FTC Amends Safeguards Rule that will Require Reporting of Data Security Breaches by Non-Banking Financial Institutions
The Federal Trade Commission ("FTC") has approved an amendment to the Safeguards Rule that will require non-banking institutions to report certain data breaches and other security events to the agency within 30 days of discovering any unauthorized acquisition of unencrypted customer information that affects 500+ customers.
The FTC's Safeguards Rule mandates non-banking financial institutions to develop and maintain a robust security program for customer information. The rule now mandates all institutions to report "notification events" to the FTC, defining such events as unauthorized acquisition of unencrypted customer data involving at least 500 customers.
The FTC has finalized changes to the Safeguards Rule in October 2021, enhancing data security safeguards for financial institutions to protect customer information. The FTC is also seeking comment on a proposed amendment requiring reporting of data breaches.
Samuel Levine, Director of the FTC's Bureau of Consumer Protection, emphasized the need for companies with sensitive financial information to be transparent about any breaches, adding this requirement to the Safeguards Rule.
The amendment, effective October 27, 2023, mandates financial institutions to notify the FTC within 30 days of a security breach involving at least 500 consumers, if unencrypted customer information was obtained without authorization, and must include details about the affected or potentially affected consumers.
The revised Rule focuses on "notification events" involving unencrypted customer information acquisition without individual authorization. If involving at least 500 consumers, covered entities must contact the FTC within 30 days of discovery using a form on the FTC's website.
Below are the items the notice must include:
1. The name and contact information of the financial institution;
2. A description of the types of information involved;
3. The date or date range of the notification event, if it’s possible to determine;
4. The number of consumers affected; and
5. A general description of the notification event.
The notification must also include a written determination from law enforcement that notifying the public of a breach would impede a criminal investigation or cause national security damage, and a means for the FTC to contact the law enforcement official. The private sector must also monitor and comply with fifty state breach disclosure laws and a growing wave of comprehensive privacy laws.
The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register. The publication was on November 13, 2023, which makes it effective on May 13, 2024.
© 2023 Cliclaw.com
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.