BizCare Portal - Serving Bay Area Industrial Filtration

FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches

The amendment will require non-bank financial institutions to report when they discover that information affecting 500 or more people has been acquired without authorization.

The Federal Trade Commission has approved an amendment to the Safeguards Rule requiring non-banking institutions to report certain data breaches and other security events to the agency.

The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security safeguards financial institutions must implement to protect their customers’ financial information. The FTC also sought comment on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the Commission.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Adding this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”

The amendment announced today requires financial institutions to notify the FTC as soon as possible and no later than 30 days after the discovery of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains. The notice to the FTC must include specific information about the event, such as the number of consumers affected or potentially affected.

The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

The Commission voted 3-0 to publish the notice amending the Safeguards Rule in the Federal Register.

The FTC’s Bureau of Consumer Protection lead staffers are David Lincicum and Mark Eichorn.

The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer and business blog alerts, and sign up to get the latest FTC news and alerts.