On October 27th, the Federal Trade Commission (the “FTC”) announced that it approved an amendment to the Safeguards Rule promulgated under the federal Gramm-Leach-Bliley Act (the “Safeguards Rule”) requiring non-bank financial institutions subject to the FTC’s jurisdiction to report to the FTC data breaches affecting 500 or more people (the “Amendment”). 

The Safeguards Rule requires non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep customer information safe. In the process of adopting certain amendments to the Safeguards Rule in October 2021, the FTC also sought comment on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The Amendment is the final version of the 2021 proposed supplemental amendment.

The Amendment requires financial institutions to notify the FTC as soon as possible and no later than 30 days after the discovery of a security breach involving the information of at least 500 people. A security breach will trigger the notification requirement if unencrypted “customer information” has been acquired without the authorization of the individual to whom the information pertains. The Safeguards Rule defines “customer information” as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution or its] affiliates.” Note that the terms “nonpublic personal information” and “customer” have nuanced definitions in the Safeguards Rule.

The Amendment provides that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless there is reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

The notice to the FTC required by the Amendment must be submitted electronically on a form found on the FTC’s website, and it must include certain information about the event, including: 

  • a description of the types of information involved;
  • the date or date range of the data breach (if known);
  • a general description of the data breach; and
  • the number of consumers affected or potentially affected.

The Amendment becomes effective 180 days after publication in the Federal Register.

Last week, the Federal Trade Commission (the “FTC”) released a final rule amending the Standards for Safeguarding Customer Information (commonly referred to as the “Safeguards Rule”) promulgated under the Gramm-Leach-Bliley Act (“GLBA”). The final Safeguards Rule, approved by the FTC Commissioners along party lines, will require financial institutions to make significant changes in their information security programs. The FTC issued a Notice of Proposed Rulemaking proposing these changes in 2019.

The FTC has enforcement authority under the Safeguards Rule over financial institutions that are not banks, credit unions, insurance carriers, or SEC-registered investment advisers and investment companies.  Such financial institutions include non-bank lenders, check-cashing businesses, mortgage brokers, personal property or real estate appraisers, professional tax preparers and credit reporting agencies.

Under the current Safeguards Rule, these financial institutions are required to develop, implement, and maintain a reasonably designed, comprehensive, written information security program with appropriate administrative, technical, and physical safeguards relating to customer information. The final Safeguards Rule represents a significant shift towards more prescriptive requirements for information security, something towards which the FTC has been working for years.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The updates adopted by the Commission to the Safeguards Rule detail common-sense steps that these institutions must implement to protect consumer data from cyberattacks and other threats.”

The final Safeguards Rule amends the current rule in five primary ways:

  • By including more detailed requirements for the development and establishment of an information security program. The current rule requires financial institutions to undertake a risk assessment and develop and implement safeguards to address identified risks.  The final Safeguards Rule requires that such risk assessment be written and that such safeguards address:
    • access controls;
    • data inventory and classification;
    • encryption;
    • secure development practices;
    • authentication;
    • information disposal procedures;
    • change management;
    • testing; and
    • incident response.
    Although financial institutions must comply with more specific requirements than under the current Safeguards Rule, they retain the flexibility to design an information security program that is appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of any customer information they possess.
  • By requiring the designation of a single individual responsible for implementing and overseeing the financial institution’s information security program (referred to as a “Qualified Individual”) and requiring periodic reports to boards of directors or other governing bodies by such Qualified Individual that will provide senior management with awareness of their financial institutions’ information security programs.
  • By exempting financial institutions that maintain information on fewer than 5,000 consumers from the requirements to perform a written risk assessment, conduct continuous monitoring or annual penetration testing and biannual vulnerability assessments, prepare a written incident response plan, and prepare annual written reports for boards of directors or other governing bodies.
  • By expanding the definition of “financial institution” to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. The final Safeguards Rule now applies to “finders,” i.e., companies that bring together buyers and sellers of a product or service. Because the Safeguards Rule applies only to relationships and transactions that are “for personal, family, or household purposes,” finding services involving consumer transactions for customers (i.e., consumers with whom a financial institution has an ongoing relationship) will now be covered by the Safeguards Rule. This change will also bring the Safeguards Rule into harmony with other federal agencies’ safeguards rules, which include activities incidental to financial activities in their definition of financial institution.
  • By including several definitions and related examples, including of “financial institution,” in the Safeguards Rule itself rather than incorporating them by reference from the Privacy of Consumer Financial Information Rule promulgated under the GLBA (commonly referred to as the “Privacy Rule”). This will make the Safeguards Rule more self-contained and will allow readers to understand its requirements without having to reference the Privacy Rule.

