FTC Mandates Data Breach Reporting for Non-Banking Institutions

The Federal Trade Commission (FTC) is stepping up data security measures by requiring non-banking financial institutions to report certain data breaches and security events.

In a unanimous decision, the FTC approved an amendment to the Safeguards Rule, bolstering the safeguarding of customer information for financial institutions.

FTC Strengthening Data Security

The Safeguards Rule, which was introduced in 2021, mandates non-banking financial institutions such as mortgage brokers, motor vehicle dealers, and payday lenders to establish comprehensive security programs to protect customer information.

However, to further enhance data protection, the FTC has approved an amendment that compels these institutions to report data security breaches affecting 500 or more individuals.

Reporting Mandate

The newly approved amendment imposes several reporting requirements on financial institutions:

  • Timeframe: Financial institutions must report security breaches within 30 days of discovery.
  • Triggers: Notification to the FTC is required if unauthorized access to unencrypted customer information occurs.
  • Information: The reports must contain specific details, including the number of affected customers and a general event description.
  • Effective Date: This reporting requirement becomes effective 180 days after the rule is published in the Federal Register.

Transparency and Data Protection

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, highlights the importance of transparency by saying,

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised.”

Industry Response and Concerns

The financial industry has had a mixed response to this reporting rule.

While some organizations welcomed it, others expressed concerns about redundancy with existing state-level incident reporting rules.

The FTC disagrees, arguing that the rule plays a distinct role: it allows the agency to monitor emerging data security threats affecting financial institutions and to respond promptly with investigations into major breaches.

Wider Regulatory Landscape

The FTC’s move to require data breach reporting is in step with a broader regulatory trend toward stronger data security obligations.

Several government agencies, including the SEC and the Cybersecurity and Infrastructure Security Agency (CISA), have introduced reporting rules to bolster cybersecurity within their respective domains.

As consumers become more conscious of data security, it is essential for financial institutions and other entities collecting sensitive consumer data to bear the responsibility of protecting it.
