FTC amends Safeguards Rule

Non-banking financial institutions must now report data security breaches

Published on


The Federal Trade Commission (the “FTC”) has just approved an amendment to the Safeguards Rule of the Gramm-Leach-Bliley Act (“GLBA”) pertaining to reporting obligations for motor vehicle dealers for certain data breaches and other security events to the FTC. Previously, the GLBA’s Safeguards rule only required that non-banking financial institutions, subject to the FTC’s jurisdiction, develop a written information security plan describing how the financial institution protects the confidentiality, integrity, and availability of consumer information. An entity is a “financial institution” if it is engaged in an activity that is “financial in nature” or is “incidental to such financial activities.” With this definition, the FTC made very clear that it intended “financial institution” to be defined broader than how most people use that phrase in conversation and motor vehicle dealers clearly fall within the ambit of the definition.

The amendment the FTC approved to the Safeguards Rule now requires even non-banking institutions to report certain data breaches and other security events to the FTC. Motor vehicle dealers must notify the FTC as soon as possible, no later than 30 days after discovery, of a security breach involving the information of at least 500 customers. The breach requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected. While this reporting requirement becomes effective 180 days from today, it is critical that motor vehicle dealers have strong security measures in place and at the very least, ensure that their customers’ information is encrypted—since information that is encrypted is not subject to notification under this reporting requirement. Dealers should contact their regulatory automotive attorney if they are under the impression that they have experienced a breach for advice on how to proceed.