On October 27, 2023, the Federal Trade Commission (FTC) adopted a significant amendment to its Safeguards Rule. The amendment requires non-banking financial institutions to notify the FTC within 30 days of discovering a data breach that affects the nonpublic personal information of at least 500 consumers. Further detail on this development can be found in an article by the law firm Polsinelli, published on JD Supra.
The FTC, a government agency tasked with consumer protection and prevention of anticompetitive business practices, provides robust guidelines for financial institutions under the Safeguards Rule. This amendment marks a significant development in regulatory policy aimed at enhancing consumer data protection.
Under the new amendment, non-banking financial institutions that experience a data breach involving nonpublic personal information must notify the FTC within thirty days. This notification requirement applies if the breach impacts at least 500 consumers. Nonpublic personal information can include sensitive data such as Social Security numbers, credit and income history, and other personally identifiable information that isn’t publicly accessible.
The adoption of this amendment amplifies the role of corporate legal teams and data protection officers, who must ensure that, in the event of a data breach, the necessary notifications are made within the stipulated timeline to avoid regulatory penalties.
As data breaches continue to increase in frequency and impact globally, this move is an important step in federal efforts to ensure personal information security and institutional accountability.