All non-bank financial institutions in the United States will soon have 30 days to report a data breach, something they apparently were not required to do before, under new regulations from the US Federal Trade Commission (FTC).
The FTC recently amended its Safeguards Rules to include non-bank financial institutions such as mortgage brokers, investment firms, peer-to-peer lenders and the like.
In a press release, the Commission noted that it had voted 3-0 to publish the notice amending the Safeguards Rule in the Federal Register. According to the amendments, any incident affecting at least 500 consumers – and especially incidents involving readable information – must be reported.
From April 2024
“Companies entrusted with sensitive financial information must be transparent if that information has been compromised,” said Samuel Levine, director of the FTC’s Bureau for Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should give companies additional incentive to protect consumers’ data.”
Incidents involving theft of encrypted data are exempt from the rules (unless the attackers also stole the encryption key).
When submitting the notification, companies must provide the name and contact details of the reporting institution, the number of consumers affected or potentially affected, a description of the types of data potentially exposed, the date of the exposure and, if it can be determined, the duration of the incident, and confirmation of whether law enforcement has advised against public disclosure, BleepingComputer reported.
If police ask the company to remain silent so as not to interfere with the investigation, the company will be given a 60-day extension, it added.
This new requirement will go into effect 180 days after publication in the Federal Register, which means it will start in April 2024.
The FTC added that a data breach filing does not imply a violation of the Safeguards Rule or an investigative or enforcement action.