The rule requires a written information security program overseen by a designated Qualified Individual. It also requires a risk assessment and access controls with multi-factor authentication for anyone accessing your information systems, unless a documented equivalent is approved. Customer information must be encrypted in transit and at rest.
You must apply secure development practices if you build your own software. You need continuous monitoring of your systems. Without it, you need annual penetration testing and vulnerability assessments at least every six months. The remaining elements are security awareness training, a written incident response plan, and an annual written report to your board or governing body. You must also notify the FTC within 30 days of a notification event. A notification event is the unauthorized acquisition of unencrypted customer information involving at least 500 consumers.
Organizations maintaining information on fewer than 5,000 consumers are exempt from four of these elements: the written risk assessment, the penetration testing and twice-yearly vulnerability assessments, the written incident response plan, and the annual board report. They must still maintain a written program with the remaining safeguards. Those include access controls and MFA, encryption, audit logging of access to customer information, secure disposal, and training. The FTC breach-notification duty applies regardless of size.