The Federal Trade Commission (FTC) is expanding financial data breach reporting requirements, compelling consumer lenders such as mortgage brokers, auto dealers, and payday lenders to report data breaches to the FTC.
Under the revised Safeguards Rule, these non-banking institutions must notify the FTC whenever a third party gains unauthorized access to the unencrypted records of at least 500 consumers. The updated rule, set to take effect in six months, aims to enhance data security by establishing a 30-day deadline for reporting breaches. This development is only the second change to the Safeguards Rule since its inception in 1999.
Sam Levine, director of the FTC’s Bureau of Consumer Protection, emphasized that the new disclosure requirements are designed to incentivize companies to better protect consumers’ data. The revised rule now stipulates that companies must report a breach upon discovering that a third party has “acquired” unencrypted data without authorization.
This is a shift from the original language, which required reporting when a consumer lender determined that “misuse” of consumer data was reasonably likely. While some industry lobbyists raised concerns about public disclosure, the FTC believes that making breach notifications public empowers consumers to make informed decisions about which financial institutions they trust with their data. To facilitate this, the FTC will establish a public database to house breach notifications.
However, the expanded Safeguards Rule includes an exception. Organizations will not be obliged to disclose a breach if the acquired data was encrypted and the encryption key was not also accessed by an unauthorized person; in other words, the exception applies only while the key itself remains uncompromised. The FTC’s decision underscores the importance of data security and transparency, aiming to ensure that consumers’ information is safeguarded while maintaining the integrity of financial institutions.