FTC approves rule giving non-banking financial institutions 30 days to report data breaches

The Federal Trade Commission has approved a new rule that will make it mandatory for non-banking financial institutions to report data breaches and security events within 30 days.

The regulation is an amendment to the Safeguards Rule, which governs mortgage brokers, motor vehicle dealers and payday lenders.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”

The amendment, which goes into effect next April, requires financial institutions to report incidents involving the information of at least 500 customers to the FTC.

Security breaches require notification “if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains.”

In a 38-page document, the FTC explained that the incident reports must include:

• The name and contact information of the reporting financial institution;
• A description of the types of information that were involved in the notification event;
• If the information is possible to determine, the date or date range of the notification event;
• The number of consumers affected;
• A general description of the event
• If applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security and a means for the Federal Trade Commission to contact the law enforcement official.
• The notice needs to be submitted electronically through a form located on the FTC’s website.

The amendment, which was passed in a 3-0 vote, ends a two-year process to add the reporting rule. The Safeguards Rule, which was mandated by Congress in 1999 and took effect in 2003, added cybersecurity provisions in 2021, making it mandatory for non-banking financial institutions to maintain a cybersecurity program designed to safeguard customer data.

Companies were forced to limit who can access consumer data, use encryption to secure data and explain information sharing practices. They also had to tell the FTC how they plan to access, collect, distribute, process and store customer information.

Organizations were required to designate somebody to oversee an information security program and report updates to their board of directors.

“Financial institutions and other entities that collect sensitive consumer data have a responsibility to protect it,” Levine said in 2021.

Industry backlash

The amendment released by the FTC notes that they received mixed feedback from organizations about the changes. Some welcomed the incident reporting rule while others felt it was duplicative of several state-level incident reporting rules.

“The Commission, however, disagrees that requiring financial institutions to provide notice to the Commission is redundant because of state breach notification laws,” they wrote, since state laws require organizations to give notice to consumers and “in some cases” to state regulators, but not the FTC, which oversees financial institutions.

“Notice to consumers or to state regulators does not achieve this purpose. Receipt of these notices will enable the Commission to monitor for emerging data security threats affecting financial institutions and to facilitate prompt investigative response to major security breaches.”

Several other organizations, like the National Automobile Dealers Association, argued that most breaches were not worth reporting and floated an idea that reporting requirements should only “apply after a series of security events,” because only multiple events can be “suggestive of compliance failures,” while any single breach “certainly… is not.”

Several government agencies have passed incident reporting rules in recent months, including the SEC, which unveiled its own this summer. The Cybersecurity and Infrastructure Security Agency (CISA) is planning to institute its own rules for critical infrastructure organizations next year.