Why it matters: The FTC is the federal agency charged with promoting competition and protecting consumers in the US. It already enforces a set of data-security rules for financial institutions, and it has now added a further requirement covering security breach disclosure.
The FTC's Safeguards Rule requires "non-banking" financial institutions to securely manage and store their customers' information. It applies to organizations such as mortgage brokers, motor vehicle dealers, and payday lenders, which must develop, implement, and maintain a comprehensive security program to safeguard customer data.
The agency recently announced an amendment to the Safeguards Rule that obligates covered financial institutions to promptly report security breaches discovered in their systems. According to the FTC, organizations must notify the agency "as soon as possible," and no later than 30 days after discovering a security incident that involves the information of 500 or more consumers.
As the FTC explains, notification is mandatory when malicious or otherwise unauthorized actors gain access to unencrypted customer information. It is not required if the information was encrypted and the attackers did not also obtain the encryption keys; in practice, encryption only exempts an organization when the keys were kept out of the attackers' reach. The new rule takes effect 180 days after its publication in the Federal Register, with implementation commencing in April 2024.
After discovering a breach, non-banking financial institutions must submit the relevant details to the FTC through the agency's online portal. A breach report should include the name and contact information of the reporting institution, the number of affected consumers, a description of the exposed data, the date of exposure, and the duration of the incident.
Organizations can also tell the FTC if public disclosure of a breach could impede an investigation or pose a threat to national security, and a law enforcement official can request an additional 60-day delay in public disclosure.
Samuel Levine, director of the FTC's Bureau of Consumer Protection, emphasized that companies entrusted with sensitive financial information need to be transparent "if that information has been compromised." The new disclosure requirement should provide these companies with "additional incentive" to genuinely protect their consumers' data.
The FTC had announced enhanced data-security rules in October 2021 and, at the same time, sought public comment on a proposed supplementary amendment covering data breach reporting. That amendment has now been approved by a unanimous 3-0 vote.