Skip to main content

October 2023 marks the 20th anniversary of the effective date of the Gramm-Leach-Bliley Safeguards Rule. Its purpose then – and its purpose now – is to protect consumers by requiring entities covered by the Rule to “develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The FTC just announced an amendment to the Rule that will require non-banking financial institutions within the FTC’s jurisdiction to report data breaches affecting 500 or more people.

Threats to the security of financial data have materialized and morphed in recent years. After considering public comments and hosting a national workshop, the FTC revised the Safeguards Rule in October 2021 to strengthen protections for consumers’ information maintained by non-banking financial institutions – for example, mortgage brokers and payday lenders. Also announced was a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the FTC. The agency just approved an amendment that will require notification.

You’ll want to read the revised Rule for the specifics, but the focus is on “notification events” – defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” If a notification event “involves the information of at least 500 consumers,” the covered entity must contact the FTC “as soon as possible, and no later than 30 days after discovery of the event” using a form on the FTC’s website. 

Here are some of the things the notice must include:

  1. the name and contact information of the financial institution;
  2. a description of the types of information involved;
  3. the date or date range of the notification event, if it’s possible to determine;
  4. the number of consumers affected; and
  5. a general description of the notification event.

The amendment to the Rule will take effect 180 days after it’s published in the Federal Register. Looking for more information about Safeguards Rule compliance? The FTC has a special page with Gramm-Leach-Bliley Act resources.

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Dave Mohn
October 27, 2023

why 500 and not 25 people affected?
Every business that collects, uses or receives financial information should use the various methods to protect the public!

Get Business Blog updates