[co-author: Skylar Stoudt*]

The FTC recently amended the Safeguards Rule to make non-banking institutions such as mortgage brokers, motor vehicle dealers, and payday lenders notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. The FTC plans to provide an online form that will be used to report certain information, including the type of information involved in the security event and the number of consumers affected or potentially affected. The FTC’s Safeguards Rule also requires non-banks to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.

As reported by our sister blog here, in October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information.

*Skylar Stoudt is a law clerk in the firm’s Washington, D.C. office.

Putting It Into Practice: Companies collecting sensitive consumer data should be reminded that they have a responsibility to protect such data, as well as be transparent if that information has been compromised. Non-banks may wish to develop steps into their regular data incident response planning for reporting to the FTC the types of data breaches and other security events as described in the amendment.