The U.S. Federal Trade Commission (FTC) has amended the Safeguards Rules, mandating that all non-banking financial institutions report data breach incidents within 30 days.
Such entities include mortgage brokers, motor vehicle dealers, payday lenders, investment firms, insurance companies, peer-to-peer lenders, and asset management firms.
This requirement adds to the Safeguards Rule, aiming to enhance data security measures to protect customer information and strengthen compliance obligations.
It applies to security incidents that affect 500 or more consumers, in particular when unauthorized third parties accessed unencrypted (cleartext) information.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” stated Samuel Levine, Director of the FTC’s Bureau of Consumer Protection.
“The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
The notification requirement does not apply to cases where consumer information is encrypted as long as the attackers did not access the encryption key.
Breached firms must submit the notice through the FTC’s online portal, and it must include details about the security incident, such as:
- Name and contact information of the reporting institution.
- The number of consumers affected, and the number potentially affected.
- Description of the types of data that have been potentially exposed.
- The date of the exposure and, where it can be determined, the duration of the incident.
- Confirmation of whether law enforcement has advised that public disclosure of the breach could obstruct an investigation or threaten national security.
The agency has also added a provision allowing a 60-day delay in the public disclosure of a specific incident when a law enforcement official requests such an extension.
The FTC emphasizes that submitting a data breach report doesn’t automatically imply a violation of the Safeguards Rule, nor does it ensure an investigation or enforcement action.
The new notification requirement will become effective 180 days after publication of the rule in the Federal Register, so the rule should be applicable starting in April 2024.
For more details on the amendments and how they were developed from the feedback the FTC received from stakeholders, you can read the FTC’s published document.