In the News: HR.com Features Donna Maddux and Amir Goodarzi Article on FTC Safeguards Rule Update

Media Mention
HR.com

Constangy Cyber attorneys Donna Maddux and Amir Goodarzi co-authored an article published in the December 2023 issue of HR.com’s Legal and Compliance Excellence detailing an amendment to the Federal Trade Commission’s (FTC) Safeguards Rule, which will change how and when entities must report a consumer data breach.

The FTC approved an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act to enhance the reporting requirements for non-banking financial entities. Under the amendment, entities must report to the FTC within 30 days of having a “notification event” where 500 or more customers’ data is exposed in a cyber incident or distributed in a manner not authorized by the customer. 

Breaking down the amendment, Maddux and Goodarzi explained that non-banking financial entities are those that engage in any activity that is financial or even incidental to financial activities. That broad definition means affected businesses could include everything from the leasing office of a car dealership to travel agencies and property appraisers. These entities “should update their customer data disclosure policies to clarify which disclosures are authorized by the customer...” and “…also review their incident response policies to ensure that procedures are in place for compliance with this rule, when necessary,” suggested Maddux and Goodarzi.

Maddux and Goodarzi noted several important elements of the amendment to keep in mind:

  • When the clock starts – The new rule starts the 30-day clock when a notification event becomes known by an employee, officer, or other agent of the covered entity.
  • Type of information covered – The amendment involves the breach of customer information, defined as “any record containing nonpublic personal information about a customer, in any form, that is handled or maintained by or on behalf of the covered entity or its affiliates.”
  • Who is a customer – The customer must have a continuous relationship with the covered entity, defined as the covered entity providing one or more financial products or services to the customer.
  • Notification events that trigger FTC reporting requirements – A notification event could mean a data breach in the traditional sense of cyber theft or simply the sharing of customer data in a manner the customer didn’t authorize.
  • The FTC notification process – Affected businesses notify the FTC within 30 days after the notification event and complete a form providing information about the incident and their response.

These new rules, which are slated to go into effect in May 2024, are significant for a wide range of non-banking financial services entities. These organizations should update their customer data disclosure policies and incident response plans to remain compliant.

