The Federal Trade Commission (FTC) recently approved an amendment to its Safeguards Rule to introduce the data security breach reporting requirement for all covered entities, including non-banking financial institutions. Specifically, this requirement applies when a non-banking financial institution discovers that information affecting 500 or more people has been exposed without authorization. Many companies store sensitive personal information about customers or employees. The FTC has long acknowledged that such companies need a sound security plan to protect this information. In July 2023, the FTC released guidance on protecting consumer biometric information and how breaches of biometric information can violate the Federal Trade Commission Act (FTC Act).

Overview of the FTC’s Safeguards Rule

The FTC’s Safeguards Rule is based on the Gramm-Leach-Bliley Act (the Act). This Act required financial institutions (companies that offer consumers financial products or services) to explain their information-sharing practices to customers and safeguard sensitive data. The Safeguards Rule built on the Act to require financial institutions under FTC jurisdiction to implement measures to keep customer information secure. Additionally, covered institutions must take steps to ensure that their affiliates and service providers similarly protect sensitive customer information in their care. Security program requirements under the Safeguards Rule include:

  • Designating a qualified individual who reports to the Board of Directors to implement and supervise the security program;
  • Conducting a risk assessment;
  • Designing and implementing safeguards to control risks;
  • Monitoring and testing safeguard effectiveness;
  • Training staff;
  • Monitoring service providers;
  • Keeping the security program current; and
  • Creating a written incident response plan.

Amendments to the Safeguards Rule

The recent amendments to the Safeguards Rule require non-banking institutions to report specific data breaches and other security events to the FTC. Specifically, financial institutions must report security breaches that involve information affecting at least 500 customers. A qualifying security breach requires notification if unencrypted customer information has been acquired without the authorization of the affected individual. Furthermore, the report must include specific information about the event, including the number of affected or potentially affected consumers. Institutions must make these reports as soon as possible and no later than 30 days after discovery. Covered non-banking financial institutions include, but are not limited to: mortgage brokers, motor vehicle dealers, and payday lenders.

The Safeguards Rule’s breach notification requirement is effective 180 days after the FTC publishes the amendment in the Federal Register. Currently, the FTC voted 3-0 to publish the notice amending the Safeguards Rule.

Employer Takeaways

Virtually all companies often need to collect certain protected information from consumers or employees. However, collecting such information carries a risk of it falling into the wrong hands. In that scenario, the employee and the consumer lose control over who uses their information and for what purpose. For this reason, employers and owners must protect against cybersecurity threats to ensure the security and privacy of that information. Overall, an effective security plan should require a company to collect only the information they need, keep the information safe, and dispose of it securely. Such a plan helps employers meet their legal obligations to protect employee and consumer sensitive data.