Reminder: FTC Safeguards Rule Notification Requirement Now In Effect

A.J.S. Dhaliwal, Mehul Madia
Sheppard Mullin Richter & Hampton LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Sheppard Mullin Richter & Hampton LLP

On May 13, the FTC’s amendment to the Safeguards Rule relating to the reporting of data breaches and security incidents, which were announced in October of 2023, became effective.

As a reminder, the FTC’s Safeguards Rule requires non-banks, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized an amendment to the Safeguards Rule to reinforce the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information (see our previous post on this final rule here).

The October 2023 amendment (previously discussed here) requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 customers. The notification obligation applies to “customer information,” which the FTC defines as nonpublic, personally identifiable financial information that is maintained about a “customer,” which is a consumer with whom the company has a continuing relationship to provide financial products or services for personal, family, or household uses. The notice to the FTC reporting the breach must include the following information:

  • the name and contact information of the reporting financial institution;
  • a description of the types of information exposed in the notification event;
  • if the information is [available to identify], the date or date range of the notification event;
  • the number of consumers affected; and
  • a general description of the notification event.

The FTC has released guidance to assist companies to comply with Safeguards Rule requirements.

Putting It Into Practice: A couple things to remember about the FTC Safeguards Amendment. First, there is no harm threshold. As such, any type of data breach that impacts 500 or more customers falls under the Amendment’s scope. Second, the FTC will publish notification event reports in a publicly available database, with only a limited exception if a law enforcement agency indicates that notice to the public would impede a criminal investigation or harm national security. 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP
Sheppard Mullin Richter & Hampton LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide