consumers, as soon as possible and no later than 30 days after discovery, so the plan needs that clock built into it. The plan must be tested periodically and revised when a test or a real incident shows it doesn’t work, not just written and filed away.

No designated Qualified Individual. The Safeguards Rule requires that someone be formally accountable for the entire security program. In many SMBs, this responsibility falls to nobody in particular, or to an IT generalist who doesn’t have the training or authority to run a security program. The QI doesn’t have to be an employee. An external managed security provider can serve as your designated QI, which is often the most practical option for businesses with fewer than 200 employees. Outsourcing the role does not outsource the liability, though: the Rule requires a business that uses a service provider as its QI to retain responsibility for compliance, designate a senior employee to direct and oversee that QI, and require the provider to maintain an information security program of its own.

Texas Adds Another Compliance Layer with the TDPSA

If your business operates in Texas, you’re not just subject to the FTC Safeguards Rule. The Texas Data Privacy and Security Act (TDPSA), which took effect on July 1, 2024, creates obligations around data protection and consumer rights that can overlap with the Rule, and Texas’s separate breach notification statute adds its own deadlines.

The TDPSA applies to any person that conducts business in Texas or targets Texas residents, processes or sells personal data, and is not a small business under the SBA’s definition; unlike most state privacy laws it has no revenue or record-count threshold. It also carves out financial institutions and data subject to Title V of the Gramm-Leach-Bliley Act. That means a firm squarely covered by the Safeguards Rule may be exempt from the TDPSA at the entity level, while a business that handles Texas residents’ financial data without being a GLBA financial institution, or that holds non-GLBA personal data alongside it, is not. Check which side of that line you fall on before assuming the two regimes simply stack.

Where both apply, the practical impact is that you need to satisfy federal and state requirements simultaneously, and the work largely overlaps: the TDPSA requires reasonable administrative, technical, and physical data security practices and a data protection assessment before processing sensitive data, while the Safeguards Rule requires a written security program, access controls, risk assessments, and incident response capabilities. A gap in one is usually a gap in the other. Separately from the TDPSA, Texas’s breach notification law (Business and Commerce Code Chapter 521) applies to any business that holds Texans’ sensitive personal information, GLBA exemption or not, and requires notice to the Texas Attorney General within 30 days when a breach affects 250 or more Texas residents. Our TDPSA compliance checklist covers the state-specific requirements in detail.

The Texas Attorney General’s office has exclusive enforcement authority over the TDPSA and has signaled willingness to pursue violations. The statute gives a business written notice and a 30-day window to cure an alleged violation before the AG can sue, so a documented, working security program is also what lets you use that window. Combined with the FTC’s federal enforcement, Texas businesses handling financial data face regulatory pressure from two directions at once.

How a Managed Security Provider Closes These Gaps

Most businesses in the 50 to 500 employee range don’t have dedicated compliance staff or a full-time security team. Building one from scratch to satisfy the Safeguards Rule costs more than most SMBs can justify, and the rule’s requirements don’t wait for your next budget cycle.

A managed IT and security provider can fill the specific gaps the FTC targets. The Qualified Individual role maps directly to a virtual CISO or security program manager. Risk assessments, MFA deployment across all systems, vendor security reviews, continuous monitoring, and incident response planning are standard deliverables for a provider that works with regulated industries.

The difference between hiring internally and working with a provider isn’t just cost. An external provider brings documentation practices and audit experience that most individual hires won’t have. When the FTC asks for evidence of your security program, “we have a person who handles IT” isn’t sufficient. You need documented risk assessments, access control reviews, training records, and incident response test results. That documentation is what a compliance-focused IT provider maintains as a standard part of the engagement.

Need Help With FTC Safeguards Compliance?

Our team can serve as your designated Qualified Individual and close the gaps the FTC flags first.
