FTC Amends Safeguards Rule to Require Reporting of Data Breaches

By Kim Phan & James Koenig on October 31, 2023

On October 27, the Federal Trade Commission (FTC) announced a final rule amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act. The Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The amendment will require financial institutions to notify the FTC no later than 30 days after discovery of a security breach involving the information of 500 or more consumers. The amendment will go into effect 180 days after publication of the final rule in the Federal Register.

Specifically, the amendment applies to “notification events,” which are defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” Notably, the FTC final rule requires notification where customer information has been acquired, rather than when misuse is considered likely, although the FTC agrees that notification should not be required when harm to consumers is rendered extremely unlikely because the customer information is encrypted. Although the FTC received public comments advocating for the inclusion of a “risk of harm” to consumers analysis, the FTC believes that determining whether acquisition has occurred simplifies the requirement and will enable financial institutions to more speedily determine whether a notification event has occurred.

If a notification event involves the information of 500 or more consumers, the covered entity must notify the FTC “as soon as possible, and no later than 30 days after discovery of the event” using a form on the FTC’s website. The FTC will deem a financial institution to have knowledge of a notification event if such event is known to any person, other than the person committing the breach, who is the financial institution’s employee, officer, or other agent.

The notice must include:

  • The name and contact information of the reporting financial institution;
  • A description of the types of information involved;
  • If possible, the date or date range of the notification event;
  • The number of consumers affected or potentially affected;
  • A general description of the notification event; and
  • If applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and the contact information for the law enforcement official.

This is a supplemental rulemaking to the Safeguards Rule updates previously finalized on December 9, 2021.

Four Quick Steps to Take Now:

  1. Incident Response Plan. Update your incident response plan in line with the requirements of the amendment and its 30-day period to notify the FTC.
  2. Service provider agreements and security assessment questionnaires. Update service provider contracts, statements of work, and security diligence assessment questionnaires to make sure service providers of financial institutions (including nonbanking financial institutions): (i) have developed, implemented, and maintained a comprehensive information security program around customers’ information; and (ii) are required to promptly notify their financial institution customers given that the 30-day notification clock starts when the triggering event is known not just by a company officer or employee, but also by an agent, including service providers.
  3. Update training to make sure the updated incident response plan, service provider contracting processes, and new amendment requirements are explained.
  4. Update or conduct cyber simulation tabletop exercises that include FTC notification questions and third-party service provider security incident scenarios, to give staff further exposure to, and practice with, the new amendment's requirements.

Troutman Pepper will continue to monitor important developments involving the FTC and the Safeguards Rule and will provide further updates as they become available. If you need assistance complying with the requirements of the new amendment, please reach out to the authors of this article or any member of our Privacy & Cyber or Consumer Financial Services groups.

Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and assessing breach response obligations following a breach.

James Koenig

Jim co-chairs the firm’s Privacy + Cyber Practice Group. For the past ten years, he has represented global clients in the financial services, energy, retail, pharmaceutical/health care, cable, telecommunications, car rental, airline, social media, technology, and manufacturing industries, including 35% of Fortune 100-listed companies.

  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    Consumer Financial Services Law Monitor
  • Organization:
    Troutman Pepper Locke