
In November 2021, the FTC issued a final rule updating the Safeguards Rule. The FTC then issued a supplemental notice of proposed rulemaking announcing that it was “seeking comment on whether to make an additional change to the Safeguards Rule to require financial institutions to report certain data breaches and other security events to the Commission.” In October 2023, the FTC issued a press release noting a final amendment to the Safeguards Rule “that would require non-banking institutions to report certain data breaches and other security events to the agency.”

CDIA filed a comment in connection with that supplemental notice. There were over 40 comments filed in connection with this rulemaking.

The Safeguards amendment, which becomes effective 180 days from publication in the Register, requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected.

CDIA’s comment was cited 19 times in the final release from the FTC. That may be a record number of citations to a CDIA comment, and an average of two cites per page. Our comment in 2021 pointed out that the Proposal is unnecessary given existing state breach notification requirements. We said that

adding an additional notification requirement would be burdensome, costly, and redundant while also providing no countervailing consumer benefit. Thus, CDIA urges the Commission to decline to issue the revisions to the Amended Safeguards Rule suggested in the Proposal. If the Commission elects to go forward with the Proposal, however, CDIA believes that the Commission should amend its Proposal by limiting the notification requirement to those security events that could result in substantial harm or inconvenience to at least 1,000 customers, consistent with the legislative purpose behind the Safeguards Rule. CDIA also suggests a number of additional modifications to better harmonize the Proposal with existing state laws.

Additional resources:

Safeguards Snafu? The Anomalous New Provision in the FTC’s Gramm-Leach-Bliley Safeguards Rule (paper) (podcast)