
FTC Safeguards Compliance

The Gramm-Leach-Bliley Act did more than regulate banks and large financial institutions; it imposed security standards on "non-banks" that offer financial services. The scope of coverage is larger than most people believe. Automobile dealerships and mortgage lenders are not what most people think of when they consider federal compliance standards, yet they are explicitly mentioned as being affected.

Case Study

Qualified Individual for a Mid-Sized Fintech Company

Case Study: Serving as the Qualified Individual Under the FTC Safeguards Rule


A mid-sized financial services company, handling sensitive customer data every day, reached a point where compliance could no longer be treated as a periodic exercise. The expectations under the FTC Safeguards Rule required something more structured, more accountable, and more continuous.

Specifically, the company needed a Qualified Individual, someone responsible not just for documenting compliance, but for actively overseeing the information security program, assessing risk, validating controls, and reporting directly to the board of directors.

The Situation

The company had many of the right pieces in place. Security tools existed. Policies had been drafted over time. Prior risk assessments had been conducted. The technology team was capable and responsive.

But like many growing organizations, these elements weren’t fully unified. Risk assessments had identified issues, but not all had been tracked to resolution. Policies existed, but weren’t always aligned to actual practice. And while security efforts were happening, there wasn’t a single, accountable function ensuring everything tied together into a coherent, compliant program.

The Approach

As the Qualified Individual, my role was to bring discipline and clarity to the company’s information security program, without disrupting day-to-day operations.


I began by conducting a comprehensive risk assessment. This wasn’t built from a single source. Instead, it combined multiple perspectives to create a complete and credible view of risk:

  • Independent observation of systems and workflows

  • Research into regulatory expectations and industry standards

  • Interviews with staff across technology and business functions

  • Review of prior risk assessments, including unresolved findings

This layered approach allowed us to move beyond a static checklist toward a clearer picture of where risk actually existed in the organization.

From there, I evaluated existing controls against both real-world practices and the expectations of the Safeguards Rule. Some controls were strong but undocumented. Others were documented but inconsistently applied. And in a few cases, controls needed to be reintroduced or substantially strengthened.


At the same time, I maintained and refined the company’s information security program: the collection of policies, procedures, and controls that define how the organization protects data. The goal wasn’t to create documentation for its own sake, but to ensure that what was written accurately reflected how the company operated, and that it aligned with regulatory expectations.

Changing Incident Response

One of the most important enhancements involved the company’s incident response process. While a response plan existed, it did not fully account for updated regulatory requirements: specifically, the obligation to notify the FTC in the event of a breach involving unencrypted customer information.

We updated the process to explicitly include:

  • Clear criteria for determining when notification is required

  • Defined escalation paths

  • Integration with legal and executive stakeholders

This change ensured that, in the event of an incident, the company could respond not only quickly, but correctly.


The Outcome

By the end of the engagement, the risk assessment was complete, comprehensive, and grounded in how the business actually operated. Identified risks had been evaluated and addressed in alignment with regulatory expectations. The information security program was a cohesive system that reflected real controls and real practices.

As the Qualified Individual, I delivered:

  • A written risk assessment documenting methodology, findings, and mitigation efforts

  • A letter of attestation to the board of directors, affirming that the company’s program met the requirements of the FTC Safeguards Rule


This was the culmination of a structured process that connected risk identification, control implementation, and executive oversight into a single, defensible program.


Why This Matters

Compliance frameworks like the Safeguards Rule are often misunderstood as documentation exercises. In reality, they require something much more fundamental: alignment between how a company operates and how it protects sensitive data.

Having the right Qualified Individual makes the difference between checking boxes at a surface level and having real controls that can protect your business.
