The Gramm-Leach-Bliley Act, enacted in 1999, requires financial institutions, broadly defined, to establish administrative, technical, and physical safeguards to protect customer information, but does not impose obligations to notify regulators of data breaches. It also tasked certain administrative agencies with establishing standards for appropriate safeguards. Pursuant to this directive, in 2002, the FTC promulgated the Safeguards Rule to establish such standards for financial institutions subject to the FTC’s authority (i.e., non-banking financial institutions, including mortgage brokers, motor vehicle dealers, and payday lenders). The FTC Safeguards Rule was amended in 2021 and amended again on October 27, 2023.
