FTC Announces New Safeguards Rule Provision: Is Your Company Up on What’s Required?

by Lesley Fair


October 2023 marks the 20th anniversary of the effective date of the Gramm-Leach-Bliley Safeguards Rule. Its purpose then – and its purpose now – is to protect consumers by requiring entities covered by the Rule to “develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The FTC just announced an amendment to the Rule that will require non-banking financial institutions within the FTC’s jurisdiction to report data breaches affecting 500 or more people.

Threats to the security of financial data have materialized and morphed in recent years. After considering public comments and hosting a national workshop, the FTC revised the Safeguards Rule in October 2021 to strengthen protections for consumers’ information maintained by non-banking financial institutions – for example, mortgage brokers and payday lenders. Also announced was a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The agency just approved an amendment that will require notification.

You’ll want to read the revised Rule for the specifics, but the focus is on “notification events” – defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” If a notification event “involves the information of at least 500 consumers,” the covered entity must contact the FTC “as soon as possible, and no later than 30 days after discovery of the event” using a form on the FTC’s website. 

Here are some of the things the notice must include:

  1. The name and contact information of the financial institution;
  2. A description of the types of information involved;
  3. The date or date range of the notification event, if it’s possible to determine;
  4. The number of consumers affected; and
  5. A general description of the notification event.

The amendment to the Rule will take effect 180 days after it’s published in the Federal Register. Looking for more information about Safeguards Rule compliance? The FTC has a special page with Gramm-Leach-Bliley Act resources.

Lesley Fair is a Senior Attorney at the Federal Trade Commission and a Lecturer at the law schools of George Washington University and Catholic University of America. This post first appeared on the Federal Trade Commission’s Business Blog.  

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness or validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s), and any liability with regard to infringement of intellectual property rights remains with the author(s).