Reminder: FTC Safeguards Rule Notification Requirement Now in Effect
Friday, May 17, 2024
FTC Safeguards Notification Requirement
Print Mail Download i

On May 13, the FTC’s amendment to the Safeguards Rule relating to the reporting of data breaches and security incidents, which were announced in October of 2023, became effective.

As a reminder, the FTC’s Safeguards Rule requires non-banks, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized an amendment to the Safeguards Rule to reinforce the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information (see our previous post on this final rule here).

The October 2023 amendment (previously discussed here) requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 customers. The notification obligation applies to “customer information,” which the FTC defines as nonpublic, personally identifiable financial information that is maintained about a “customer,” which is a consumer with whom the company has a continuing relationship to provide financial products or services for personal, family, or household uses. The notice to the FTC reporting the breach must include the following information:

  • the name and contact information of the reporting financial institution;
  • a description of the types of information exposed in the notification event;
  • if the information is [available to identify], the date or date range of the notification event;
  • the number of consumers affected; and
  • a general description of the notification event.

The FTC has released guidance to assist companies to comply with Safeguards Rule requirements.

Putting It Into PracticeA couple things to remember about the FTC Safeguards Amendment. First, there is no harm threshold. As such, any type of data breach that impacts 500 or more customers falls under the Amendment’s scope. Second, the FTC will publish notification event reports in a publicly available database, with only a limited exception if a law enforcement agency indicates that notice to the public would impede a criminal investigation or harm national security.

Listen to this post

Copyright © 2024, Sheppard Mullin Richter & Hampton LLP.

Current Legal Analysis

More from Sheppard, Mullin, Richter & Hampton LLP

FDA Gets Technical on HCT/P Rules in Warning Letter to Human Tissue Company
by: Dominick DiSabatino , Cortney Inman
CFPB Opens Public Probe on Closing Fees
by: Mehul N. Madia , A.J. S. Dhaliwal
FHA’s Releases 12-Hour Cyber Incident Notification Rule
by: A.J. S. Dhaliwal , Mehul N. Madia
South Carolina Enacts Earned Wages Access Law
by: A.J. S. Dhaliwal , Mehul N. Madia
CFPB Pursues Enforcement Action Following HMDA Reporting Inaccuracies
by: A.J. S. Dhaliwal , Mehul N. Madia
Appellate Judge Proposes Possible Use of GenAI for Contract Interpretation – Recognizes That AI Hallucinates But Flesh-And-Blood Lawyers Do Too!
by: James G. Gatto
Update: California State Assembly Passes AB 3219 Requiring State Approval of Private Equity Healthcare Deals
by: Jordan E. Grushkin , Christina M. Nguyen
Navigating Revised Motions to Amend in Inter Partes Review as a Non-active, Joined Party
by: Luciano Alvarado
CFPB Report Targets Games and Virtual Worlds – What Blockchain Game and Metaverse Companies Need to Know
by: James G. Gatto , Maxwell Earp-Thomas
Mid-Year Recap: Think Beyond US State Laws!
by: Liisa M. Thomas

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins