FTC Safeguards: What Southern California Law Firms Need to Know

March 19, 2026

When most attorneys think about data security regulations, HIPAA comes to mind first. But there's another rule that's increasingly relevant to law firms across Southern California: the FTC Safeguards Rule. Many practices still don't know it applies to them.

The Federal Trade Commission's Standards for Safeguarding Customer Information, commonly called the Safeguards Rule, was updated in 2023, expanding its reach well beyond financial institutions. Today, it covers any business that handles certain types of consumer financial data. This includes a broader range of law firms.

Here's what California law firms need to know about the FTC Safeguards Rule and what compliance looks like in practice.

Does the FTC Safeguards Rule Apply to Your Law Firm?

The short answer: possibly yes, and you should find out for certain before assuming otherwise.

The FTC Safeguards Rule applies to "financial institutions" as defined under the Gramm-Leach-Bliley Act (GLBA). That definition is broader than most people realize. The FTC has made clear that law firms engaged in certain activities qualify as financial institutions for purposes of this rule. These activities include:

  • Providing tax or financial planning advice
  • Handling real estate closings or settlement services
  • Managing client trust accounts or escrow funds
  • Assisting clients with debt collection or creditor negotiations
  • Advising on mergers, acquisitions, or financing transactions
  • Providing accounting or bookkeeping services alongside legal work

The Core Requirements of the FTC Safeguards Rule

Compliance with the FTC Safeguards Rule is built around developing, implementing, and maintaining a comprehensive written Information Security Program. This includes:

1. Designate a Qualified Individual

You must assign a specific person, either an in-house employee or an outsourced provider, to oversee your information security program. This person is responsible for ensuring your firm stays compliant and for reporting to leadership regularly. For many small and mid-size Southern California firms, this role is filled by a trusted IT partner, such as Shift Computer Services.

2. Conduct a Written Risk Assessment

Your firm must identify and evaluate the risks to the security, confidentiality, and integrity of customer information. This assessment must be in writing and must cover:

  • Where customer financial information is stored, processed, and transmitted
  • Internal and external threats to that information
  • The likelihood and potential damage from those threats
  • The sufficiency of your current safeguards

3. Implement Specific Technical Safeguards

The 2023 rule is unusually specific about the technical controls required. Your firm must implement:

  • Encryption of customer information, both in transit and at rest
  • Multi-factor authentication (MFA) for any individual accessing customer financial information
  • Secure development practices for any in-house software or applications
  • Procedures for securely disposing of customer data that is no longer needed
  • Access controls that limit who can access sensitive information and why
  • Monitoring and testing your safeguards to ensure they remain effective

4. Oversee Service Providers

Your firm is responsible for the security practices of the vendors and service providers you work with. You must select service providers that maintain appropriate safeguards, require them to do so by contract, and periodically monitor their compliance. This means your IT vendor, cloud storage provider, and document management platform all need to meet the standard.

5. Create an Incident Response Plan

You must have a written plan in place for how your firm will respond to a security event. This plan should define roles and responsibilities, outline how breaches will be detected and contained, specify how affected clients will be notified, and include a post-incident review process.

6. Train Your Staff

Every member of your team who handles customer information must receive regular, ongoing security awareness training. This isn't optional, and it isn't a one-time onboarding task. The rule requires training that is updated as threats evolve.

California Consumer Privacy Act (CCPA) Adds Another Layer

Southern California law firms don't just have the FTC to follow. California's privacy landscape adds meaningful obligations on top of federal requirements.

CCPA / CPRA: Law firms that collect personal information about California residents through their websites, intake forms, or client portals may have CCPA obligations. These include providing privacy notices, honoring opt-out requests, and implementing reasonable security measures.

The Cost of Non-Compliance

The FTC has the authority to pursue civil penalties for violations of the Safeguards Rule. But financial fines are often the least damaging consequence for a law firm. Consider the full picture:

  • Civil penalties issued by the FTC for each violation
  • State AG enforcement actions under California's own privacy laws
  • Client lawsuits following a data breach, particularly where sensitive financial or personal information was exposed
  • State Bar disciplinary proceedings for failure to protect client confidentiality
  • Reputational damage in a competitive market where client trust is everything
  • Operational disruption from a security incident that your firm was unprepared to handle

Common Compliance Gaps We See at Southern California Law Firms

After working with legal practices throughout the region, these are the issues that come up most often:

  • No written Information Security Program in place
  • Multi-factor authentication is not yet deployed across all systems that access client financial data
  • No designated qualified individual responsible for information security oversight
  • Service provider contracts that don't include required data security language
  • Risk assessments that were done once and never revisited
  • Staff who haven't received formal security awareness training
  • No incident response plan, so when a breach happens, the firm is improvising

Shift Computer Services Will Help You Be FTC Compliant

The FTC Safeguards Rule isn't going away, and enforcement activity is increasing. For Southern California law firms handling real estate transactions, trust accounts, financial planning matters, or any other financially sensitive client work, the question isn't whether you need to comply with it; it's whether you already are.

We've helped law firms across Los Angeles, Orange County, San Diego, and the broader Southern California region build information security programs that satisfy both federal and state requirements. We understand the operational realities of running a legal practice, and we know how to implement the right safeguards without disrupting the way your firm works.

Give us a call at 714-369-8197 to book a free 15-minute discovery call.