The rule change comes amid increasing concerns about cyberthreats.
The updated rule applies to a wide range of nonbanking financial institutions.
Maintaining an information security program and ongoing compliance monitoring program is key.
The U.S. Federal Trade Commission (FTC) on Oct. 11 amended its Standards for Safeguarding Customer Information—known as the Safeguards Rule, for short—to require all nonbanking financial institutions to report data breach incidents within 30 days after discovery of a security breach involving the information of at least 500 consumers. The new notification requirement will go into effect May 13, 2024.
The purpose of the Safeguards Rule is to ensure that entities covered by the rule protect the security of customer information. The Safeguards Rule took effect in 2003, but the FTC amended it in 2021 to keep pace with current technology. While preserving the flexibility of the original Safeguards Rule, the revised rule provides more concrete guidance for businesses. It reflects core data security principles that all covered companies need to implement.
In the event of a breach, organizations are required to notify the FTC using its online portal and disclose details about the security incident, such as the following:
The agency has added a provision for a 60-day delay should a law enforcement official seek an extension in the public disclosure of a specific incident.
The FTC provides a guide for businesses on notifying the agency in the event of a data breach. Noncompliance with the rule could result in costly fines, litigation, criminal penalties and damage to the institution's reputation.
The updated rule applies to a wide range of entities, including, but not limited to, mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, nonfederally insured credit unions, and investment advisors that are not required to register with the Securities and Exchange Commission.
The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that aren’t subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act. The rule applies to all customer information in an institution’s possession, regardless of whether such information pertains to individuals with whom the institution has a customer relationship or the customers of other financial institutions that have provided such information to the institution in question.
The rule change comes in response to increasing concerns about the vulnerability of sensitive personal information to data breaches, identity theft and other cyberthreats. Data breaches at organizations entrusted with personally identifiable information continue to increase, and this reinforces the need for the FTC and businesses engaging in an activity that is financial in nature to work together to combat cybersecurity threats and strengthen the critical cybersecurity infrastructure. Ensuring the confidentiality, security and integrity of information depends on cooperation among the FTC, institutions and other entities, including consumer monitoring sources, contractors and third-party servicers.
Any breach of the security of consumer information displays a potential lack of administrative capability. As cyber events become more frequent, it is critical that organizations maintain an information security program and ongoing compliance monitoring program to comply with insurance requirements and to establish a defense in the event of legal proceedings.
The new rule requires institutions to implement comprehensive information security programs to protect consumers' personal and financial data from unauthorized access or misuse. Institutions will need to evaluate and update their existing policies, procedures and systems to align with the new requirements. This process may include updating their data security practices, conducting risk assessments and training employees on data security best practices.
The Safeguards Rule identifies nine program elements and eight safeguard controls that your company’s information security program must include.
Program elements
Safeguard controls
To support the implementation of the program requirements, institutions may employ consulting firms with experience in data security and regulatory compliance. Consulting firms can provide customized guidance and support to help institutions develop and implement comprehensive information security programs that align with the new Safeguards Rule.