Reminder: FTC Safeguards Rule Notification Requirement Now In Effect

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

On May 13, the FTC's amendment to the Safeguards Rule relating to the reporting of data breaches and security incidents, which was announced in October of 2023, became effective.

As a reminder, the FTC's Safeguards Rule requires non-banks, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers' information safe. In October 2021, the FTC announced it had finalized an amendment to the Safeguards Rule to reinforce the data security safeguards that financial institutions are required to put in place to protect their customers' financial information (see our previous post on this final rule here).

The October 2023 amendment (previously discussed here) requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 customers. The notification obligation applies to "customer information," which the FTC defines as nonpublic, personally identifiable financial information that is maintained about a "customer," which is a consumer with whom the company has a continuing relationship to provide financial products or services for personal, family, or household uses. The notice to the FTC reporting the breach must include the following information:

  • the name and contact information of the reporting financial institution;
  • a description of the types of information exposed in the notification event;
  • if the information is [available to identify], the date or date range of the notification event;
  • the number of consumers affected; and
  • a general description of the notification event.

The FTC has released guidance to help companies comply with Safeguards Rule requirements.

Putting It Into Practice: A couple of things to remember about the FTC Safeguards Amendment. First, there is no harm threshold. As such, any type of data breach that impacts 500 or more customers falls under the Amendment's scope. Second, the FTC will publish notification event reports in a publicly available database, with only a limited exception if a law enforcement agency indicates that notice to the public would impede a criminal investigation or harm national security.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
