FTC adds to the Safeguards Rule – Data breach reporting mandate for non-bank financial entities.

November 2023

As reported by SC Magazine and Bleeping Computer

The Federal Trade Commission now requires non-banking financial organizations with at least 500 customers, including mortgage brokers, payday lenders, and motor vehicle dealers (including Powersport dealerships), to report data breaches and other cybersecurity incidents within a 30-day period. The requirement is part of an amendment to the Safeguards Rule, which will take effect beginning April 2024.

This requirement adds to the Safeguards Rule, aiming to enhance data security measures to protect customer information and strengthen compliance obligations.

“Companies that are trusted with sensitive financial information must be transparent if that information has been compromised. The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data,” said FTC Bureau of Consumer Protection Director Samuel Levine.

According to the FTC, incident reports by impacted entities should provide not only a description of the incident but also the kinds of information compromised, the time period of the breach, and the number of individuals whose data were compromised. The FTC also noted that organizations should submit reports through a form on its website.

Details that need to be included about the security incident:
• Name and contact information of the reporting institution.
• Number of consumers impacted by the incident and of those potentially affected by it.
• Description of the types of data that have been potentially exposed.
• Date of the exposure and, where it can be determined, the duration of the incident.
• Confirmation whether law enforcement advised that public disclosure of the breach could obstruct an investigation or threaten national security.

The agency has added a provision for a 60-day delay should a law enforcement official seek an extension in the public disclosure of a specific incident.

The FTC emphasizes that submitting a data breach report doesn’t automatically imply a violation of the Safeguards Rule, nor does it ensure an investigation or enforcement action.

The new notification requirement will become effective 180 days after publication of the rule in the Federal Register, so the rule should be applicable starting in April 2024.