Protecting Customers' Personal Information: The Safeguards Rule

Many companies collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. The definition of “financial institution” under the Act is broad, and includes many businesses that may not normally describe themselves that way.

As part of its implementation of the GLB Act, the FTC issued the Safeguards Rule, which requires financial institutions to have measures in place to keep customer information secure.

You'll find advice about how to protect sensitive information in your care in the FTC brochure Protecting Personal Information: A Guide for Business.

Who must comply with the Safeguards Rule?

The Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. These include, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, real estate appraisers, and professional tax preparers. The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.

How do companies comply with the Safeguards Rule?

The Safeguards Rule requires each financial institution to develop a written information security plan to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
