On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment to the Safeguards Rule that requires non-banking financial institutions (e.g., mortgage companies, mortgage brokers, and creditors) to notify the FTC when certain data breaches and other security events occur. The Safeguards Rule, promulgated by the FTC in 2002, has long required non-banking financial institutions to create, implement, and maintain a comprehensive security program to keep the information and data of their customers safe. Now, if one of these institutions suffers a security breach or “notification event,” defined as the unauthorized acquisition of unencrypted customer information involving at least 500 customers, the institution must notify the FTC within 30 days of discovering the breach or notification event.
Pursuant to the amendment, an unauthorized acquisition of customer information occurs when it is acquired without the authorization of the individual to whom the information pertains. Further, unauthorized access of information will be presumed to result in unauthorized acquisition unless the institution can show that the information was not, or could not reasonably have been, acquired without authorization. While the amendment does not apply to encrypted customer information, such information will be considered unencrypted if the encryption key is accessed by an unauthorized person.
The 30-day notification period starts on the first day that an employee, officer, or other agent of the financial institution learns of the notification event. The FTC has set clear requirements for what an institution’s notification to the FTC must contain. Specifically, the notice must include the following:
- The name and contact information of the reporting financial institution;
- A description of the types of information that were involved in the notification event;
- The date or date range of the notification event, if possible to determine;
- The number of consumers affected or potentially affected by the notification event;
- A general description of the notification event; and
- Whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede the investigation or cause damage to national security, and if so, a means for the FTC to contact the law enforcement official.
Although the amendment does not go into effect until 180 days after its publication in the Federal Register, all non-banking financial institutions under the FTC's jurisdiction should understand what the amendment requires of them and have adequate safeguards in place to limit the risk of security and data breaches. Moreover, covered institutions should ensure that customer information is properly encrypted and that encryption keys remain secure, since a breach of encrypted data is treated as a breach of unencrypted data once the key is exposed. Doing so will reduce the chances of litigation, costs, and penalties that will surely arise from failing to comply with the amendment, as is evident from actions the FTC has taken against institutions for violating the pre-amendment Safeguards Rule.
*Daniel J Glicker, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s New York office, contributed to the preparation of this post.