ThinkAdvisor
Federal Trade Commission building in Washington, D.C, on January 12, 2022. Photo: Diego M. Radzinschi/ALM


FTC to Create Public Data Breach Website for Some Financial Firms


What You Need to Know

  • The rule would apply to breaches affecting at least 500 consumers.
  • It might apply only to financial institutions without regulators other than the FTC.
  • SIFMA suggested that the rule could apply to insurance company and investment firm siblings.

The Federal Trade Commission plans to set up a public website section that will list large data breaches at the financial institutions it regulates.

The FTC added breach notice requirements in a new final rule that was posted on its website Friday.

“The commission intends to enter notification event reports into a publicly available database,” the commission said in the preamble, or official introduction, to the final rule.

The rule will apply to breaches affecting at least 500 consumers.

What it means: Clients, regulators, plaintiffs’ attorneys and financial professionals may soon have an easier time learning about data breaches at some types of financial services companies.

The data breach regulation backdrop: The Gramm-Leach-Bliley Act of 1999 already sets federal data security and breach reporting rules for financial institutions.

Federal and state governments have many data breach response rules that apply to banks, investment advisors, insurance companies and other financial institutions.

The FTC developed the Safeguards Rule in 2003 to implement Gramm-Leach-Bliley privacy and data security rules for the financial institutions it regulates, and it began official efforts to add a breach notification update in 2019.

The data: The new final rule will require affected entities with large breaches to use an online form to tell the FTC about the nature of the event, the time period when the event occurred, the number of consumers affected or potentially affected, and whether law enforcement officials have asked them to keep the breach information confidential.

Law enforcement officials can ask the FTC to keep breach reports confidential for up to 90 days, and the FTC can keep reports confidential longer if the commission staff decides that disclosure could hurt a criminal investigation or harm national security.

The FTC estimated that the new requirements might affect about 115 entities per year.

At press time, the FTC had posted a preview version of the final rule on its own website, but the official Federal Register publication date was not yet available. The rule is set to take effect 180 days after the official Federal Register publication date.

The scope: Definitions of the term “financial institution” differ widely from regulation to regulation.

The FTC suggested that its new regulation update would apply to entities such as mortgage brokers, motor vehicle dealers and payday lenders.

The National Association of Realtors has said that it believes the new regulation update will not apply to organizations such as real estate agencies that are engaging in traditional types of activities.

The SIFMA/BPI letter: The Securities Industry and Financial Markets Association and the Bank Policy Institute noted in a joint comment submitted in January 2022 that the update is of interest because it could affect entities that compete with their members and may face fewer regulatory constraints.

SIFMA and BPI also suggested that the regulation could lead to member companies that already have regulators getting more regulators.

The FTC may use the update to “impermissibly exceed its jurisdictional power — and it may do so in areas where there are only a handful of consumers and areas where other federal prudential and state insurance regulators already exercise pervasive oversight,” the groups said.

Although insurance companies may be directly under the jurisdiction of state insurance regulators, “some entities within an insurance group … may not technically be subject to such rules, while functionally being connected to other corporate entities that are subject to those rules,” SIFMA and BPI said. “Adding the commission’s rules to such complex situations would only create confusion, not protect consumers.”

Similarly, the groups said, the investment adviser for a private investment fund might be subject to regulation by the Securities and Exchange Commission, but the fund itself might be exempt from SEC oversight.

The fund itself might have no employees and only a handful of sophisticated investors, but the commission could step in and interfere with the SEC’s work, the groups added.

Representatives from SIFMA were not immediately available to comment on the release of the final rule.

The FTC’s perspective: FTC officials said that the new reporting requirements would be minimal, and that the commission needs its own breach notification reports to help it spot and address problems early.

One commenter recommended that it get breach information from other state and federal regulators. “Such an approach would be extremely burdensome on the commission,” officials said. “Also, as some of the commenters noted, state laws vary in what types of incidents must be reported and to whom.”

The new Safeguards Rule update will establish a uniform reporting requirement for all affected financial institutions, officials said.

The database: SIFMA and BPI and some other commenters asked the FTC to make the breach reports confidential.

FTC officials argued that the reports will be similar to what many states already post and that the new database could spur consumers not yet affected by breaches to do more to protect their data.

© 2024 ALM Global, LLC, All Rights Reserved.