What You Need to Know
- The rule would apply to breaches affecting at least 500 consumers.
- It might apply only to financial institutions that have no regulator other than the FTC.
- SIFMA suggested that the rule could apply to insurance company and investment firm siblings.
The Federal Trade Commission plans to set up a public website section that will list large data breaches at the financial institutions it regulates.
The FTC added breach notice requirements in a new final rule that was posted on its website Friday.
“The commission intends to enter notification event reports into a publicly available database,” the commission said in the preamble, or official introduction, to the final rule.
The rule will apply to breaches affecting at least 500 consumers.
What it means: Clients, regulators, plaintiffs’ attorneys and financial professionals may soon have an easier time learning about data breaches at some types of financial services companies.
The data breach regulation backdrop: The Gramm-Leach-Bliley Act of 1999 already sets federal data security and breach reporting rules for financial institutions.
Federal and state governments have many data breach response rules that apply to banks, investment advisors, insurance companies and other financial institutions.
The FTC developed the Safeguards Rule in 2003 to implement Gramm-Leach-Bliley privacy and data security rules for the financial institutions it regulates, and it began official efforts to add a breach notification update in 2019.
The data: The new final rule will require affected entities with large breaches to use an online form to tell the FTC about the nature of the event, the time period when the event occurred, the number of consumers affected or potentially affected, and whether law enforcement officials have asked them to keep the breach information confidential.
Law enforcement officials can ask the FTC to keep breach reports confidential for up to 90 days, and the FTC can keep reports confidential longer if the commission staff decides that disclosure could hurt a criminal investigation or harm national security.
The FTC estimated that the new requirements might affect about 115 entities per year.
At press time, the FTC had posted a preview version of the final rule on its own website, but the official Federal Register publication date was not yet available. The rule is set to take effect 180 days after the official Federal Register publication date.
The scope: Definitions of the term “financial institution” differ widely from regulation to regulation.
The FTC suggested that its new regulation update would apply to entities such as mortgage brokers, motor vehicle dealers and payday lenders.