Certain provisions of the final Safeguards Rule, including those relating to implementing safeguards, undertaking a written risk assessment, appointing a Qualified Individual, and conducting continuous monitoring or annual penetration testing, are effective one year after the date of publication of the final rule in the Federal Register; the remainder of the provisions are effective 30 days following publication.

In addition to the amendments to the Safeguards Rule described above, the FTC is also seeking comment on whether to amend the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the FTC. The proposed amendment would require financial institutions to report a data breach affecting or reasonably likely to affect at least 1,000 consumers.  This notice must be provided via a webform on the FTC’s website within 30 days of discovery of the breach and must include certain specified disclosures. The FTC announced that it would soon publish a supplemental Notice of Proposed Rulemaking, after which the public will have 60 days to submit comments.

As we reported in our post about the Minnesota Customer Data Privacy Act, the Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA) was passed by the state legislature on June 13th.  Governor McKee neither signed nor vetoed it but transmitted it to the Rhode Island Secretary of State, i.e., it is effective without the Governor’s signature.

1. WHEN IS RI-DTPPA IN FORCE?

The RI-DTPPA effective date is January 1, 2026 – the same date as the customer privacy laws in Indiana and Kentucky. 

Since Vermont’s consumer privacy law was vetoed, the RI-DTPPA makes 20 state consumer privacy laws.  The 19 state customer privacy laws preceding RI-DTPPA (collectively, the State Customer Privacy Laws) are in force as follows.

State | State Customer Privacy Law Title | Effective Date
California | California Customer Privacy Act (CCPA) | January 1, 2020; CCPA Regulations effective January 1, 2023
Colorado | Colorado Privacy Act | July 1, 2023
Connecticut | Connecticut Personal Data Privacy and Online Monitoring Act | July 1, 2023
Delaware | Delaware Personal Data Privacy Act | January 1, 2025
Florida | Florida Digital Bill of Rights | July 1, 2024
Indiana | Indiana Customer Data Protection Act | January 1, 2026
Iowa | Iowa’s Act Relating to Customer Data Protection | January 1, 2025
Kentucky | Kentucky Customer Data Privacy | January 1, 2026
Maryland | Maryland Online Data Privacy Act | October 1, 2025
Minnesota | Minnesota Customer Data Privacy Act | July 31, 2025
Montana | Montana Customer Data Privacy Act | October 1, 2024
Nebraska | Nebraska’s Data Privacy Act | January 1, 2025
New Hampshire | Act Relative to the Expectation of Privacy | January 1, 2025
New Jersey | New Jersey Data Protection Act | January 15, 2025
Oregon | Oregon Customer Privacy Act | July 1, 2024 (July 1, 2025, for in-scope non-profit organizations)
Tennessee | Tennessee Information Protection Act | July 1, 2025
Texas | Texas Data Privacy and Security Act | July 1, 2024
Utah | Utah Customer Privacy Act | December 31, 2023
Virginia | Virginia Customer Data Protection Act | January 1, 2023
Continue Reading Rhode Island Makes it an Even 20

In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws.  Three legislatures made it to the finish line.  Minnesota’s state legislature passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which Minnesota’s governor signed on May 24th.  Of the other two, one is pending gubernatorial action, and the other was vetoed.

The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th.  Before RI-DTPA becomes law, Governor McKee must either sign, take no action or veto it.  If signed, RI-DTPA is in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.

