FTC’s Final Rule Requires Reporting of Data Breaches by Non-Bank Financial Institutions

Rachael Aspery, Aaron Kouhoupt, Paul Lysobey, David Tallman, David Thompson
McGlinchey Stafford
Contact
LinkedIn
Facebook
X
Send
Embed

McGlinchey Stafford

On October 27, 2023, the Federal Trade Commission (FTC) issued a final rule (Final Rule) to amend the Standards for Safeguarding Customer Information (Safeguards Rule). This amendment will require non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to report certain data breaches and other security events to the FTC.

The Final Rule will require non-bank financial institutions to report to the FTC any notification event where unencrypted customer information involving 500 or more consumers is acquired without authorization. The notification must be made to the FTC as soon as possible but no later than 30 days after discovering the security breach. The FTC has noted that the Final Rule is based on the reporting requirement in the New York Department of Financial Services cybersecurity regulations, 23 NYCRR 500. The prior version of the Final Rule, published in the Federal Register on December 9, 2021, did not include a reporting requirement. The Final Rule will become effective 180 days after publication in the Federal Register.

According to The Final Rule, the notice is required to be made electronically on a form to be located on the FTC’s website, including the following information:

  • The name and contact information of the reporting financial institution
  • A description of the types of information impacted
  • If the information is possible to determine the date or date range
  • The number of consumers affected or potentially affected
  • A general description
  • Whether any law enforcement official has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security
  • A means for the FTC to contact the law enforcement official

Because the amendment to the Safeguards Rule will require financial institutions to notify the FTC as soon as possible, no later than 30 days, after a security breach involving unencrypted customer information of at least 500 consumers, clients should ensure that they are equipped to identify and report such security breaches promptly to the FTC within the 30-day timeframe.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© McGlinchey Stafford | Attorney Advertising

Written by:

McGlinchey Stafford
McGlinchey Stafford
Contact
more
less

McGlinchey Stafford on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide