The amended FTC Safeguards Rule (16 CFR Part 314) has been in force since June 9, 2023. Three years in, FTC enforcement is picking up — specifically against tax-prep firms, mortgage brokers, auto dealers, accountants, insurance agencies, and any other "financial institution" under the broad Gramm-Leach-Bliley Act definition that collects customer financial information. Most North Central Florida firms we audit are partially compliant — they have MFA and encryption, but they are missing the Qualified Individual designation, the annual board report, or the continuous-monitoring requirement. Each of those gaps is a finding in an FTC enforcement action. This post is the 9-element implementation in plain English.
$100K: per-violation FTC Safeguards penalty
9: required program elements (16 CFR 314.4)
30 days: breach-notification window to the FTC (314.4(j))
5,000+: Florida firms newly in scope after the 2023 amendment
Who Is Actually Covered
The FTC Safeguards Rule applies to any "financial institution" under the GLB Act definition that is not regulated by a federal banking agency. That includes: CPA firms preparing tax returns, mortgage brokers, auto dealers offering financing, retail installment lenders, debt collectors, payday lenders, check cashers, financial planners, investment advisors below $100M AUM, insurance agencies, title insurance companies, and even some property managers handling tenant escrow. If your firm collects customer financial information and is not directly regulated by the Fed, OCC, FDIC, or state banking authority, you are almost certainly in scope.
The 9 Required Program Elements
01. Designate a Qualified Individual
One named person responsible for the information security program. Can be an employee, an officer, or an outsourced service provider (your MSP can hold this role). The person must have the authority and qualifications to oversee the program. Cite this in the written program — not just "Steve handles IT".
02. Conduct a written risk assessment
Identify reasonably foreseeable internal and external risks to customer information. Score them by likelihood and impact. Update at least annually and whenever there is a material change. Most enforcement actions cite a missing or stale risk assessment as the foundational failure.
03. Implement safeguards based on the risk assessment
Access controls limiting data to those who need it, multi-factor authentication for anyone accessing a system that touches customer information, encryption of customer information in transit and at rest, application security review and secure-development practices for in-house apps, change-management procedures, and periodic review of access rights.
04. Train your staff
Security awareness training at hire and at least annually for every employee. Phishing simulation is best practice but not explicitly required. Training records by employee with completion dates — auditors WILL ask to see this.
05. Oversee your service providers
Written vendor inventory of every service provider with access to customer information. Due-diligence review at onboarding. Contracts must require the provider to implement appropriate safeguards. Periodically reassess. The vendor list IS the document the FTC will ask for first.
06. Keep your program current
Update the information security program based on the results of testing, material changes to operations, new threats, or changes in regulatory guidance. Document each update with date and reason.
07. Develop and implement an incident response plan
Written plan defining roles, internal escalation, external communications (customers, law enforcement, regulators), evidence preservation, and post-incident review. The plan must be dated and signed off — not just a Google Doc in the IT person's drive.
08. Annual written report to the board (or senior officer)
Yearly report covering the status of the program, risk assessment results, testing results, security events, recommendations for material changes, and incident response and recovery activity. For firms without a board, the report goes to the senior governing officer. This is the single most commonly missed element.
09. Continuous monitoring OR annual penetration test + vulnerability scans every six months
EITHER deploy continuous monitoring (EDR, SIEM, log analysis) that detects unauthorized access in real time, OR conduct an annual penetration test by an external firm PLUS vulnerability assessments at least every six months. Most small firms choose continuous monitoring via their MSP since the pen-test-plus-scan path is more expensive at the scale of a small business.
The Breach-Notification Add-On (Effective May 2024)
16 CFR 314.4(j), added by FTC in late 2023 with a May 13, 2024 effective date, requires covered firms to notify the FTC within 30 days of discovering a security event affecting 500 or more consumers' unencrypted customer information. The notification is filed via the FTC's online form and triggers public disclosure on the FTC's website — meaning a breach is no longer a private matter. Coordinate this notification with your cyber-insurance breach coach and counsel before filing.
// The Three Most-Missed Elements
In every FTC Safeguards audit we have walked Florida CPA, insurance, and tax-prep firms through, three elements are missing more often than the others: the Qualified Individual designation (element 1), the annual board report (element 8), and continuous monitoring / pen-test cadence (element 9). The technical controls usually exist — the formal program documentation usually does not. Audit-prep is mostly a documentation exercise.
The 90-Day Implementation Sprint
For a firm starting from partial compliance, a clean 90-day sprint covers all 9 elements:
Days 1-15: Designate the Qualified Individual, conduct the written risk assessment, build the vendor inventory
Days 15-45: Deploy missing technical controls (MFA gaps, encryption verification, access control review), refresh staff training
Days 45-60: Document the incident response plan, schedule the first tabletop, formalize the continuous monitoring path
Days 60-75: Vendor due-diligence review and updated BAAs / Safeguards-aligned vendor contracts
Days 75-90: Assemble the annual report, present to the board (or senior officer), file the board sign-off acknowledgment, calendar next year's update
"FTC enforcement is no longer hypothetical. Document the program, sign the board report, and keep the vendor inventory current — that paperwork is what protects the firm."
Steve Condit, Simply IT
How Simply IT Acts as the Qualified Individual
For CPA, insurance, mortgage, tax-prep, and similar covered firms in North Central Florida, Simply IT can serve as the Qualified Individual under 16 CFR 314.4(a) — an option explicitly permitted under the Rule. We handle the written program, the annual risk assessment, the staff training, the vendor inventory, the continuous monitoring, the incident response plan, and the annual written report to your senior officer. You keep the responsibility for accepting the report and approving changes — we do the operational work and provide the documentation an FTC examiner will recognize as a mature program.
// Key Takeaway
Most North Central Florida firms covered by the FTC Safeguards Rule already have most of the technical controls. The gaps are formal: a named Qualified Individual, a current written risk assessment, the annual board report, and the documented continuous-monitoring path. Close those four documentation gaps and the program goes from “mostly there” to defensible.