The Graham Leach Bliley Safeguards Rule, as written by the FTC, requires that all financial services institutions have written policies and procedures for protecting personal financial information.  The Safeguards Rule policies must:

  • Designate one or more employees to coordinate the company’s information security program;
  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards and oversee their handling of customer information; and
  • Evaluate and adjust the program in light of relevant circumstances including changes in the firm’s business or operations, or the results of security testing and monitoring.


The Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services.