On October 27, the FTC has approved an amendment to the Safeguards Rule that would require non-banking institutions to report certain data breaches and other security events to the agency. The amendment requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains. The notice to the FTC will need to include certain information about the event, including:

1. the name and contact information of the reporting financial institution;
2. a description of the types of information exposed in the notification event;
3. if the information is [available to identify], the date or date range of the notification event;
4. the number of consumers affected; and
5. a general description of the notification event.

If applicable, the notification must include whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.

The FTC’s Safeguards Rule requires non-banks, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information (see our previous post on this amendment here).

The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register. The Commission voted 3-0 to publish the notice amending the Safeguards Rule in the Federal Register.

Putting It Into Practice: This latest amendment reinforces the FTC’s position that financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it, as well as be transparent if that information has been compromised. Non-banks should consider developing processes and procedures into their regular data incident response planning for reporting to the FTC the types of data breaches and other security events as described in the amendment. Further, these institutions should put in place mechanisms to track the volume of consumers affected by any data breach or security event.