
December 12, 2023

FTC Amends Safeguards Rule to Require Reporting of Data Security Breaches to the FTC

On October 27, 2023, the Federal Trade Commission (FTC) amended its Safeguards Rule (16 CFR Part 314) to require entities engaged in financial activities to disclose to the FTC data breaches involving 500 or more customers within 30 days after the breach.

Background

The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, provides a framework for regulating data security and privacy practices for entities engaged in activities that are financial in nature or incidental to a financial activity. The act requires those entities to protect the security and confidentiality of their customers’ nonpublic personal information and provide their customers with information about the entities’ privacy practices and customer opt-out rights. Accordingly, the FTC promulgated the Safeguards Rule in 2002. The rule sets forth regulations that address, among other topics, the types of entities that are subject to the act and the administrative, technical, and physical safeguards that covered entities must implement with respect to customer information. Notably, the Safeguards Rule states that these “… entities include, but are not limited to, mortgage lenders, ‘pay day’ lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.”

While the Gramm-Leach-Bliley Act itself applies to all financial institutions, the Safeguards Rule applies only to those institutions falling under the purview of the FTC. Financial institutions that fall within the jurisdiction of separate regulators, such as the Securities and Exchange Commission and the Commodity Futures Trading Commission, are bound by separate regulations promulgated by those regulators under the act.

Deadline for Notification

This latest amendment to the Safeguards Rule introduces a new requirement for covered entities to notify the FTC of any “notification event” that involves the personal information of 500 or more customers as soon as possible and, in any event, no more than 30 days after such a breach becomes known to any employee, officer, or agent of a company holding personal customer information. The amended Safeguards Rule goes into effect on May 13, 2024. By that date, institutions must send their breach notices to the FTC using the online form located on the FTC’s website, https://www.ftc.gov.

Contents of Notification

The FTC has defined a notification event as the acquisition of unencrypted customer information without the authorization of the individual to whom the information pertains. Customer information is considered unencrypted if the encryption key was accessed by an unauthorized person.

Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless the covered entity has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

The notice to the FTC must include:

  • The name and contact information of the reporting entity
  • A description of the types of information that were involved in the notification event
  • If the information is possible to determine, the date or date range of the notification event
  • The number of consumers affected
  • A general description of the notification event
  • Whether any law enforcement official has provided the entity with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security and, if so, a means for the FTC to contact the law enforcement official

Business leaders and compliance professionals should be aware of the 30-day notice requirement and understand the types of incidents and data that are impacted by the amended Safeguards Rule. Companies should therefore review and update their written information security programs to avoid violating this new breach-notification regulation.

If you have any questions about the contents of this alert, please contact Renato Smith, co-chair of the Data Security & Technology Practice Area, at rsmith@barclaydamon.com; Rex McKeon, associate, at rmckeon@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area.
