The Federal Trade Commission (FTC) has approved an amendment to the Safeguards Rule that would require nonbanking financial institutions to report any notification events to the agency. A notification event is defined as the unauthorized acquisition of unencrypted customer information involving at least 500 customers. The notice must be provided as soon as possible, and no later than 30 days after discovery. The notice must be made electronically on a form to be posted on the FTC's website. The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

The notice to the FTC must include the following information:

  • Name and contact information of the reporting financial institution.
  • A description of the types of information that were involved in the notification event.
  • If it is possible to determine, the date or date range of the notification event.
  • The number of consumers affected.
  • A general description of the notification event.
  • Whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security and, if applicable, a means for the FTC to contact that law enforcement official.

This is the second recent amendment to the Safeguards Rule. The prior amendment, issued on December 9, 2021, updated data security requirements for financial institutions, which are broadly defined as institutions significantly engaged in financial activities or significantly engaged in activities incidental to such financial activities. Business entities in many industries can fall under this definition, from lenders, account servicers and financial advisers to retailers, auto dealerships and institutions of higher education.

Notably, these updated data security requirements include, among other things, encryption of data in transit and at rest. Therefore, compliance with the Safeguards Rule security requirements should negate the need to report data breaches, assuming that any affected data is sufficiently encrypted that it cannot be decrypted. Note, however, that customer information is considered unencrypted if the encryption key was accessed by an unauthorized person.

If they have not already done so, financial institutions should work with their legal counsel and cybersecurity experts to ensure compliance with the Safeguards Rule and update their incident response plans to include this potential new reporting obligation.

For More Information

If you have any questions related to this Alert, please contact Michelle Hon Donovan, Jessica S. High, any of the attorneys in our Privacy and Data Protection Group, any of the attorneys in the Education Industry Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.