On November 13, 2023, the Federal Trade Commission (FTC) published a Final Rule in the Federal Register updating the Standards for Safeguarding Customer Information (Safeguards Rule). The rule includes changes to the incident notification requirements for financial institutions. The Final Rule will be effective on May 13, 2024.
How We Got Here
The FTC proposed amendments to the Safeguards Rule on April 4, 2019, and held a workshop with information security experts on July 13, 2020. The proposed amendments were modeled largely on the cybersecurity regulation issued by the New York Department of Financial Services. Final amendments were published on December 9, 2021, and at the same time the FTC issued a Supplemental Notice of Proposed Rulemaking (SNPRM) on incident notification, which received 14 comments.
The SNPRM proposed that financial institutions report certain security events to the FTC no later than 30 days after discovery. After reviewing the comments, the FTC finalized the proposed amendments with minor changes.
What Is It?
In summary, under the Final Rule, financial institutions must report to the FTC any unauthorized acquisition of unencrypted customer information involving 500 or more consumers, as soon as possible and no later than 30 days after discovery. The notification to the FTC must include specific details about the event, including the number of consumers affected or potentially affected. Now, let's break this down.
- Financial Institutions: The Safeguards Rule applies to non-banking financial institutions under FTC jurisdiction, such as mortgage brokers, motor vehicle dealers and payday lenders, and more generally to "any institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities." 16 CFR 314.2(h)(1)
- Notification Event: The new definition in § 314.2(m) defines a "notification event" as the acquisition of unencrypted customer information without the authorization of the individual to whom the information pertains. Two details matter in practice. First, customer information counts as unencrypted if the encryption key was accessed by an unauthorized person, so encryption at rest does not by itself take an event out of scope. Second, unauthorized access to unencrypted customer information is presumed to be unauthorized acquisition unless the institution has reliable evidence that acquisition did not occur and could not reasonably have occurred. The trigger is therefore unauthorized acquisition itself, "rather than when 'misuse' is considered likely."
- Threshold: Considering various state breach notification laws and its own rules, the FTC set a minimum threshold of 500 consumers. A notification event involving the unencrypted customer information of at least 500 consumers requires FTC notification regardless of the institution's size; the small-institution exemptions elsewhere in the Safeguards Rule do not apply here.
- When to Report: To balance timely reporting against thorough investigation, the FTC requires notice as soon as possible and no later than 30 days after discovery. An event is treated as discovered on the first day it is known to any employee, officer or other agent of the institution, other than the person committing the breach, so the clock does not wait for the security team to confirm the details. The 30 days give the institution time to investigate, identify what was accessed, understand how customers might be affected, and gather enough information to determine whether the event meets the reporting threshold.
- Public Disclosure: The SNPRM asked whether reports from financial institutions should be made public. The FTC concluded that public reports help consumers and encourage better data protection practices by financial institutions. It declined to adopt a confidential reporting system and plans to make event reports publicly accessible in a database.
If a law enforcement official has determined in writing that public disclosure would impede a criminal investigation or cause damage to national security, the institution must say so in its notice and provide a means for the FTC to contact that official. The FTC will then delay public disclosure of the report for 30 days, and the official may request an extension of up to 60 additional days, for a maximum delay of 90 days.
How to Report
Under § 314.4(j)(1), the notice is submitted electronically through a form on the FTC's website and must include: the institution's name and contact information; a description of the types of information involved in the notification event; the date or date range of the event, if it can be determined; the number of consumers affected or potentially affected; a general description of the event; and, if applicable, whether a law enforcement official has provided a written determination that public notice would impede a criminal investigation or cause damage to national security, together with a means for the FTC to contact that official.
The Final Rule makes recognizing and reporting unauthorized acquisition of customer information a formal obligation, not a judgment call about likely misuse. The Safeguards Rule protects consumers and helps financial institutions avoid damage to their reputation and operations. Prompt reporting demonstrates transparency and accountability, which in turn builds consumer confidence. Overall, a strong and open reporting process helps the financial industry stay resilient and secure in the face of evolving threats.
Need help with Incident Management? Tandem Incident Management has you covered. This product is designed to help financial institutions create and manage a formal Incident Response Plan, including creating a communications plan and tracking incidents as they occur. For more information, sign up to watch a demo today.