If your business is covered by the FTC’s Gramm-Leach-Bliley Safeguards Rule, an amendment to the Rule that requires covered companies to report certain data breaches and other security events to the FTC is now in effect – and we’ve made it easy for you to report.

Standards for Safeguarding Customer Information – friends call it the Safeguards Rule – reflects Congress’ intent that businesses “protect the security and confidentiality of those customers’ nonpublic personal information.” As part of its long-standing effort to review rules to ensure they’re keeping up with technology and the times, the FTC put the Safeguards Rule under the regulatory microscope. After substantial input from consumer groups, industry members, and others, the FTC announced certain updates that took effect on June 9, 2023. In October 2023, the FTC announced revised provisions related to reporting data breaches and security incidents, but gave businesses six months to get ready for the changes that took effect on Monday, May 13, 2024.

First things first. Who’s covered by the Safeguards Rule? The answer is “financial institutions” subject to the FTC’s jurisdiction. But if “financial institution” conjures up images of deposit slips, tellers, and ballpoint pens chained to marble tabletops, think again. The definition is broader than that and covers a wide variety of entities that may have consumers’ confidential financial information. The Rule specifies 13 different kinds of businesses – mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, and investment advisors that aren’t required to register with the SEC – but even that list isn’t exhaustive. FTC Safeguards Rule: What Your Business Needs to Know offers informal staff guidance to help you determine if the Rule applies to you. 

Now that the Safeguards Rule reporting requirement is in effect, what must businesses do? Reading the revised Rule should be the first step in your compliance efforts, but here’s a thumbnail sketch. The amendment requires financial institutions to notify the FTC as soon as possible – and no later than 30 days after discovery – of a security breach involving the information of at least 500 consumers. Here’s how the Rule defines an incident that triggers notification:

An acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

If that happens at your company, we want to make it as easy as possible for you to comply with the reporting requirements of the Safeguards Rule. You must use a new online form that explains in plain language the specific information you need to provide.

Of course, the Safeguards Rule already has provisions in place to help bolster security at your business. Read FTC Safeguards Rule: What Your Business Needs to Know for details. Also, remember that compliance with the Safeguards Rule isn’t a substitute for obligations under other state and federal laws.