FTC to Require More Data Breach Reporting, Security Plan
The agency will require a broad range of non-bank financial institutions to report when discovering breaches affecting 500 or more people.
The Federal Trade Commission (FTC) on Friday announced that an amendment to its Safeguards Rule would require non-banking financial institutions to report certain data breaches and other security events.
The agency’s Safeguards Rule now requires non-banking financial institutions like mortgage brokers, car dealers, accountants, investment advisers, and payday lenders to develop and maintain a comprehensive security program to keep customer data secure. The amendment strengthens changes made to the Safeguards Rule in 2021.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
The new amendment requires those companies to report breaches to the FTC no later than 30 days after discovery of a security breach involving data of at least 500 consumers. The companies must also report the exact number of consumers affected or possibly affected.
The requirement becomes effective 180 days after publication of the rule in the Federal Register, the agency noted.
The broadened Safeguards Rule falls under the 1999 Gramm-Leach-Bliley Act, which requires certain financial institutions to meet tougher data security requirements to protect consumer data, as well as the institution’s own sensitive information. The FTC can impose fines on those failing to comply.