
FTC RIN: 3084-AB35  Publication ID: Fall 2023
Title: Standards for Safeguarding Customer Information
Abstract:

The Safeguards Rule, which was issued under the Gramm-Leach-Bliley (GLB) Act, requires each financial institution subject to the FTC's jurisdiction to develop a written information security program to keep customer information secure that is appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Companies covered by the rule are also responsible for taking steps to ensure that their service providers safeguard customer information in their care. The Commission believes that the rule strikes an appropriate balance between allowing financial institutions flexibility and establishing standards for safeguarding customer information that are consistent with GLB's requirements.

As part of its ongoing systematic review of all rules and guides, on September 7, 2016, the Commission requested public comments on, among other things, the economic impact and benefits of the rule; possible conflict between the rule and State, local, or other Federal laws or regulations; and the effect on the rule of any technological, economic, or other industry changes. 81 FR 61632 (Sept. 7, 2016). The comment period closed on November 7, 2016. On March 5, 2019, the Commission announced a Notice of Proposed Rulemaking (NPRM). 84 FR 13158 (April 4, 2019). The public comment period as extended closed on August 2, 2019. 84 FR 24049 (May 24, 2019). Staff is reviewing approximately 50 comments that were submitted. On March 6, 2020, the Commission announced that a public workshop relating to the April 4, 2019 NPRM would be held on May 13, 2020. 85 FR 13082 (Mar. 6, 2020). However, due to the COVID-19 pandemic, the workshop was postponed until July 13, 2020.

On December 9, 2021, the Commission issued a final rule that, among other amendments, provides additional requirements for financial institutions' information security programs. 86 FR 70272 (Dec. 9, 2021). The final rule also expands the definition of "financial institution" to include entities that are significantly engaged in activities that are incidental to financial activities, so that the rule covers "finders," for example, companies that serve as lead generators for payday loan companies or mortgage companies. This rule was effective January 10, 2022, except that the provisions set forth in section 314.5 are applicable beginning June 9, 2023. 87 FR 71509 (Nov. 23, 2022).

On December 9, 2021, the Commission also issued a Supplemental Notice of Proposed Rulemaking that proposes to further amend the Safeguards Rule to require financial institutions to report to the Commission any security event in which the financial institution has determined that misuse of customer information has occurred or is reasonably likely, and that at least 1,000 consumers have been affected or reasonably may be affected. 86 FR 70062 (Dec. 9, 2021). The comment period closed on February 7, 2022.

On October 27, 2023, the Commission announced a final rule amendment that requires covered financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to whom the information pertains. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected. The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.

Agency: Federal Trade Commission (FTC)  Priority: Substantive, Nonsignificant
RIN Status: Previously published in the Unified Agenda  Stage of Rulemaking: Final Rule Stage
Major: No  Unfunded Mandates: No
CFR Citation: 16 CFR 314
Legal Authority: The Gramm-Leach-Bliley Act as codified at 15 U.S.C. 6801(b), 6805(b)(2)
Legal Deadline: None
Timetable:
Action  Date  FR Cite
Rule Review, Request for Public Comment  09/07/2016  81 FR 61632
Comment Period End  11/07/2016
NPRM  04/04/2019  84 FR 13158
NPRM Comment Period Extended  05/24/2019  84 FR 24049
NPRM Extended Comment Period End  08/02/2019
Public Workshop Announcement  03/06/2020  85 FR 13082
Public Workshop Rescheduled (Press Release)  04/21/2020
Public Workshop  07/13/2020
Public Workshop Comment Period End  08/12/2020
Supplemental NPRM  12/09/2021  86 FR 70062
Final Rule  12/09/2021  86 FR 70272
Final Rule Effective (All Except Section 314.5)  01/10/2022
Supplemental NPRM Comment Period End  02/07/2022
Final Rule Effective Date Extended  11/23/2022  87 FR 71509
Final Rule Effective (Section 314.5)  06/09/2023
Final Rule  12/00/2023
Regulatory Flexibility Analysis Required: No  Government Levels Affected: None
Small Entities Affected: Businesses  Federalism: No
Included in the Regulatory Plan: No
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Information URL: https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches
RIN Data Printed in the FR: No
Related RINs: Previously reported as 3084-AA87
Agency Contact:
David Lincicum
Federal Trade Commission
600 Pennsylvania Avenue NW, CC-8232,
Washington, DC 20580
Phone: 202 326-2773
Email: dlincicum@ftc.gov