Categories: Cybersecurity

On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment to the Safeguards Rule that requires non-banking financial institutions (e.g., mortgage companies, mortgage brokers, and creditors) to notify the FTC when certain data breaches and other security events occur.  The Safeguards Rule, promulgated by the FTC in 2002, has long required non-banking financial institutions to create, implement, and maintain a comprehensive security program to keep the information and data of its customers safe.  Now, if one of these institutions suffers a security breach or notification event – defined as the unauthorized acquisition of unencrypted customer information involving at least 500 customers, the institution must notify the FTC within 30 days of discovering the breach or notification event.

Pursuant to the amendment, an unauthorized acquisition of customer information occurs when it is acquired without the authorization of the individual to whom the information pertains. Further, unauthorized access of information will be presumed to result in unauthorized acquisition unless the institution can show that the information was not, or could not reasonably have been, acquired without authorization.  While the amendment does not apply to encrypted customer information, such information will be considered unencrypted if the encryption key is accessed by an unauthorized person.

The 30-day notification period starts on the first day that an employee, officer, of other agent of the financial institution learns of the notification event. The FTC has set clear requirements for what an institution’s notification to the FTC must contain.  Specifically, the notice must include the following:

  1. The name and contact information of the reporting financial institution;
  2. A description of the types of information that were involved in the notification event;
  3. The date or date range of the notification event, if possible to determine;
  4. The number of consumers affected or potentially affected by the notification event;
  5. A general description of the notification event; and
  6. Whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede the investigation or cause damage to national security, and if so, a means for the FTC to contact the law enforcement official.

Moving forward…

Although the amendment does not go into effect until 180 days after its publication in the federal register, all non-banking financial institutions under the FTC's jurisdiction must be sure to understand what the amendment requires of them and have adequate safeguards in place to limit the risk of security and data breaches.  Moreover, covered institutions should ensure that customer information is properly encrypted and that encryption keys remain secure. Doing so will reduce the chances of litigation, costs, and penalties that will surely arise from failing to comply with the amendment, as is evident from actions the FTC has taken against institutions for violating the pre-amendment Safeguards Rule.

*Daniel J Glicker, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s New York office, contributed to the preparation of this post.

Back to Commercial Litigation Update Blog

Search This Blog

Blog Editors

Related Services



Jump to Page


Sign up to receive an email notification when new Commercial Litigation Update posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.