Malware

Urgent FTC Mandate: Non-Bank Financial Firms Required to Report Breaches within 30 Days

Breaking news: Non-bank financial firms are now required to report breaches within 30 days, as mandated by the FTC. Stay updated on this urgent requirement and its implications.

Published

on

FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches

The U.S. Federal Trade Commission (FTC) has amended the Safeguards Rules, mandating that all non-banking financial institutions report data breach incidents within 30 days.

Such entities include mortgage brokers, motor vehicle dealers, payday lenders, investment firms, insurance companies, peer-to-peer lenders, and asset management firms.

This requirement adds to the Safeguards Rule, aiming to enhance data security measures to protect customer information and strengthen compliance obligations.

It applies to security incidents that impact 500 or more consumers, especially if unauthorized third parties accessed unencrypted (cleartext) information.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” stated FTC’s Director of Bureau for Consumer Protection, Samuel Levine.

“The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”

The notification requirement does not apply to cases where consumer information is encrypted as long as the attackers did not access the encryption key.

Reporting Requirements

The notice breached firms need to be submitted onto FTC’s online portal and must include details about the security incident, such as:

  • Name and contact information of the reporting institution.
  • Number of impacted consumers and of those potentially affected by it.
  • Description of the types of data that have been potentially exposed.
  • Exposure date and, if possible to determine, the duration of the incident.
  • Confirmation whether law enforcement advised that public disclosure of the breach could obstruct an investigation or threaten national security.

The agency has added a provision for a 60-day delay should a law enforcement official seek an extension in the public disclosure of a specific incident.

The FTC emphasizes that submitting a data breach report doesn’t automatically imply a violation of the Safeguards Rule, nor does it ensure an investigation or enforcement action.

The new notification requirement will become effective 180 days after publication of the rule in the Federal Register, so the rule should be applicable starting in April 2024.

For more details on the amendments and their development process based on the feedback FTC received from stakeholders, you can read this document.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version