The Federal Trade Commission (FTC) recently adopted a final rule amending its Standards for Safeguarding Customer Information (commonly referred to as the “Safeguards Rule”) to require financial institutions to report certain data breaches and other security events to the FTC.

These amendments come shortly after the Securities and Exchange Commission (SEC) adopted rules on mandatory cybersecurity disclosures as discussed in a prior LawFlash, demonstrating a focus by the US government on transparency regarding data breaches and other cybersecurity events. The FTC amendments become effective on May 13, 2024.

Background

The Safeguards Rule requires covered entities to maintain safeguards that protect customer information. It applies to financial institutions that are subject to the FTC’s jurisdiction and are not subject to the enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 USC § 6805.

Examples of financial institutions that are covered by the Safeguards Rule include, without limitation, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that are not required to register with the SEC.

The Safeguards Rule originally took effect in 2003, and the FTC amended it in 2021 to bring it up to date with current technology. In connection with the 2021 amendments, the FTC published a supplemental notice of proposed rulemaking in the Federal Register proposing to further amend the Safeguards Rule to require financial institutions to report certain security events to the FTC as soon as possible, and no later than 30 days after discovery of the event.

In response to the notice, the FTC received 14 comments from various parties, including industry groups, consumer groups, and individual consumers, and finalized the rule with minor changes.

New Requirements

The final rule requires financial institutions to report a “notification event,” defined as the unauthorized acquisition of unencrypted customer information, to the FTC as soon as possible, and no later than 30 days after discovery of the event, when the event involves the information of at least 500 consumers. Two points in the rule’s definition matter in practice: customer information is treated as unencrypted if the encryption key was accessed by an unauthorized person, and unauthorized access to unencrypted customer information is presumed to be an unauthorized acquisition unless the institution has reliable evidence that acquisition did not, or could not reasonably have, occurred.

The notice to the FTC must include (1) the name and contact information of the reporting financial institution; (2) a description of the types of information involved in the notification event; (3) if it is possible to determine, the date or date range of the notification event; (4) the number of consumers affected; (5) a general description of the notification event; and, if applicable, (6) whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, together with a means for the FTC to contact that law enforcement official.

The notice must be provided electronically through a form located on the FTC's website.

With the May 13, 2024 effective date approaching, all financial institutions subject to the Safeguards Rule should review and, if necessary, update their incident response policies and procedures, including how they determine whether customer information was encrypted and how they count affected consumers, so that they are in a position to comply with these new federal data breach reporting requirements.