The new FTC Safeguards Rule amends the GLBA, a law that has been in place for many years. The problem with GLBA is that it has been viewed more as a set of recommendations than as compliance requirements, because it lacked specific controls. Rather than passing a new compliance law, the FTC found it could expand the existing law by adding some pain points to it, including $10,000 fines and possible jail for executives.
Many companies do not think they need to follow, or fall under, the current GLBA guidance; however, organizations should carefully review the expanded requirement umbrella, which is going to cover many more companies than originally designed. Financial institutions and car dealerships that hold or maintain private financial data fall under these new guidelines immediately.
However, these new guidelines are very broad, and you shouldn't be so quick to think "Well, I'm not a financial institution, so these aren't going to apply." Below are two quick checklists for the core financial and car dealership models, but I would recommend everyone review what the new FTC Safeguards rules are and decide whether your organization falls into one of those categories based on the "new" definitions.
Level5 has always recommended to our clients that, if they are not subject to a government compliance mandate, they adopt NIST or CIS at a minimum as a baseline posture for best-practice computing. It also puts your company on a good track for obtaining cyber-liability insurance, which is becoming more stringent and harder to qualify for (future post coming).