On October 27, the Federal Trade Commission (“FTC”) unanimously voted to amend the Safeguards Rule to require non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to report data breaches and security events to the Agency. This amendment will become effective 180 days after its publication in the Federal Register.

Under the amended rule, financial institutions subject to the authority of the FTC will be required to notify the Agency as soon as possible, and no later than 30 days after discovery of a “Notification Event” impacting 500 or more consumers.  A Notification Event is defined as any acquisition of unencrypted customer information without the authorization of the data subject.  Information is presumed unencrypted if the relevant encryption key was accessed by an unauthorized person.

Importantly, there will be a presumption of unauthorized access unless there is “reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition.” This presumption is likely to expand the number of security incidents that qualify as Notification Events, and it cuts directly against the ‘risk of harm’ exemption present in many state data breach notification laws.

Notice to the Agency will be provided through the FTC’s website.  After review by the Agency, notices will be made publicly available through an online database.  Notice to the FTC must include:

  • The name and contact information of the reporting entity;
  • A description of the types of information impacted;
  • The date or range of the event, if possible to determine;
  • The number of consumers impacted;
  • A general description of the event; and
  • Whether any law enforcement has requested a delay of public notification.

We will continue to monitor this amendment as it develops. To learn more, see the FTC’s announcement and the final rule.