Finance orgs have 30 days to confess cyber sins under incoming FTC rules
Follows similar efforts from the SEC and DHS in recent months
The US has approved mandatory data breach reporting requirements that impose a 30-day deadline for non-banking financial organizations to report incidents.
The amendment to the Federal Trade Commission's (FTC) Safeguards Rule, which aims to hold the US finance sector to high cybersecurity standards, will apply to entities including insurance companies, mortgage brokers, payday lenders, and car dealerships.
"Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised," said Samuel Levine, director of the FTC's Bureau of Consumer Protection.
"The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers' data."
The financial organizations in scope of the amendment are instructed to notify the FTC of a security breach involving 500 consumers or more as soon as possible, and no later than 30 days after discovery.
In the report issued to the regulator, organizations must include:
- Name and contact information for the reporting financial institution
- A description of the data affected by the incident
- If possible, the date or date range of the breach
- The number of consumers affected
- A general description of the incident and, if applicable, whether a law enforcement agency has officially determined that notifying the public of the incident would impede a criminal investigation or cause damage to national security
In the latter case, contact details for the law enforcement agency must also be supplied.
US law enforcement may seek to delay the public disclosure of an incident, in which case the relevant agency would need to provide a written request for an extension, which can be granted for an additional 60 days beyond the initial 30-day window.
Crucially, the amendment [PDF] will only apply to security breaches that involve the theft of unencrypted data belonging to at least 500 consumers.
In the original proposal, the drafting process for which started in October 2021, the thinking was that the amendment would apply to events in which 1,000 consumers or more were affected.
The FTC ultimately reduced this to 500, but said the change would likely lead to only a small number of additional reports a year – around 5 percent more, which by the FTC's estimates would affect 155 extra organizations.
The 500-consumer cutoff broadly aligns with state laws around data breach reporting in the US. California, for example, requires similar disclosures to be made in the event that 500 state residents are affected by a breach, whereas the cutoff is set at 1,000 individuals in Alabama.
Other states, like Colorado, have different rules for different cutoffs. If the number of affected residents is between 500 and 999, notices must be sent to the Attorney General. For those that impact 1,000 or more, the organization must notify all consumer reporting agencies too. Data breaches of any size must always be reported to individuals that are affected, no matter how small the number, within 30 days.
The amendment will come into effect 180 days after it's published in the Federal Register. The publication date has not been set, but the rule will most likely come into effect in 2024.
The FTC's news comes just a few months after the Securities and Exchange Commission (SEC) announced its own mandatory breach reporting rules in July, but with a far stricter four-day window.
Public companies that suffer "material" data breaches will be required to file an Item 1.05 Form 8-K report that includes details of the breach – similar information to that required by the FTC's latest amendment – and will be made public by the regulator.
Experts speaking to The Register at the time expressed concern over US organizations' ability to determine materiality, saying compliance will be difficult to maintain as a result.
The Department of Homeland Security (DHS) has also recently published proposals [PDF] to make the reporting of security incidents more streamlined at the federal level, including the recommendation for a single reporting portal. ®