The Safeguards Rule was designed to ensure that non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, establish and maintain robust security programs to protect customer information. In 2021, the FTC initiated a process to amend the Safeguards Rule, soliciting public comments on a proposed supplemental amendment requiring non-bank financial institutions to report data breaches and security events to the FTC. The recent announcement represents the final version of this proposal (the “Amendment”).
Under the Amendment, non-bank financial institutions are now required to notify the FTC as soon as possible (and in any event not later than thirty days) following the discovery of a "notification event" that involves the personal information of at least 500 individuals. A "notification event" is defined as the unauthorized acquisition of unencrypted customer information. The term "customer information" encompasses any record containing nonpublic personal information about a customer of a non-bank financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the non-bank financial institution or its affiliates. Unauthorized acquisition is presumed to have occurred whenever there is unauthorized access to unencrypted customer information, unless sufficient evidence proves otherwise.
1) the name and contact information of the reporting non-bank financial institution;
2) a description of the types of information involved in the notification event;
3) if possible, the date or date range of the notification event;
4) the number of consumers affected; and
5) a general description of the notification event.
The Amendment will take effect 180 days after being published in the Federal Register.
One point that could have significant practical impact is that the sharing of any unencrypted data absent consumer authorization could, under the Amendment, constitute a “notification event” giving rise to a breach requiring notification to the FTC. Non-bank financial institutions may now need to secure consumer consent before sharing this information with third parties and partners, which could have a notable influence on consent prerequisites for financial entities regarding data sharing.