The Gramm‑Leach‑Bliley Act (GLBA) requires financial institutions to protect customer information. The FTC Safeguards Rule, updated in 2021 and amended again in 2023, strengthens these protections and introduces a federal incident‑reporting requirement for certain data breaches.
These requirements apply to non‑bank financial institutions regulated by the FTC, such as:
- Mortgage brokers and lenders
- Payday lenders
- Auto dealers
- Check‑cashing businesses
- Collection agencies
- Fintech companies
- Tax preparers
- Investment and financial advisory firms not regulated by the SEC or banking regulators
⭐ When Reporting Is Required
A covered financial institution must notify the FTC when it experiences a “notification event” involving unencrypted customer information of 500 or more consumers.
A notification event occurs when:
- Unauthorized acquisition of customer information is reasonably likely, or
- Unauthorized access to customer information has occurred, and
- The information is not encrypted, or the encryption key was also compromised.
This is broader than many state breach laws because it focuses on likelihood of acquisition, not just confirmed exfiltration.
📅 Reporting Timeline
Notification must be made to the FTC within 30 days
The 30‑day clock begins when the institution discovers the event, not when the investigation is complete.
Discovery occurs when:
- Any employee, officer, or agent knows or should reasonably know that a breach may have occurred.
📄 What Must Be Reported
The FTC requires a detailed incident report including:
- Name and contact information of the institution
- Description of the incident, including how it occurred
- Date range of the event
- Number of consumers affected
- Types of information involved (e.g., SSNs, account numbers, tax data)
- Whether law enforcement has been notified
- Whether the event is ongoing
- Remediation steps taken or planned
The FTC posts certain breach notifications on a public website, increasing reputational stakes.
🔐 What Counts as “Customer Information”?
Under the Safeguards Rule, customer information includes:
- Any nonpublic personal information (NPI)
- Information a financial institution collects about a consumer in connection with providing a financial product or service
Examples:
- Social Security numbers
- Account numbers
- Income and credit information
- Tax return data
- Driver’s license numbers
- Financial transaction histories
If this information is unencrypted and accessed without authorization, reporting is likely required.
🧩 Relationship to Other Laws
The FTC Safeguards Rule reporting requirement is in addition to:
- State data breach notification laws
- Sector‑specific federal rules (e.g., HIPAA, SEC, CFTC)
- Contractual reporting obligations (e.g., with banks or service providers)
Institutions must comply with all applicable timelines, which may differ significantly.
⚠️ Consequences of Non‑Compliance
The FTC can impose:
- Civil penalties
- Consent orders
- Mandatory remediation
- Long‑term monitoring and reporting obligations
Because the FTC publishes breach notifications, non‑compliance also carries significant reputational risk.