The FTC recently issued a final rule amending the Standards for Safeguarding Customer Information (the Safeguards Rule) to require certain financial institutions to report data breaches involving at least 500 consumers to the FTC. The amendment is effective May 13, 2024.
The amendment to the Safeguards Rule requires financial institutions over which the FTC has rulemaking authority pursuant to the Gramm-Leach-Bliley Act, such as mortgage lenders, mortgage brokers, and finance companies, to notify the FTC if unencrypted customer information involving at least 500 consumers is acquired without the authorization of the individual to whom the information pertains. The financial institution must notify the FTC no later than 30 days after discovery of the event, using a form provided on the FTC’s website. The notice to the FTC must include certain information about the event, including, among other information, (i) a description of the types of information that were involved in the notification event, (ii) the number of consumers affected or potentially affected by the notification event, and (iii) the date or date range of the notification event, if such dates can be determined.