On October 27th, the Federal Trade Commission (the “FTC”) announced that it approved an amendment to the Safeguards Rule promulgated under the federal Gramm-Leach-Bliley Act (the “Safeguards Rule”) requiring non-bank financial institutions subject to the FTC’s jurisdiction to report to the FTC data breaches affecting 500 or more people (the “Amendment”). 

The Safeguards Rule requires non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep customer information safe. In the process of adopting certain amendments to the Safeguards Rule in October 2021, the FTC also sought comment on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The Amendment is the final version of the 2021 proposed supplemental amendment.

The Amendment requires financial institutions to notify the FTC as soon as possible and no later than 30 days after the discovery of a security breach involving the information of at least 500 people. A security breach will trigger the notification requirement if unencrypted “customer information” has been acquired without the authorization of the individual to which the information pertains. The Safeguards Rule defines “customer information” as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution or its] affiliates.” Note that the terms “nonpublic personal information” and “customer” have nuanced definitions in the Safeguards Rule.

The Amendment provides that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless there is reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

The notice to the FTC required by the Amendment must be submitted electronically on a form found on the FTC’s website, and it must include certain information about the event, including: 

  • a description of the types of information involved;
  • the date or date range of the data breach (if known);
  • a general description of the data breach; and
  • the number of consumers affected or potentially affected.

The Amendment becomes effective 180 days after publication in the Federal Register.