Skip to content

Compliance

Compliance Corner: Updates to FTC's Safeguards Rule

← All articles
Filed under Compliance
The FTC has now updated its Safeguards Rule to add breach notification requirements. It plans to host a new public database of instances in which consumers' nonpublic information has been subjected to unauthorized access.

Effective May 13, 2024

Key features

Financial institutions subject to the FTC's jurisdiction, which include mortgage lenders, payday lenders, collection agencies, check cashiers, credit counselors, and more - and all of their service providers may want to familiarize members of their workforce with processes they have in place to detect, report, investigate and resolve data security issues.

Some key features in the new FTC Safeguards Rule's breach notification provisions include these:

1. Report data breaches/unauthorized acquisitions affecting 500 or more consumers to the FTC via an electronic form located at its website www.ftc.gov¹

2. Breach notices must explain types of information involved in the "notification event," date or date range of event, number of consumers affected, and whether law enforcement is involved and has provided a determination that notifying the public of the breach may have an impact on or impede a criminal investigation or cause damage to national security

3. Notification of a breach must occur "as soon as possible, but no later than 30 days after discovery of the event," and

4. "Notification events" go beyond traditional data security breaches and include the unauthorized acquisition of unencrypted customer information.

5. The Safeguards Rule's notification requirements do not pre-empt notifications that may also be required under state or other laws.²

Let's get practical

If this new breach notification requirement in the FTC's Safeguards Rule prompts you to review your own internal security incident compliance programs, you may want to keep in mind some of these unique features of the Safeguards Rule's new notice requirements:

  • The FTC's new rule has a modernized description of personally identifiable non-public financial information a consumer provides. It includes, for example, information the financial institution collects through an internet "cookie" - which the FTC describes as "an information collecting device from a web server."³
  • Consistent with the FTC's enforcement actions under its Health Breach Notification Rule, the FTC has also taken a broad-ranging view of what data security events must be reported to the FTC (and the public). In addition to traditional data breaches, the FTC now expects entities to report unauthorized acquisitions of 500 or more consumer's information to be "notification events."
  • The Safeguards Rule now explains that a "notification event" is the "acquisition of ... [unencrypted customer] information without the authorization of the individual to which the information pertains." The Rule goes further to include a rebuttable presumption that customer information will be considered "unencrypted" "if the encryption key was accessed by an unauthorized person ... unless you have reliable evidence showing that there has not been, or could not reasonably have been unauthorized acquisition of such information."⁴
  • Clarity on what triggers a "notification event." The FTC explains it considers an event to be "discovered as of the first day on which such event is known." This means that a financial institution is deemed to know of a notification event "if the event is known to any person, other than the person committing the breach, who is the financial institution's employee, officer, or other agent."⁵

    1. For health breaches the FTC had entities report electronically by sending an email within sixty (60) days of discovering a health breach to the FTC's electronic filings office with subject line "HBN - Request to Submit Document" to which the FTC replied with instructions for secure electronic submission of encrypted documents. See, www.ftc.gov/healthbreach. For this rule, see, 88 Federal Register 77508, published November 13, 2023.
    2. See, fn 1. The preamble to final rule which explains that this new notification requirement is not duplicative of state breach notification laws and instead is "designed to ensure that the Commission receives notice of security breaches affecting financial institutions under the Commission's jurisdiction."
    3. See, 16 CFR Section 314.2(n)(2)(F)
    4. See, 16 CFR Section 314.2(m)
    5. See, 16 CFR Section 314.2(j)
visit our data security and cyber readiness guide to read more about cyber compliance from Leslie Bender

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

15 Licensing Application Process Facts That Delay Approvals

Compliance

15 Licensing Application Process Facts That Delay Approvals

Most licensing delays come from small misses. A payment method that does not work, a stale certificate, the wrong signature, a missing ownership detail. These are the things that slow down filings, trigger deficiencies, and force teams to redo work they thought was finished. We pulled these from the webinar because they came up naturally [...]

California Delete Act: DROP Deadline and Data Broker Rules

Compliance

California Delete Act: DROP Deadline and Data Broker Rules

Property managers in Maryland are running into a question that is getting more attention and creating real operational risk. Does collecting rent, especially when a tenant is past due, trigger Maryland's collection agency licensing requirements?

The Changing Compliance Landscape for Consumer Lenders

Compliance

The Changing Compliance Landscape for Consumer Lenders

Explore evolving compliance rules for consumer lenders, CFPB updates, and strategies to stay compliant in 2025 and beyond.

Debt Collection & Buying

Compliance Corner: What Regulators May Expect You To Know About the AI Tools You're Using in Your Collection Agency

AI keeps reshaping financial services, and collection agencies are adding AI tools to streamline operations, strengthen compliance, and improve consumer engagement. With that innovation comes responsibility and a growing need for clarity on legal, ethical, and regulatory questions. Emerging technology like AI is top of mind for state financial services regulators, who increasingly ask how licensees use these tools.

Connecticut to License US Locations Only

Licensing

Connecticut to License US Locations Only

Update regarding new law: Connecticut to take a NO ACTION POSITION for Qualified Collection Agencies Earlier in August we reported that Connecticut had signed into law an Act that, among other things, stated that the Connecticut Department of Banking would no longer issue consumer collection agency licenses to an office outside of the United States [...]

Consistency and Timeliness are Key

Licensing

Consistency and Timeliness are Key

Consistency & Timeliness are Key How accurate is your current licensing information? Licensees must report accurate and current information when filing registrations and licenses. To ensure accurate information, several states require their licenses to be filed through the Nationwide Multi-state Licensing System (NMLS). Within NMLS, company information is gathered based on the requirements of each jurisdiction. Individual information for owners, officers, directors and managers/qualified individ

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.