We are not, however, making assumptions about RI-DTPA’s passage.  This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA.  On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act.  In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”  He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset.  He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” (See here.)  A veto override was not successful.

The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak (see, e.g., here).  Advertising associations also reportedly oppose RI-DTPA.  Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.

Continue Reading Minnesota Makes 19: Will Rhode Island’s Privacy Law Replace Vermont’s Vetoed Privacy Law as #20?

This week, House Committee on Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) and Senate Committee on Commerce, Science and Transportation Chair Maria Cantwell (D-WA) unveiled their bipartisan, bicameral discussion draft of the American Privacy Rights Act (APRA draft).[1] Chair Rodgers’ and Chair Cantwell’s announcement of the APRA draft surprised many congressional observers after comprehensive privacy legislation stalled in 2022.

Continue Reading April’s APRA: Could Draft Privacy Legislation Blossom into Law in 2024?

Hot on the tail of California Attorney General Rob Bonta’s announcement of an investigative sweep targeting streaming services (see our blog post here), Connecticut’s Office of the Attorney General (“OAG”) is making headlines with its recent report covering its preliminary enforcement actions under the Connecticut Data Privacy Act (“CTDPA”). We’ve previously covered Colorado and California enforcement activity here.

Continue Reading Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways

2023 was another busy year in the realm of data event and cybersecurity litigation, with several noteworthy developments in disputes and regulator activity.  Privacy World has been tracking these developments throughout the year.  Read on for key trends and what to expect going into 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021.  At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events.  On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information.  Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event). 

Continue Reading 2023 Cybersecurity Year In Review

The Consumer Financial Protection Bureau (the “CFPB”) recently issued a Notice of Proposed Rulemaking to implement Section 1033 of the Dodd-Frank Act (“Section 1033”). Section 1033 generally requires covered persons to make information concerning a financial product or service that a consumer has obtained from such person available to the consumer, subject to CFPB rulemaking.

The rule recently proposed by the CFPB to implement Section 1033 (the “Proposed Rule”) would require that certain entities make transaction and other account data more readily available to consumers and authorized third parties. It also would impose privacy and information security obligations and limitations on these entities, as well as on third parties authorized to collect and use that data. These requirements and limitations are discussed in more detail below.

Continue Reading CFPB Issues Notice of Proposed Rulemaking on Open Banking

On October 10, 2023, Governor Newsom signed into law SB 362, known as the “California Delete Act” or “Delete Act”, which had been passed by the legislature at the end of the 2023 legislative session on September 14. The Delete Act amends California’s existing Data Broker Registration law (Cal. Civ. Code Section 1798.99.80 et seq.). Among other things, the law imposes additional registration requirements on top of those that already exist, doubles the administrative fine for failure to register, requires the California Privacy Protection Agency (CPPA) to set up a one-stop shop deletion mechanism that allows consumers to make requests to all registered data brokers, and obligates data brokers to access the mechanism every 45 days and process each and every deletion request made by consumers within a prescribed timeframe (including informing all service providers and contractors of the request).

Continue Reading California Delete Act Imposes New Obligations on Data Brokers

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Privacy Challenges for Digital Advertising, Particularly in Europe

The Online Safety Act: Does this present a difficult balancing act for online service providers?

Simplified Sanction Procedure Used by the CNIL To Sanction Geolocation and Video Surveillance of Employees in France

Scott Warren and Kristin Bryan to Speak at the Society for the Policing of Cyberspace (POLCYB) Conference

Two Significant AI Announcements:  Spooky for AI Developers?

Last Chance to Register for In-Person CLE: The Important Role Legal Plays in an Era of Growing Data Risks: Key Findings From the 2023 ACC CLO Report

Cyber and AI talks in Tokyo

Join us for a Roundtable: Preparing for the EU Artificial Intelligence Act – Brussels

UPDATED BLOGPOST: Online Safety in Digital Markets Needs a Joined-Up Approach with Competition Law in the UK

FTC Amends GLBA Safeguards Rule to Require Reporting of Certain Data Breaches

Unclear on AI Contracting in the EU – the European Commission Is Pleased to Help