Safeguards Rule – Data Breach Reporting Requirements.

AILA Members and Friends:

At the end of October, the Federal Trade Commission (FTC) made further amendments to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule that will require self-reporting in the event of certain data breaches. Read the official press release from the FTC here: FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches | Federal Trade Commission.

As we wrote on our blog and discussed at our annual convention, over the last few years, the FTC has amended, expanded and modernized the GLBA Safeguards Rule. The Safeguards Rule requires financial institutions to implement a written policy (called an information security program) designed to safeguard customer information. By now, all consumer finance companies should have reviewed and updated their policies in response to the revisions to the Rule.

Just last month, the FTC announced further changes to the Safeguards Rule. Under these new amendments, non-bank financial institutions must notify the FTC as soon as possible (and no later than 30 days) after discovery of a security breach involving the unencrypted information of at least 500 consumers. The Rule specifies which types of breach trigger the notice requirement and what the notice to the FTC must include. The new provisions will go into effect in about 6 months.

Data security is, and continues to be, one of the top priorities of the FTC (as well as the CFPB), so to protect your customers and your business, be sure your Safeguards Policy is up to date. Also, if you suffer a data breach, consult your compliance team and attorneys to determine whether any state or federal reporting requirements apply.

If you have any questions, let us know.

Samuel Friedman
