Safeguards Rule Breach Notification Requirements Updated for Non-Banking Financial Institutions

The Federal Trade Commission (FTC) has given the green light to changes to the GLBA Safeguards Rule Breach Notification requirement. The approved amendment requires non-banking institutions to report certain data breaches to the FTC.

The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, auto dealers, and payday lenders, to have an information security program in place that protects consumer data. This amendment to the Safeguards Rule requires these institutions to notify the FTC of a security breach involving the information of at least 500 consumers within thirty days of its discovery. An event requires notification if unencrypted customer information has been acquired without the authorization of the individuals whose data was compromised. The notice to the FTC must include:

  1. The name and contact information of the reporting financial institution
  2. A description of the types of information that were involved in the notification event
  3. If the information is possible to determine, the date or date range of the notification event
  4. The number of consumers affected
  5. A general description of the notification event
  6. Whether any law enforcement official has provided you with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official. A law enforcement official may request an initial delay of up to thirty days following the date when notice was provided to the Federal Trade Commission. The delay may be extended for an additional period of up to sixty days if the law enforcement official seeks such an extension in writing. Additional delay may be permitted only if the Commission staff determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.

The notice must be provided electronically through a form to be located on the FTC’s website,

The new breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register. Publication has been approved by the Commission.

At CompliancePoint, we have a team of experienced professionals who can help your organization develop and implement a security program that complies with the Safeguards Rule and all elements of the GLBA. Contact us at to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.