FTC Expands Financial Data Breach Reporting RequirementsNon-Banking Institutions Will Be Required to Report Breaches Under Revised Rule
Consumer lenders such as mortgage brokers, auto dealers and payday lenders must soon report data breaches to the Federal Trade Commission under a revised regulation that mandates public disclosure.
The revised Safeguards Rule sets the threshold for nonbanking financial institutions to report data breaches anytime a third party acquires without authorization the unencrypted records of at least 500 consumers.
The new disclosure requirement, which agency commissioners voted unanimously to approve, will become effective in six months. It sets a 30 day deadline after discovery for the companies and comes on the heels of an earlier amendment to the Safeguards Rule the commission approved in 2021 requiring consumer lenders to beef up security programs. Friday's update is only the second change to the Safeguards Rule since it took affect following President Bill Clinton's approval of the Gramm-Leach-Bliley Act of 1999 (see: US FTC Delays Safeguards Rule Deadlines by 6 Months).
Sam Levine, director of the FTC's Bureau of Consumer Protection, said the new disclosure requirements "should provide companies with additional incentive to safeguard consumers' data." The final rule clarifies that companies must report a breach when they discover that a third party has "acquired" unencrypted data without authorization. That's a change from language that would have defined a triggering incident as one where a consumer lender determined that "misuse" of consumer data was reasonably likely to occur. The original language "could have been used as an opportunity to circumvent the reporting requirement," the FTC said.
Industry lobbyists including the National Automobile Dealers Association argued for constraints on public disclosure while some such as CTIA urged the FTC not make the reports public at all. The agency said it agrees with industry arguments that a data breach doesn't necessarily mean that a company violated the Safeguards Rule. But the reverse is true as well, the agency said: "the fact that an institution has not experienced a breach does not necessarily mean that the institution is in compliance."
As a result, the agency says it believes providing consumers with breach data is tantamount to consumer empowerment. "Making the notices public will enable consumers to make more informed decisions about which financial institutions they choose to entrust with their information," the FTC said (see: Title Lender TMX Now Says Payment Card Data Stolen in Breach).
The agency will create a public database to house the breach notifications.
The expanded Safeguard Rule does include an exception. Organizations will not be required to disclose data breaches if the acquired data was encrypted - "so long as the encryption key was not accessed by the unauthorized person."