TL;DR: FTC Section 5 civil penalties reached $51,744 per violation per day in 2026, and Safeguards Rule enforcement is active against small financial institutions that never wrote a formal information security program. The small business "exemption" is misunderstood — even businesses with fewer than 5,000 customer records must still have a written program; they are exempted only from the formal risk assessment, annual board report, and written incident response plan requirements. Since June 2024, any breach involving 500 or more customers must be reported to the FTC within 30 days, and the notification becomes public. NC tax preparers, auto dealers, mortgage brokers, accountants, and financial advisors are directly in scope.
Key takeaway: The FTC's 2026 enforcement pattern targets one specific failure - the missing written information security program. That single deliverable, required since 2003, is the difference between routine oversight and a public consent order with recurring fines. It is also achievable in 30-60 days with the right MSP.
Does your NC financial business have a current written information security program? Contact Preferred Data Corporation for a Safeguards Rule readiness assessment. BBB A+ rated, serving NC since 1987. Call (336) 886-3282.
What Is the FTC Safeguards Rule in 2026?
The FTC Safeguards Rule requires every non-bank financial institution under FTC jurisdiction to develop, implement, and maintain a written information security program that protects customer information. The rule implements the Gramm-Leach-Bliley Act (GLBA) and applies to a much wider set of businesses than the name suggests. Tax preparers, auto dealers offering financing, mortgage brokers, personal financial planners, non-bank lenders, real estate settlement agents, collection agencies, career counseling services, and courier services for financial firms are all covered.
The Rule was substantially strengthened in 2023 and 2024, adding nine specific safeguards including access controls, encryption, MFA, penetration testing, incident response plans, and vendor oversight. The May 2024 amendment added a 30-day breach notification requirement for breaches involving 500 or more customer records — a notification that becomes public on the FTC's website.
For NC SMBs, the population of covered businesses is large. The Piedmont Triad alone hosts hundreds of tax preparation offices, dozens of independent auto dealers with in-house financing, and multiple regional mortgage brokerages. Every one of them is covered.
| Rule Element | Fewer than 5,000 records | 5,000+ records |
|---|---|---|
| Written information security program | Required | Required |
| Designated Qualified Individual | Required | Required |
| Access controls | Required | Required |
| MFA (or approved equivalent) | Required | Required |
| Encryption of customer info | Required | Required |
| Vendor oversight | Required | Required |
| Formal written risk assessment | Exempt | Required |
| Annual report to board / senior officer | Exempt | Required |
| Written incident response plan | Exempt | Required (formal) |
| Continuous monitoring or annual pen-test + biannual vuln scan | Exempt | Required |
| 30-day FTC breach notification (500+ records) | Applies | Applies |
| Section 5 civil penalty exposure | Applies ($51,744/day) | Applies ($51,744/day) |
How Does $51,744 Per Day Become a Real Financial Threat?
FTC Section 5 civil penalties are indexed to inflation and adjusted annually. The 2026 maximum reached $51,744 per violation per day. In practice, the FTC treats each covered customer whose information was affected as a potential separate violation and each day the noncompliance persisted as a separate day. Even a small enforcement action can compound quickly.
Illustrative math for a small NC tax preparer:
- 800 covered customers.
- Two months (60 days) of documented noncompliance with the Safeguards Rule (typical timeline from FTC investigation to consent).
- Maximum theoretical exposure: $51,744 × 60 × [multiple violations] — routinely in the millions before consent-order reductions.
Actual settlements are typically negotiated down significantly, but public consent orders still carry six-figure penalties, a 20-year compliance monitoring requirement, and executive-officer certifications. The reputational impact of a public FTC consent order for a tax preparer or mortgage broker is severe.
Key takeaway: The FTC pattern is not about maximum penalties; it is about certain penalties. Every 2024-2026 enforcement action started with the same finding: the covered business did not have a written information security program. That is the finding you can eliminate with a 30-60 day project.
What Are the Nine Safeguards Every NC SMB Must Implement?
The nine specific safeguards from 16 CFR 314.4 apply to every covered SMB, regardless of the small-business exemption on formal documentation. Each safeguard has a technical implementation and a documentation deliverable.
The nine safeguards:
- Designate a Qualified Individual to oversee the program. Can be a full-time employee, a contractor, or an outsourced MSP-provided vCISO.
- Base the program on a risk assessment. For 5,000+ record firms, this must be written and periodic. For sub-5,000 firms, the risk assessment can be informal but must still inform the program.
- Design and implement safeguards to control identified risks, including access controls (least privilege), inventory of customer information, encryption of customer information in transit and at rest, secure development for internally-built apps, MFA for anyone accessing customer info, secure disposal of customer info, change management, and monitoring / logging of authorized user activity.
- Regularly test and monitor the effectiveness of safeguards. For 5,000+ record firms, this means either continuous monitoring or annual penetration testing plus biannual vulnerability scans.
- Train personnel to enable them to enforce the program.
- Oversee service providers through due diligence and contract requirements.
- Evaluate and adjust the program based on changes in risk.
- Establish a written incident response plan (formal for 5,000+; sub-5,000 firms are exempt from the formal plan requirement but should still have one).
- Report to the board or senior officer annually (5,000+ only).
For a Greensboro accounting firm or a Charlotte auto dealer, the technical work maps naturally onto standard MSP deliverables: MFA rollout, encryption at rest on file servers and cloud, EDR / MDR on every endpoint, quarterly patch reporting, vendor questionnaires, and quarterly IR tabletop.
How Does the 30-Day Breach Notification Change SMB Incident Response?
Since May 13, 2024, any Safeguards-covered institution must notify the FTC within 30 days of discovering a security event involving the unencrypted customer information of 500 or more consumers. The notification is filed via the FTC's Notification Portal and becomes public on the FTC's website within days.
Practical implications:
- Speed of investigation matters more. A 45-day forensics engagement is now a compliance failure. Retained incident response with a defined 24-hour engagement start is standard.
- Definition of "discovery" matters. The clock starts when the institution becomes aware, or should reasonably have become aware, of the event. Delayed notification because leadership was informed late is not a defense.
- State AG notification does not substitute for FTC notification. Both must happen.
- Encryption is a get-out-of-notification card. If the exposed data was encrypted and the decryption key was not also compromised, the notification obligation is materially reduced.
For NC SMBs, the practical consequence is that encryption at rest for every system holding customer information is no longer optional. It is the difference between quiet remediation and a public FTC notice.
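The notification logic described above (the 30-day clock starting at discovery, the 500-consumer threshold, and encryption narrowing what counts) is easy to get wrong in the middle of an incident. The following is an added example, not code from Preferred Data or from the FTC, that encodes those rules so an incident lead can check the deadline against a constructed list of affected records. It assumes each record carries a flag for whether the data was encrypted at rest and whether the decryption key was also compromised; treating "encrypted but key compromised" as equivalent to unencrypted is an assumption drawn from the section's description, not a quotation of the rule text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Thresholds as stated in the section above.
NOTIFICATION_THRESHOLD = 500   # consumers whose unencrypted info was involved
NOTIFICATION_WINDOW_DAYS = 30  # days from discovery to FTC notification


@dataclass(frozen=True)
class AffectedRecord:
    consumer_id: str
    encrypted_at_rest: bool
    key_compromised: bool = False  # assumption: stolen key makes ciphertext count as plaintext

    @property
    def counts_toward_threshold(self) -> bool:
        # Encrypted data whose key stayed safe is outside the 500-consumer count;
        # plaintext, or ciphertext plus a compromised key, is in scope.
        return (not self.encrypted_at_rest) or self.key_compromised


@dataclass(frozen=True)
class NotificationAssessment:
    discovery_date: date
    in_scope_consumers: int
    notification_required: bool
    deadline: Optional[date]
    days_remaining: Optional[int]


def discovery_date(first_indicator: date, leadership_informed: date) -> date:
    # The clock starts when the institution knew or should reasonably have known,
    # so the earlier of the first technical indicator (e.g. an EDR alert) and the
    # date leadership was briefed is the discovery date, never the later one.
    return min(first_indicator, leadership_informed)


def assess(records: Iterable[AffectedRecord], first_indicator: date,
           leadership_informed: date, today: date) -> NotificationAssessment:
    discovered = discovery_date(first_indicator, leadership_informed)
    # Count distinct consumers, so several records for one person count once.
    in_scope = {r.consumer_id for r in records if r.counts_toward_threshold}
    required = len(in_scope) >= NOTIFICATION_THRESHOLD
    deadline = discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS) if required else None
    remaining = (deadline - today).days if deadline is not None else None
    return NotificationAssessment(discovered, len(in_scope), required, deadline, remaining)


def build_sample_records(plaintext: int, encrypted: int,
                         key_compromised: bool) -> List[AffectedRecord]:
    # Constructed sample data: a file share of plaintext client files plus an
    # encrypted archive; consumer ids are synthetic and do not overlap.
    recs = [AffectedRecord(f"pt-{i}", encrypted_at_rest=False) for i in range(plaintext)]
    recs += [AffectedRecord(f"enc-{i}", encrypted_at_rest=True, key_compromised=key_compromised)
             for i in range(encrypted)]
    return recs


if __name__ == "__main__":
    # Constructed scenario: alert fired March 2, leadership told March 9, checked March 20.
    first_alert, briefed, now = date(2026, 3, 2), date(2026, 3, 9), date(2026, 3, 20)
    safe_key = assess(build_sample_records(450, 150, key_compromised=False), first_alert, briefed, now)
    stolen_key = assess(build_sample_records(450, 150, key_compromised=True), first_alert, briefed, now)
    for label, result in (("key safe", safe_key), ("key compromised", stolen_key)):
        print(f"{label}: {result.in_scope_consumers} consumers in scope, "
              f"required={result.notification_required}, deadline={result.deadline}, "
              f"days remaining={result.days_remaining}")
```

Run as-is, the first scenario stays under the threshold (450 consumers in scope) because the encrypted archive with an intact key is excluded, while the second crosses it (600) and the deadline is computed from the March 2 alert, not the March 9 briefing, leaving 12 days. The same function works for any record set as long as the encryption and key status of each record has been established by the forensics engagement.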
Need incident response and 30-day compliance readiness? Call Preferred Data Corporation at (336) 886-3282 or schedule a consultation.
What Does a 90-Day Path to Compliance Look Like?
Ninety days is realistic for an SMB working with an experienced MSP. The critical path runs written program first, then technical controls, then testing.
Days 1-30: Foundation.
- Designate the Qualified Individual (internal or vCISO).
- Draft the written information security program.
- Complete the initial risk assessment (formal or informal per size).
- Inventory customer information (locations, systems, backups, vendors).
Days 31-60: Technical controls.
- Deploy MFA on every account touching customer info.
- Enable encryption at rest on file servers, endpoints, and cloud storage.
- Roll out EDR / MDR to every endpoint.
- Implement least-privilege access controls.
- Document vendor list and initiate due-diligence questionnaires.
Days 61-90: Testing and closeout.
- Complete initial penetration test or vulnerability scan.
- Conduct tabletop exercise of incident response plan.
- Train all personnel with role-specific content.
- Deliver first annual report to board / senior officer (if 5,000+).
Ongoing:
- Quarterly vulnerability scans (or continuous monitoring).
- Annual pen test (5,000+).
- Annual board report (5,000+).
- Quarterly IR tabletop.
- Vendor re-attestation on renewal.
How Does Preferred Data Help NC SMBs Achieve Safeguards Compliance?
Preferred Data Corporation delivers a full Safeguards Rule compliance stack for NC tax preparers, auto dealers, mortgage brokers, accountants, financial advisors, and other covered SMBs. Our approach combines vCISO services (Qualified Individual role coverage), MSP-delivered technical controls (MFA, encryption, EDR / MDR), managed backup, and 24/7 SOC monitoring for continuous-monitoring compliance.
With 37+ years serving North Carolina businesses, an average client retention of 20+ years, and on-site response within 200 miles of High Point, we deliver Safeguards compliance as an ongoing service, not a one-time consulting project.
For SMBs across the Piedmont Triad, Charlotte, and Raleigh, we translate the FTC's requirements into an operational program that stands up to enforcement scrutiny.
Frequently Asked Questions
Am I covered by the FTC Safeguards Rule?
If your business is a non-bank financial institution — including tax preparers, auto dealers with in-house financing, mortgage brokers, personal financial planners, non-bank lenders, real estate settlement agents, collection agencies, and couriers for financial firms — you are almost certainly covered. Ask your compliance counsel or your MSP for a covered-entity determination.
What is the actual cost of a written information security program?
For a small NC financial services firm, the initial written program plus 90-day technical implementation typically runs $15,000-$50,000. Ongoing compliance services (vCISO, monitoring, testing) typically run $2,500-$10,000 per month depending on size. Compare to the $51,744-per-day potential exposure.
What if I use QuickBooks Online, TurboTax, or another cloud tool?
Cloud tools do not shift your compliance obligation. You must document the vendor in your vendor list, obtain a SOC 2 report or equivalent attestation, and confirm the tool's technical controls meet the Safeguards Rule requirements. Vendor oversight is one of the nine explicit safeguards.
Does my cyber insurance cover FTC penalties?
Generally no. Most policies expressly exclude civil regulatory fines. Insurance may cover response costs, breach notification, and legal defense. Read the policy language and confirm with your broker.
How does the FTC know if I have a written program?
Enforcement is typically triggered by a data breach, a customer complaint, or a whistleblower. Once triggered, the FTC's civil investigative demand requires production of the program, risk assessment, and other artifacts. There is no way to produce documents that do not exist.
Can Preferred Data serve as our Qualified Individual?
Yes. Our vCISO services fulfill the Qualified Individual requirement for many NC covered SMBs. This includes program governance, annual board reporting (for 5,000+ firms), risk assessment oversight, and coordination with in-house staff and other vendors. Call (336) 886-3282.