CSBS Nonbank Model Data Security Law

Thinking about implementing a data security law in your state? Fill out our interest form to connect with the regulatory team.

In 2018, prompted by several high-profile cybersecurity breaches, the CSBS Board of Directors asked the NDSC to consider and develop a model law addressing nonbank data security (cybersecurity) concerns. The purpose of the initiative was to establish CSBS-approved model statutory language for use by states already considering such a law, and to encourage states that have not passed laws to consider following a uniform model. In early 2019, following review of several possible models, the NDSC produced the CSBS Model Data Security Law based on the Federal Trade Commission (FTC) 2019 proposed amendments to the Safeguards Rule under the Gramm-Leach-Bliley Act.

The Federal Trade Commission’s Safeguards Rule 

The Safeguards Rule covers all nonbank financial companies. Using the Safeguards Rule proposal as the basis for the model law adds no additional regulatory burden to companies while providing consistency across federal and state oversight. Due to Covid-19, the FTC's work was delayed for a long time, and the CSBS model law was effectively shelved pending FTC action. The FTC’s 2019 proposal became a final rule in early 2022. At the same time, however, the FTC determined that notice requirements were an important missing component, and a new section to the now final Safeguards Rule was proposed. We are currently awaiting the final version of the notice requirements.


These documents provide resources for states to draft and implement their own nonbank data security laws. These resources include information on notification requirements that may also be useful to states desiring coverage for state-chartered banks.

Using the CSBS Nonbank Model Data Security Law 

The model is for voluntary consideration and adoption; it is meant to be a helpful tool. States with existing laws or rules likely do not need this model, but you may wish to review it to check the completeness of your coverage. States needing requirements for nonbank cybersecurity may find the following suggestions for use helpful:

  1. As a model or guide for your own state’s law, with minor modifications for [bracketed] language.  
  2. For states desiring to implement a rule over a law, conform the model to your rule writing process. 
  3. For states not yet ready to implement a rule or pass a law, consider conforming the essential sections of the model to your guidance process (model template provided). Doing this will create greater harmonization across the state system even where states cannot yet pass a law. 

In addition:  

  • We have used yellow highlights to identify any substantive changes from the FTC rule. 
  • The model contains [Optional] sections, clearly identified. These sections are encouraged depending on your state’s need. 
  • The model contains [bracketed] placeholders for state-specific language (e.g., “commissioner” or specific effective dates).
  • We have kept the model language as close to the FTC rule language as possible to avoid any undue or layered burden on the industry. 



1129 20th Street, N.W., 9th Floor, Washington, DC 20036 | Tel. 202.296.2840 | Fax. 202.296.1928