The updated Safeguards Rule establishes the requirement that nonbanking financial institutions notify the authorities of any data breaches that occur when a third party obtains the unencrypted records of at least 500 customers without their consent. The agency commissioners unanimously approved the new disclosure rule, and it will go into effect in six months.
It gives the corporations a 30-day window when they are discovered, and it follows the commission’s 2021 approval of a previous Safeguards Rule update mandating consumer lenders to strengthen their security measures. The modifications made on Friday represent just the second modification to the Safeguards Rule since it became operative after President Bill Clinton signed the 1999 Gramm-Leach-Bliley Act.