The Federal Trade Commission (FTC) has announced a final rule amending the FTC Safeguards Rule that will require non-banking institutions, such as dealers, to report certain data breaches and other security events to the FTC.

The final rule requires financial institutions (including dealers) to report “notification events,” defined as the unauthorized acquisition of unencrypted customer information involving at least 500 customers, to the FTC. The FTC has stated that the rule and its notice requirement are specifically intended to facilitate enforcement of the FTC’s Safeguards Rule against entities that file reports.

The notice to the commission must be provided electronically through a form located on the FTC’s website and must include:

• The name and contact information of the reporting financial institution
• A description of the types of information that were involved in the notification event
• The date or date range of the notification event (if possible to determine)
• The number of consumers affected
• A general description of the notification event

Notices will be available in a public database. The final rule does not impose a consumer notice requirement.

This rule will become effective 180 days after it is published in the federal register, which is expected shortly. Dealers and their qualified individuals should review the final rule to understand its requirements and scope and should consult with their technology providers and counsel regarding the implications of the new rule.