Skip to Content

FTC Updates Financial Institution Safeguards Rule

on Thursday, 18 November 2021 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On October 27, the Federal Trade Commission (“FTC”) announced it was updating the data security safeguards rules that banks are required to implement in order to protect customer information as part of Gramm-Leach Bliley Act (the “Safeguards Rule”). The FTC’s update follows a string of data breaches in recent years and is intended to detail additional common-sense steps financial institutions must implement to protect consumer data from cyberattacks.

Notably, the FTC’s update is primarily targeted toward nonbanking financial institutions, such as payday lenders, mortgage brokers, and motor vehicle dealers, and such entities are required under the update to develop, implement, and maintain a comprehensive security system to keep their customers’ information safe in accordance with the Safeguards Rule.

In addition to the Safeguards Rule updates, the FTC also released a notice of proposed rulemaking seeking comment on additional changes that could be made to the Safeguards Rule, in order to require financial institutions to report certain data breaches and other events to the FTC. As proposed, financial institutions experiencing a security event in which the misuse of customer information has occurred or is reasonably likely (and where at least 1,000 consumers have been affected or reasonably may be affected) would be required to report that event to the FTC as soon as possible but, in any event, no later than 30 days after discovery of the event. The report provided by the financial institution would need to include the following information:

  • The name and contact information of the reporting financial institution;
  • A description of the types of information that were involved in the security event;
  • If possible to determine, the date and date range of the security event; and
  • A general description of the security event.

Once published in the Federal Register, the notice of proposed rulemaking will have a sixty (60) day comment period.

The FTC’s statement announcing the updated Safeguards Rule is available here.  

A copy of the notice of proposed rulemaking is available here.


1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500