FTC amends Safeguards Rule pertaining to data breach reporting
Dealerships, finance companies and other service providers connected to automotive had to begin compliance with the Safeguards Rule in June.
On Friday, the Federal Trade Commission approved an amendment to it, instructing non-banking institutions to report certain data breaches and other security events to the agency.
To recap, the FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, auto dealers and payday lenders, to develop, implement and maintain a comprehensive security program to keep their customers’ information safe.
In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information.
The FTC recapped that it also sought comment on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the Commission.
The amendment announced on Friday requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers.
Officials explained such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains.
The regulator added the notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register.
The FTC voted 3-0 to publish the notice amending the Safeguards Rule in the Federal Register.
The lead officials on this matter are David Lincicum and Mark Eichorn in the FTC’s Bureau of Consumer Protection.