Published in the Daily Journal
By David C. Shonka and Daniel B. Garrie
In October 2023, the Federal Trade Commission (FTC) approved a significant amendment to the Safeguards Rule, enhancing the obligation of non-banking financial institutions to report certain data breaches and other security events to the agency. This amendment, which will take effect on May 13, 2024, represents a pivotal shift in the regulatory landscape for these institutions, fundamentally altering their responsibilities in the face of cybersecurity incidents. Companies subject to the Rule should take no comfort from the FTC’s statements that the required notifications include only a “limited set of information” that is “minimal.” Given the Agency’s interest in consumer privacy and its related concerns about Generative AI and, more fundamentally, about algorithmic decision-making, entities should not doubt where the Commission is going when it also states that the new notifications “will enable [it] to identify breaches that merit investigation more quickly and efficiently.” Indeed, the Commission acknowledges that the required “reports are unlikely to contain all the information the Commission would need to determine” whether enforcement action is warranted because “such determinations are typically made following investigations that afford entities the opportunity to provide context and information.” It is therefore critical that companies reevaluate their data breach reporting processes in the context of their broader cybersecurity programs to ensure they are prepared to meet their expanded risks and obligations under the Amended Rule.
Overview of the Amendment
The FTC's amendment specifically targets non-bank financial institutions subject to its jurisdiction under the Gramm-Leach-Bliley Act (GLBA). The entities covered include a broad range of institutions, such as non-bank mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, debt collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and investment advisors not registered with the Securities and Exchange Commission, among others.