The Federal Trade Commission’s (FTC) Safeguards Rule has undergone major updates, requiring non-banking financial institutions to implement comprehensive information security programs, including data disposal policies, vendor oversight, and mandatory breach-notification obligations. ITAD vendors now play a frontline role in ensuring secure end-of-life data destruction and compliance reporting for their clients.
key regulatory dates that give full context to the FTC Safeguards Rule timeline and its 2024–2025 updates:
Original Rule Adoption #
The Safeguards Rule was first implemented in 2003 under the Gramm-Leach-Bliley Act (GLBA), setting baseline security requirements for non-banking financial institutions.
Major Modernization #
The FTC issued sweeping amendments in October 2021, updating the rule to align with current cybersecurity standards and technology. Source: FTC
Compliance Deadline Extension #
The initial compliance deadline for most new requirements was December 9, 2022, but was extended to June 9, 2023, due to workforce and supply chain constraints.
Breach Notification Amendment Finalized #
The FTC published its final breach-notification amendment to the Safeguards Rule on December 3, 2023, with the new requirement—mandating reports to the FTC within 30 days of discovering an event affecting 500 or more consumers—taking effect on May 13, 2024. Source: FTC
Public Database Activation & Guidance #
The FTC confirmed that the breach-notification reporting requirement became fully effective on June 8, 2025, and issued implementation guidance on September 18, 2025.Source: FTC
Together, these changes have elevated the Safeguards Rule into a top compliance priority by mid‑2025, linking breach reporting, vendor oversight, and secure data disposal into unified, auditable requirements for U.S. organizations handling consumer financial information.
Trump Administration Update #
Based on current sources and regulatory activity as of October 2025, there have been no substantive rollbacks or reversals of the FTC Safeguards Rule or its breach notification and data disposal requirements directly attributable to the Trump administration following the 2024 election. While President Trump has shifted regulatory priorities in other areas—most notably in competition policy, financial regulatory enforcement, and non-compete rules—the FTC’s data security rule (including the breach notification provisions effective in May and June 2025) remains in force, with recent guidance and enforcement continuing under the new administration.Source: FTC
Sharp Drop in Enforcement Actions #
However, overall enforcement actions against financial services firms have decreased sharply since President Trump’s inauguration, and the FTC’s current leadership has signaled a more “business-friendly” orientation in its communication and regulatory guidance, prioritizing certainty for regulated entities and reducing regulatory burdens where possible. Federal agencies under Trump’s second term, including the CFPB and FTC, have restructured some priorities—but the Safeguards Rule itself and its major amendments have not been revoked, delayed, or defunded as of October 2025.
In summary: the rule’s requirements are still active, but future agency enforcement could be lighter, with some risk of further easing depending on future executive or legislative actions. For now, all compliance deadlines and obligations for financial institutions remain unchanged.
