On October 27, 2023, the US Federal Trade Commission (FTC) approved an amendment to the Safeguards Rule, which applies to “non-banking financial institutions” regulated by the FTC. Financial institutions subject to the FTC Safeguards Rule do not include financial institutions that are subject to the enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, such as insurance companies subject to the state insurance laws or broker-dealers or investment companies registered with the SEC. The FTC Safeguards Rule, which took effect in 2003, established standards for non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop and implement comprehensive security programs to protect customers’ information. The amendment will require non-banking financial institutions to report a “notification event” to the FTC if it involves the unauthorized acquisition of unencrypted customer information that affects 500 or more customers. The amended rule requires notification to occur as soon as possible and no later than 30 days after a notification event is discovered. The notice must also contain certain information, including the types of information exposed, the date or date range of the breach, and the number of customers affected or potentially affected. The FTC will publish this information in a publicly available database.
The notification requirement will be effective 180 days after the amendment is published in the Federal Register.