On October 27, 2023, the Federal Trade Commission (FTC) issued a final rule (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule). This amendment will require non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to report certain data breaches and other security events to the FTC.
The Final Rule will require non-bank financial institutions to report to the FTC any notification event where unencrypted customer information involving 500 or more consumers is acquired without authorization. The notification must be made to the FTC as soon as possible but no later than 30 days after discovering the security breach. The FTC has noted that the Final Rule is based on the reporting requirement in the New York Department of Financial Services cybersecurity regulations, 23 NYCRR 500. The prior version of the Final Rule, published in the Federal Register on December 9, 2021, did not include a reporting requirement. The Final Rule will become effective 180 days after publication in the Federal Register.
According to The Final Rule, the notice is required to be made electronically on a form to be located on the FTC’s website, including the following information:
- The name and contact information of the reporting financial institution
- A description of the types of information impacted
- If the information is possible to determine the date or date range
- The number of consumers affected or potentially affected
- A general description
- Whether any law enforcement official has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security
- A means for the FTC to contact the law enforcement official
Because the amendment to the Safeguards Rule will require financial institutions to notify the FTC as soon as possible, no later than 30 days, after a security breach involving unencrypted customer information of at least 500 consumers, clients should ensure that they are equipped to identify and report such security breaches promptly to the FTC within the 30-day timeframe.