On October 27, 2023, the Federal Trade Commission (FTC) further tightened requirements to safeguard customers’ financial information in the hands of financial institutions with its release of a new amendment (Amendment) to the applicable Standard for Safeguarding Customer Information. The Amendment now requires financial institutions, including nonbanking financial institutions, to report data security breach incidents to the FTC. Here are key takeaways from the Amendment:

  • Financial institutions, which include nonbanking financial institutions such as mortgage brokers, payday lenders, and automobile dealers, must now notify the FTC immediately and not later than 30 days after discovery of any security breach involving the unauthorized acquisition of unencrypted information of at least 500 consumers.
  • Otherwise-encrypted information will be presumed unencrypted under the Amendment if the encryption key was accessed by an unauthorized person. This presumption is rebutted if the financial institution is able to adduce reliable evidence that there has not been or could not reasonably have been unauthorized acquisition of such information.
  • The breach notification must contain the name and contact information of the reporting financial institution, a description of the types of information that were involved, the date or date range of the breach, and the number of consumers affected or potentially affected, among other information.
  • The Amendment is effective 180 days from October 27, 2023, the date of its publication in the Federal Register.

Financial institutions, including nonbanking financial institutions, should review their data security policies and procedures and consult counsel with questions.