FTC orders non-bank financial firms to report breaches in 30 days

October 30, 2023 at 04:01PM

The U.S. Federal Trade Commission (FTC) has amended the Safeguards Rule to require non-banking financial institutions, such as mortgage brokers and investment firms, to report data breaches within 30 days. The goal is to enhance data security and protect customer information. Companies must disclose incidents impacting 500 or more consumers, excluding cases where encrypted information is involved. The FTC emphasizes that reporting does not necessarily indicate a violation or guarantee an investigation. The new requirement takes effect in April 2024. Further details can be found in the provided document.

Key Takeaways from Meeting Notes:

1. The U.S. Federal Trade Commission (FTC) has amended the Safeguards Rule, requiring non-banking financial institutions to report data breaches within 30 days.
2. The new requirement applies to entities such as mortgage brokers, motor vehicle dealers, payday lenders, investment firms, insurance companies, peer-to-peer lenders, and asset management firms.
3. The aim of the amendment is to enhance data security measures, protect customer information, and strengthen compliance obligations.
4. The notification requirement applies to security incidents affecting 500 or more consumers, especially if unauthorized third parties accessed unencrypted information.
5. Companies trusted with sensitive financial information need to be transparent when that information is compromised.
6. The disclosure requirement provides companies with an incentive to safeguard consumers’ data.
7. The notification requirement does not apply if consumer information is encrypted and the attackers did not access the encryption key.
8. Firms need to submit breach reports through the FTC’s online portal, including details such as contact information, impacted consumers, types of data exposed, exposure date, and potential duration of the incident.
9. Public disclosure of a breach could be delayed by 60 days if law enforcement officials request it.
10. Submitting a data breach report does not automatically indicate a Safeguards Rule violation or guarantee an investigation or enforcement action.
11. The new notification requirement will be effective from April 2024, 180 days after the rule’s publication in the Federal Register.

For more information on the amendments and the development process, you can refer to the document provided.
