The FTC Safeguards Rule Amendments Become Effective May 13, 2024


Roseanne Harford


Exempt reporting advisers, state-registered advisers, and private funds will need to comply with amendments to the Federal Trade Commission’s (FTC's) Standards for Safeguarding Customer Information Rule, known as the “Safeguards Rule,” starting May 13, 2024.

Subject firms will need to report notification events to the FTC that involve 500 or more customers as soon as possible, and no later than 30 days after discovery.

The amended Safeguards Rule defines a notification event as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This definition is intended to reach beyond pure data breaches to cover any unauthorized disclosure of unencrypted data unless the firm can prove that there was no unauthorized access to the data.

Notice of notification events must be sent electronically through a form on the FTC's website. The notification must include:

  • The name and contact information of the reporting firm
  • A description of the types of information that were compromised
  • The date or date range of the notification event if it can be determined
  • The number of consumers affected by the notification event
  • A general description of the notification event
  • If applicable, whether any law enforcement official has provided the firm with a written determination that notifying the public would impede a criminal investigation or cause damage to national security and a means for the Federal Trade Commission to contact the law enforcement official.

The FTC intends to make the notices it receives public, although firms may request that public disclosure be delayed for law enforcement or national security purposes. For some state-regulated advisers, this may bring them within a carve-out from state disclosure requirements.

Safeguards Rule requirements

Exempt reporting advisers, state-registered advisers, and private funds are subject to the Safeguards Rule if they have customers who are individuals using their financial products or services for personal, family, or household purposes in the context of an ongoing customer relationship.

The Safeguards Rule requires firms to develop, implement, and maintain a comprehensive information security program that consists of administrative, technical, and physical safeguards to protect customer information when it is accessed, collected, distributed, processed, protected, stored, used, transmitted, disposed of, or otherwise handled. Firms with fewer than 5,000 customers, however, are exempt from several of the rule’s most burdensome provisions.

Our guidance

Firms should assess whether the amendments to the FTC Safeguards Rule are relevant to their business and update their policies and procedures to ensure compliance, as applicable.

How we help

The compliance environment has never been more complex or demanding. We can help you to navigate the evolving regulatory landscape while considering the complexity of your firm’s unique compliance requirements. ACA Signature can help.

With ACA Signature, you can choose the combination of compliance advisory, innovative technology, managed services, and cybersecurity to create a scalable solution that is right for your firm and gain expert insight, guidance, and support as you navigate emerging compliance and risk challenges.

Reach out to your ACA consultant, or contact us to find out how ACA Signature can help transform your firm’s compliance program. 
