October 2023 marks the 20th anniversary of the effective date of the Gramm-Leach-Bliley Safeguards Rule. Its purpose then – and its purpose now – is to protect consumers by requiring entities covered by the Rule to “develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The FTC just announced an amendment to the Rule that will require non-banking financial institutions within the FTC’s jurisdiction to report data breaches affecting 500 or more people.
Threats to the security of financial data have materialized and morphed in recent years. After considering public comments and hosting a national workshop, the FTC revised the Safeguards Rule in October 2021 to strengthen protections for consumers’ information maintained by non-banking financial institutions – for example, mortgage brokers and payday lenders. Also announced was a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The agency just approved an amendment that will require notification.
You’ll want to read the revised Rule for the specifics, but the focus is on “notification events” – defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” If a notification event “involves the information of at least 500 consumers,” the covered entity must contact the FTC “as soon as possible, and no later than 30 days after discovery of the event” using a form on the FTC’s website.
Here are some of the things the notice must include:
- the name and contact information of the financial institution;
- a description of the types of information involved;
- the date or date range of the notification event, if it’s possible to determine;
- the number of consumers affected; and
- a general description of the notification event.
The amendment to the Rule will take effect 180 days after it’s published in the 鶹ý Register. Looking for more information about Safeguards Rule compliance? The FTC has a special page with Gramm-Leach-Bliley Act resources.
why 500 and not 25 people affected?
Every business that collects, uses or receives financial information should use the various methods to protect the public!