The Federal Trade Commission (FTC) has greenlit a new amendment to its Safeguards Rule, mandating that nonbank financial institutions report large data security breaches and other incursions into personal information.
The Safeguards Rule, which was established in 1999 and fully took effect in 2003, already requires nonbanks (including mortgage lenders, vehicle dealerships and payday lenders) to develop and implement data security programs to keep customers’ sensitive financial and personal information safe. In 2021, it was revised to keep pace with the evolution of technology by adding specific criteria spelling out which safeguards institutions were required to put in place. These included limits on who could access consumer data and compulsory encryption to keep the data secure.
The FTC announced the 2021 updates to the rule following an uptick in data breaches. Now, with such breaches remaining problematic, the newest amendment will require nonbanks to report to the FTC security breaches involving the information of at least 500 consumers as soon as possible — and no later than 30 days after discovery. The report must include the number of consumers affected or potentially affected; a description of the types of information involved; the date range of the incursion, if possible; and whether a law enforcement official has decided that notifying the public would either impede a criminal investigation or constitute a threat to national security.
Notably, while the 2021 update to the Safeguards Rule did not include a reporting requirement, the FTC published a proposal of a further amendment including such a requirement on the same day that the update was published. This new amendment appears to be the culmination of that proposal.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
The FTC voted unanimously to publish the amendment in the Federal Register. The breach-notification requirement will officially go into effect 180 days after that publication.