
InfoBytes Blog

Financial Services Law Insights and Observations

FTC approves amendment to Safeguards Rule requiring nonbanks to report data breaches

Privacy, Cyber Risk & Data Security Federal Issues Data Breach FTC Safeguards Rule Nonbank Supervision


On October 27, the FTC approved an amendment to the Safeguards Rule to require nonbanks to report data breaches. Under the amended rule, financial institutions, including mortgage brokers, motor vehicle dealers, and payday lenders, will be required to notify the FTC of data breaches as soon as possible, and no later than 30 days after the discovery of an incident involving at least 500 consumers. Notice of an incident is required if unencrypted consumer information was acquired without the consumers' authorization, as the FTC noted that encrypted consumer information is unlikely to cause consumer harm. The FTC will provide an online form that will be used to report certain information, including the type of information involved in the security event and the number of consumers affected or potentially affected. Additionally, the amended rule will require nonbanks “to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.” As previously covered by InfoBytes, the FTC recently extended the compliance deadline for some Safeguards provisions finalized in October 2021 to June of this year.

The commission voted 3-0 to publish the amendment, which will become effective 180 days after its publication in the Federal Register.