FTC Safeguards Rule Enforcement: What Texas Financial Firms Need Now

Infonaligy

The FTC is enforcing the Safeguards Rule with fines up to $51,744 per day. Here's what Texas auto dealers, financial firms, and tax preparers need now.

The FTC’s revised Safeguards Rule is no longer a compliance exercise you can delay. The agency issued multiple enforcement actions in 2025 and has publicly stated that company size will not be a factor in enforcement decisions. Penalties reach $51,744 per violation per day, and consent orders require businesses to overhaul their security programs under FTC oversight for up to 20 years.

If your business handles customer financial information, whether you’re an auto dealership in Fort Worth, a CPA firm in Dallas, or a mortgage broker in Houston, you are subject to this rule. Here’s what you need to have in place right now.

Who the Safeguards Rule Covers

The FTC Safeguards Rule applies to “financial institutions,” but that term is far broader than most business owners realize. Under the FTC’s definition, a financial institution is any company “significantly engaged in financial activities.” That includes:

  • Auto dealerships that offer financing, leasing, or extended warranties
  • Tax preparation firms and CPAs who handle client financial records
  • Mortgage brokers and lenders
  • Insurance agencies (non-federally regulated)
  • Payday lenders and finance companies
  • Real estate settlement services and title companies
  • Collection agencies
  • Financial advisors and investment firms not regulated by the SEC

The common thread is handling customer financial information. If your customers share Social Security numbers, bank account details, credit reports, or tax records with your business, the Safeguards Rule almost certainly applies to you.

Many auto dealers and tax preparers in Texas still assume the rule targets banks and large financial institutions. That assumption is incorrect, and the FTC’s enforcement actions have made this clear. In 2024 and 2025, the FTC brought enforcement actions against auto dealer groups specifically for Safeguards Rule violations, resulting in consent orders that require comprehensive security overhauls and decades of FTC monitoring.

What the Rule Requires

The revised Safeguards Rule, finalized in 2023, replaced many of the original rule’s flexible standards with specific, prescriptive requirements. There are nine core elements that every covered business must implement:

1. Designate a Qualified Individual. Someone must be accountable for your information security program. This can be an employee or an outside provider, but the responsibility must be formally assigned and documented.

2. Conduct a written risk assessment. You must identify reasonably foreseeable risks to customer information and document how your security controls address each one. Generic template assessments don’t satisfy this requirement. The assessment must reflect your actual systems, data flows, and threats. A cybersecurity risk assessment is the foundation of Safeguards Rule compliance.

3. Implement access controls. Limit who can access customer financial information to only those employees who need it for their job functions. Review access privileges periodically and revoke access when employees change roles or leave.

4. Encrypt customer information. All customer financial data must be encrypted both at rest (on servers, workstations, and devices) and in transit (over networks and email). The FTC has specifically cited failure to encrypt as a basis for enforcement actions.

5. Require multi-factor authentication. MFA is mandatory for anyone accessing systems that contain customer information. A username and password alone are no longer sufficient. If your staff accesses customer records, your CRM, or your financial systems without a second authentication factor, that’s a violation. Our guide to common Microsoft 365 security gaps covers how to enable MFA properly across your organization.

6. Maintain an asset inventory. Document all systems, devices, platforms, and applications that store, process, or transmit customer information. Keep this inventory current.

7. Monitor and log activity. Implement logging and monitoring on systems that handle customer data. You need the ability to detect unauthorized access or anomalous activity.

8. Train your workforce. Security awareness training is required for all employees who handle customer information. Training must cover your specific policies and the threats relevant to your industry.

9. Develop an incident response plan. You must have a written plan that describes how your business will detect, respond to, and recover from security events. The plan must be tested periodically.
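Items 3, 5 and 7 above (access controls, MFA, and logging/monitoring) are easier to reason about with a concrete check in front of you. The script below is an added example, not code from Infonaligy or from the FTC; it assumes a hypothetical application that writes one JSON line per access to customer financial records (fields `ts`, `user`, `role`, `mfa`, `action`, `record_id`), an assumed role-based policy, and an assumed business-hours window. The log lines are constructed for the demonstration. It reviews the log and flags three things a Safeguards Rule auditor would ask about: access without a second factor, access by a role with no documented business need, and access outside normal working hours.

```python
"""Access-log review for systems holding customer financial records.

Added example (not Infonaligy's code or an FTC tool). It assumes a
hypothetical application that writes one JSON line per access to customer
records with the fields: ts, user, role, mfa, action, record_id.
The sample log lines below are constructed for this demonstration.
"""
import json
from datetime import datetime, time

# Assumed role-based access policy: which roles may perform which actions
# on customer financial records. An empty set means "no business need".
POLICY = {
    "finance_manager": {"view", "edit"},
    "sales": {"view"},
    "service_tech": set(),
}

# Assumed local working window; access outside it is flagged for review.
BUSINESS_HOURS = (time(7, 0), time(20, 0))

# Constructed sample log: five accesses, four of which should be flagged.
SAMPLE_LOG = """\
{"ts": "2025-03-03T09:12:44", "user": "ana", "role": "finance_manager", "mfa": true, "action": "view", "record_id": "C-1001"}
{"ts": "2025-03-03T09:13:02", "user": "ben", "role": "sales", "mfa": false, "action": "view", "record_id": "C-1002"}
{"ts": "2025-03-03T23:41:10", "user": "ana", "role": "finance_manager", "mfa": true, "action": "edit", "record_id": "C-1003"}
{"ts": "2025-03-03T10:05:17", "user": "carl", "role": "service_tech", "mfa": true, "action": "view", "record_id": "C-1004"}
{"ts": "2025-03-03T10:06:00", "user": "ben", "role": "sales", "mfa": true, "action": "edit", "record_id": "C-1005"}
"""


def parse_log(text):
    """Parse JSON-lines audit records; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        evt = json.loads(line)
        evt["ts"] = datetime.fromisoformat(evt["ts"])
        events.append(evt)
    return events


def review_event(evt, policy=POLICY, hours=BUSINESS_HOURS):
    """Return the list of findings for one access event (empty if clean)."""
    findings = []
    if not evt["mfa"]:                      # item 5: second factor required
        findings.append("no_mfa")
    allowed = policy.get(evt["role"], set())
    if evt["action"] not in allowed:        # item 3: least-privilege policy
        findings.append("unauthorized_action")
    t = evt["ts"].time()
    if not (hours[0] <= t <= hours[1]):     # item 7: anomalous activity
        findings.append("outside_business_hours")
    return findings


def review_log(text, policy=POLICY, hours=BUSINESS_HOURS):
    """Return (user, record_id, findings) for every event that needs review."""
    flagged = []
    for evt in parse_log(text):
        findings = review_event(evt, policy, hours)
        if findings:
            flagged.append((evt["user"], evt["record_id"], findings))
    return flagged


def summarize(flagged):
    """Count findings by type, the figure a periodic access review reports."""
    counts = {}
    for _, _, findings in flagged:
        for f in findings:
            counts[f] = counts.get(f, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = review_log(SAMPLE_LOG)
    for user, rec, findings in flagged:
        print(f"{user:6} {rec:7} {', '.join(findings)}")
    print(summarize(flagged))
```

Run as a script it lists the four flagged accesses and a count per finding type. The point is not the specific rules, which you would tune to your own roles and hours, but that each rule maps back to a named Safeguards Rule element and produces a written record: the policy table doubles as the documented access list for item 3, and the finding summary is the kind of evidence a periodic access review (and the monitoring requirement in item 7) expects you to keep.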

The Breach Notification Requirement

A new amendment to the Safeguards Rule, finalized in 2024, adds a mandatory breach notification obligation. If your business experiences a breach involving the information of 500 or more customers, you must notify the FTC within 30 days. That notification becomes part of the public record.

This is a significant change. Previously, the Safeguards Rule required you to protect customer data but didn’t mandate notification when protection failed. Now, the FTC will know about your breach, and so will anyone who checks the public notice.

The 30-day window is tighter than it sounds when you factor in the time needed to discover a breach, assess its scope, and confirm the number of affected individuals. Businesses without adequate monitoring and detection capabilities in place often take weeks or months just to identify that a breach occurred, leaving almost no time for the notification process.

For organizations also subject to HIPAA or other regulatory frameworks, the breach notification timelines stack. A single incident could require notification to the FTC, state regulators, your cyber insurance carrier, and affected individuals, each with different deadlines and information requirements.

Self-Assessment: Where Does Your Business Stand?

Use this checklist to evaluate your current compliance posture. If you answer “no” to any of these, you have a gap that needs attention.

  • [ ] You have designated a specific person (or outside firm) as your Qualified Individual for information security
  • [ ] You have conducted a written risk assessment within the past 12 months that addresses your actual environment
  • [ ] Customer financial data is encrypted on all devices and in all transmissions
  • [ ] MFA is enabled on every system that accesses customer information
  • [ ] You maintain a current inventory of all systems that store or process customer data
  • [ ] Access to customer information is limited to employees with a documented business need
  • [ ] Activity on systems containing customer data is logged and monitored
  • [ ] All employees who handle customer data receive security awareness training at least annually
  • [ ] You have a written, tested incident response plan
  • [ ] You have a process to notify the FTC within 30 days if a breach affects 500 or more customers

Most auto dealers, tax preparers, and financial services firms with 50 to 500 employees will find at least two or three gaps on this list. The most common deficiencies are missing or outdated risk assessments, lack of encryption on endpoint devices, and no formal incident response plan.

Why Most SMBs Need a Compliance Partner

The Safeguards Rule requires ongoing work, not a one-time project. Risk assessments must be updated. Access controls need periodic review. Monitoring must run continuously. Training needs annual refreshes. Incident response plans need testing.

For a 100-person auto dealership or a 60-person accounting firm, maintaining this program in-house means hiring dedicated security staff or pulling existing IT employees away from their core responsibilities. Most SMBs in this size range don’t have a full-time security team and can’t justify building one solely for Safeguards Rule compliance.

A managed IT and security provider can serve as your Qualified Individual, conduct your risk assessments, deploy and manage encryption and MFA, run continuous monitoring, and handle incident response. All of those responsibilities map directly to the Safeguards Rule’s requirements. The cost is typically a fraction of hiring equivalent in-house talent.

Infonaligy works with financial services firms across Texas to build and maintain security programs that satisfy the FTC Safeguards Rule. Our team handles the technical controls and documentation so that business owners can focus on operations instead of interpreting federal compliance requirements.

The FTC is not waiting for businesses to catch up. Enforcement actions are being filed now, penalties are accumulating, and consent orders are being issued. The businesses that act now avoid fines and two decades of mandatory FTC oversight. The ones that delay are gambling that the FTC won’t come looking, and that is not a bet worth taking.

Need Help With FTC Safeguards Rule Compliance?

Our team can help you assess your compliance posture, close security gaps, and build a program that satisfies the Safeguards Rule.