Nonbank financial institutions must report certain data breaches to the Federal Trade Commission (FTC) within 30 days of discovery under a new amendment to the agency’s Safeguards Rule.
The update to the rule, announced Friday, applies to cybersecurity incidents where the unencrypted information of at least 500 consumers is acquired without authorization. Covered entities must inform the FTC regarding the types of information accessed, the date range of the event, and the number of individuals affected.
The new requirement is scheduled to take effect 180 days after publication in the Federal Register.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
The FTC in 2021 approved a series of extensive changes to the Safeguards Rule. The data breach amendment was proposed shortly after, initially requiring reporting of security events determined to be reasonably likely to result in the misuse of customer information affecting at least 1,000 consumers.
Commenters opposing the amendment argued it would be duplicative of state breach notification laws; the FTC disagreed.
“Receipt of these notices will enable the commission to monitor for emerging data security threats affecting financial institutions and to facilitate prompt investigative response to major security breaches,” the agency said in its final rule.