Nonbank financial institutions, including mortgage brokers, motor vehicle dealers and payday lenders, must report certain data breaches and other security events to the Federal Trade Commission (FTC).
According to an amendment to the Commission’s Safeguards Rule announced Friday, these companies must notify the FTC as soon as possible and no later than 30 days after the data breach.
However, the obligation is only applicable when at least 500 customers were affected by the event and if unencrypted information has been acquired without the customers’ authorization.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement.
The possibility of requiring notification of data breaches and other security events has been discussed since October 2021, when the FTC sought comment on a proposed supplemental amendment to the Safeguards Rule.
At that time, the FTC proposed to require financial institutions to notify electronically of any security event that resulted or was likely to result in the misuse of customer information affecting at least 1,000 consumers. The FTC received 14 comments from industry groups, consumer advocates and individual consumers, among others.
Supporters said the data breach notice would enable the FTC to more easily enforce the rule that requires financial institutions to maintain a comprehensive security program to keep their customers’ information safe.
Meanwhile, opponents argued that it duplicates state breach notification laws and that the FTC could access and review regulated entities’ reports to consumers and state authorities.
In response, the FTC said that this indirect method would require diverting resources from enforcement to search for and collect information about breaches.
“Receipt of these notices will enable the commission to monitor for emerging data security threats affecting financial institutions and to facilitate prompt investigative response to major security breaches,” the FTC wrote in its final rule.
The Commission voted 3-0 to publish the notice amending the Safeguards Rule in the Federal Register – and the amendments are effective 180 days after publication.
Source link