The Federal Trade Commission on Friday announced that it has amended the Safeguards Rule to require non-bank financial institutions to report data breaches to the agency.
Any breach involving the personal information of at least 500 consumers will need to be reported to the FTC, once the amendment goes into effect — which will happen 180 days after the amendments are published in the Federal Register.
What’s Happening: In the event that the unencrypted personal information of at least 500 consumers is compromised, companies will be required to notify the FTC. Companies will need to make that notification as soon as possible, and no later than 30 days after discovering the breach.
What It Is: The Safeguards Rule requires non-bank financial institutions, such as debt collectors, mortgage brokers, and car dealers, to develop, implement, and maintain a comprehensive security program to keep the personal information of their customers safe. The FTC recently amended the rule, expanding the compliance requirements to include:
- Designating a qualified individual to oversee their information security program,
- Developing a written risk assessment,
- Limiting and monitoring who can access sensitive customer information,
- Encrypting all sensitive information,
- Training security personnel,
- Developing an incident response plan,
- Periodically assessing the security practices of service providers, and
- Implementing multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
What They Said: “Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”