FTC Amends Safeguards Rule

Wednesday, November 8th, 2023

The Federal Trade Commission (FTC) announced on October 27th that it has expanded the scope of its financial data security rule, which will now require nonbank financial institutions – like vehicle dealers and mortgage brokers – to report data breaches. This new amendment to the FTC Safeguards Rule imposes similar reporting requirements to those already applicable to banks.

Specifically, the amendment will require nonbank financial institutions to report to the FTC any data breach affecting 500 or more consumers’ data. The rule gives financial institutions 30 days to report the breach, however the FTC encourages reporting as soon as possible. Importantly, the reporting requirement applies only to breaches of unencrypted data, underscoring the importance of implementing sound cybersecurity protocols like end-to-end encryption of data.

In his statement announcing the amended rules, Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, emphasized the importance of corporate transparency and rapid disclosure of incidents, even before the 30 day timeline when possible. The new requirements will take effect in approximately six months, according to the FTC.

This new reporting requirement places a significant new burden on affected financial institutions, as reporting an incident to the FTC will trigger an investigation into the company’s cybersecurity practices and compliance with the Safeguards Rule. Failure to report an incident will put the offending company into the far more precarious position of being the subject of not only an FTC investigation, but also an enforcement action accompanied by hefty fines and the potential for criminal penalties.

In light of the massive financial and reputational risk posed by increasingly active threat actors and the government’s corresponding regulation of corporate cybersecurity, it has never been more important for companies to develop and implement robust cybersecurity and data privacy policies. It is equally crucial to consult with experienced legal counsel for assistance developing these proactive policies and, when necessary, responding to cyber incidents.

If you have any questions about this update, please reach out to John Danyluk at danyluk@gentrylocke.com.