FTC Updates Safeguards Rule to Require Data Breach Reporting, Adopts EPIC Recommendations

October 27, 2023

The Federal Trade Commission approved an amendment to the Safeguards Rule that requires non-banking financial institutions to report certain data breaches and other security events to the Commission. The changes strengthen the rule by requiring covered entities to create and maintain a comprehensive security program to protect their customers’ information. Non-banking financial institutions will be required to notify the Commission as soon as possible, and no later than 30 days after discovery, of a security breach affecting at least 500 consumers. EPIC filed comments last year on the proposed Safeguards Rule amendment, which the Commission cited favorably throughout the final rule. EPIC’s comments argued that covered entities should be required to notify the Commission of a breach regardless of whether they believe misuse is likely, and that covered entities should still be required to notify the Commission of covered incidents even if there is a compelling law enforcement basis to not notify the public—recommendations that were both adopted by the Commission. EPIC applauds the Commission for using its authority to protect consumers’ personal information, routinely files comments with the Commission concerning data protection rules and enforcement actions, and works to protect the security of consumers’ data.
