Blog

On October 27, 2023, the Federal Trade Commission (FTC) announced sweeping amendments to its Safeguards Rule. Now non-banking financial institutions will be required to report information security breaches and related events. This includes entities such as mortgage brokers, accountants, investment advisers, car dealers, and payday lenders, all of whom hold significant consumer personal financial information.

All such entities will now be required to develop and maintain a comprehensive information security program to keep customer data secure. Further, covered entities must report breaches to the FTC no later than 30 days after discovering a security breach that involves unauthorized acquisition of unencrypted data of 500 or more consumers. This notification must disclose not only the exact number of consumers affected but also the number who may potentially be affected.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, noted that “Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised…. The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”  

The FTC developed the original 2003 Safeguards Rule to strengthen data security safeguards that financial institutions must put in place to protect their customers’ financial information. The Rule is based on the 1999 Gramm-Leach-Bliley Act, which required certain financial institutions (mainly banks) to meet defined data security requirements to protect the institutions’ sensitive information and consumer data. This amended breach notification requirement becomes effective 180 days after it’s published in the Federal Register.