Amendment Overview

The Federal Trade Commission (the “FTC”) approved last week an amendment to its Safeguards Rule that will institute new data breach notification requirements for non-bank financial institutions. The Safeguards Rule, which was promulgated under the Gramm-Leach-Bliley Act, requires non-bank financial institutions (e.g. mortgage brokers, payday lenders, motor vehicle dealers) to develop, implement, and maintain comprehensive security programs to ensure the safety of consumer information.

This recent amendment (the “Amendment”) results from a 2021 rulemaking, and requires that non-bank financial institutions subject to the FTC’s jurisdiction report certain data breaches and other security events. Specifically, the Amendment requires these institutions to notify the FTC no later than 30 days after discovering a data breach involving information of 500 or more consumers. A data breach (“notification event”) is defined as the unauthorized acquisition of unencrypted customer information.

Notification must be electronically submitted via the FTC’s website and it must include information about the event as follows:

• A description of the types of information involved;
• The date or date range of the data breach (if known);
• A general description of the data breach; and
• The number of consumers affected or potentially affected.

The Amendment becomes effective 180 days after publication of this rule in the Federal Register.

Next Steps

Non-bank financial institutions should plan to incorporate processes and procedures into their regular breach response planning for reporting to the FTC the types of data breaches and other security events as described by the Amendment itself. Further, these institutions should put in place mechanisms to track the volume of consumers affected by any data breach or security event. This tracking will enable these institutions to decide whether reporting to the FTC is required under the Amendment.