HB Ad Slot
HB Mobile Ad Slot
Reminder: FTC Safeguards Rule Notification Requirement Now in Effect
Friday, May 17, 2024

On May 13, the FTC’s amendment to the Safeguards Rule relating to the reporting of data breaches and security incidents, which were announced in October of 2023, became effective.

As a reminder, the FTC’s Safeguards Rule requires non-banks, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized an amendment to the Safeguards Rule to reinforce the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information (see our previous post on this final rule here).

The October 2023 amendment (previously discussed here) requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 customers. The notification obligation applies to “customer information,” which the FTC defines as nonpublic, personally identifiable financial information that is maintained about a “customer,” which is a consumer with whom the company has a continuing relationship to provide financial products or services for personal, family, or household uses. The notice to the FTC reporting the breach must include the following information:

  • the name and contact information of the reporting financial institution;
  • a description of the types of information exposed in the notification event;
  • if the information is [available to identify], the date or date range of the notification event;
  • the number of consumers affected; and
  • a general description of the notification event.

The FTC has released guidance to assist companies to comply with Safeguards Rule requirements.

Putting It Into PracticeA couple things to remember about the FTC Safeguards Amendment. First, there is no harm threshold. As such, any type of data breach that impacts 500 or more customers falls under the Amendment’s scope. Second, the FTC will publish notification event reports in a publicly available database, with only a limited exception if a law enforcement agency indicates that notice to the public would impede a criminal investigation or harm national security.

Listen to this post

HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins