16 CFR §314.3 — Standards for safeguarding customer information (FTC GLBA Safeguards Rule)
16 CFR §314.3 sets the core standard for the FTC Safeguards Rule: a written, comprehensive information security program with administrative, technical, and physical safeguards.
Verbatim regulatory text
Verbatim provisions from 16 CFR §314.3 — Standards for safeguarding customer information (FTC GLBA Safeguards Rule) — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.
16 CFR §314.3(a) — Written, comprehensive information security program
(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue.
16 CFR §314.3(b) — Information security program objectives
(b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:
16 CFR §314.3(b) — Information security program objectives — enumerated items (chapeau recall fix)
(1) Insure the security and confidentiality of customer information ; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer . [ 67 FR 36493 , May 23, 2002, as amended at 86 FR 70307 , Dec. 9, 2021] CFR Toolbox Law about...