The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.

The amendment to the Safeguards Rule was announced on October 27, 2023. The Federal Trade Commission requires non-banking institutions to report certain data breaches and other security events to the agency. Covered entities are to notify the FTC as soon as possible and no later than 30 days after the discovery of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information is acquired without the authorization of the individual to which the information pertains.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”