Want to share this?

The Standards for Safeguarding Consumer Information (“Safeguards Rule”) requires financial institutions subject to Federal Trade Commission (FTC) jurisdiction under the Gramm-Leach-Bliley Act (“GLBA”) to develop, implement, and maintain a comprehensive security program to keep customers’ nonpublic personal information secure. On October 27, 2023, the FTC announced it had approved amendments to the Safeguards Rule, including a requirement for non-banking financial institutions to report certain security events to the FTC. The amended rule went into effect on May 13th, 2024.

This summary is not intended as legal guidance. To learn more about the FTC Safeguards Rule, download our guide and check out Navigating the FTC’s Updated Data Breach Reporting Requirements, our session on the subject with The Privacy & Compliance Collective.

Watch On-Demand: Navigating the FTC’s Updated Data Breach Reporting Requirements

Watch Now

Who Is Subject to the FTC Safeguards Rule?

The Safeguards Rule applies to the handling of customer information by all financial institutions over which the FTC has jurisdiction, including, but not limited to:

  • Mortgage lenders and brokers
  • Account servicers
  • Finance companies
  • Check cashers
  • Collection agencies
  • Credit counselors and financial advisors

Event Notification Triggers

The amended rule requires notification to the FTC as soon as possible, and no later than 30 days after discovery of a “notification event” that involves 500 or more consumers. The Safeguards Rule does not require notification to affected individuals.

Under the Safeguards Rule, a notification event means: 

“…acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”

Definition of Personal Information

Under the Safeguards Rule, a notification event involves the unauthorized acquisition of unencrypted customer information. “Customer information” is defined as records containing ‘non-public personal information” about a customer. “Non-public personal information” is, in turn, defined as “personally identifiable financial information,” which excludes information that is publicly available or does not identify the consumer.

Unlike typical state breach notification laws, the Safeguards Rule does not clearly delineate specific data elements that qualify as personally identifiable financial information, such as name, Social Security number, bank account number, etc.

Under the Safeguards Rule, personally identifiable financial information means any information:

  • A consumer provides to you to obtain a financial product or service from you;
  • About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
  • You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
    • Examples of personally identifiable financial information include:
      • Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
      • Account balance information, payment history, overdraft history, and credit or debit card purchase information;
      • The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
      • Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
      • Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a credit account;
      • Any information you collect through an internet “cookie” (an information collecting device from a web server); and
      • Information from a consumer report.

Personally identifiable financial information does not include:

  • A list of names and addresses of customers of an entity that is not a financial institution; and
  • Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.

The FTC Safeguards Rule in Radar® Privacy Data Sheet

Read Now

Notification Requirements

Upon discovery of a notification event, if the notification event involves the information of at least 500 consumers, notify the FTC as soon as possible, and no later than 30 days after discovery of the event. The notice must include the following information:

  • The name and contact information of the reporting financial institution;
  • A description of the types of information that were involved in the notification event;
  • If the information is possible to determine, the date or date range of the notification event;
  • The number of consumers affected or potentially affected by the notification event;
  • A general description of the notification event; and
  • Whether any law enforcement official has provided you with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official. 

GLBA vs. Safeguards Rule

While the Safeguards Rule is a part of the Gramm-Leach-Bliley Act (GLBA), is it still possible for a single organization to be subject to both the GLBA and the Safeguard Rule’s reporting requirements?

GLBA consists of three sections: The Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting or accessing private information using false pretenses.

According to Sam Castic, Privacy Leader & Partner, Hintze Law, yes. Depending on how a company is structured, an organization with multiple lines of business may be subject to different regulations including the Safeguard Rule and the GLBA, as well as any applicable state or global laws and regulations.

The Safeguards Rule is in many ways additive, not a substitute for the GLBA. A company’s notification obligation will depend on what the scope of the incident is, what data is touched, the company’s structure, and what lines of business are affected.

What’s most important is that your organization isn’t attempting to learn who you need to talk to when you’re already in trouble. Having a clearly defined playbook with defined processes and procedures can help build transparent relationships with regulators and prevent costly fines from noncompliance.

Watch Now: Navigating the FTC’s Updated Data Breach Reporting Requirements