This summer, the Federal Trade Commission (“FTC”) will once again tighten the belt on entities that offer financial products and services when another round of amendments to the Gramm-Leach-Bliley Safeguards Rule goes into effect—this time, requiring covered entities to report data breaches to the FTC.

What is the Safeguards Rule?

The Safeguards Rule, which originally became effective in May 2003, long had a small bark and an even tinier bite.  The rule required covered entities to develop, implement, and maintain a comprehensive written information security program with “appropriate” safeguards.  With no private right of action and a breathtaking lack of specificity, this requirement was treated as little more than a suggestion by many covered entities.  

What’s Changed over Time?

However, this all began to change in 2019, when the FTC decided to modernize the Safeguards Rule by drawing inspiration from the New York Department of Financial Services’ Part 500 Cybersecurity Regulations (“Cybersecurity Regulations”).  The first round of amendments to the Rule went into effect in June 2023, and required a panoply of safeguards including encryption of customer data, multi-factor authentication, and penetration testing, to name a few. 

What do the New Amendments Require?

The newest amendments require GLBA financial institutions to report notify the FTC within 30 days when unencrypted customer information involving 500 or more consumers is acquired without authorization.  The requirement goes into effect on May 13, 2024.  Of course, for any financial services provider that suffers a data breach impacting more than 500 consumers, notification of the FTC will be just one of many requirements to add to the “to do” list. For more information regarding the amended Rule, visit https://www.federalregister.gov/documents/2023/11/13/2023-24412/standards-for-safeguarding-customer-information#footnote-14-p77500