FTC Strengthens Data Security Requirements for Non-Banking Entities

In a significant move to bolster consumer data protection, the Federal Trade Commission (FTC) recently approved an amendment to the Safeguards Rule. This amendment now mandates non-banking entities, including mortgage brokers, motor vehicle dealers, and payday lenders, to promptly report data breaches and other security incidents. This development comes as part of the FTC's ongoing efforts to fortify the safeguards surrounding consumers' financial information.

The Safeguards Rule, which was initially implemented to regulate financial institutions, has now been extended to encompass a broader spectrum of entities entrusted with sensitive financial data. These non-banking entities are now required to establish, implement, and maintain robust security programs designed to safeguard consumer information effectively.

Under the newly revised rule, financial institutions must promptly inform the FTC of any security breach involving at least 500 consumers within 30 days of its discovery. This notification obligation applies specifically when unencrypted customer data is accessed without proper consent. The disclosure must include precise details regarding the number of affected or potentially affected customers, ensuring transparency in the wake of such incidents.

Furthermore, the amendment stipulates that breaches must be reported no later than 180 days after the Federal Register rule is published, ensuring that entities adhere to a strict timeline for disclosure. This provision emphasizes the urgency of timely reporting, allowing affected parties to take necessary precautions promptly.

The FTC Bureau of Consumer Protection Director, Samuel Levine, stressed the importance of transparency in such situations, stating, “Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised.” The inclusion of this disclosure requirement in the Safeguards Rule is expected to incentivize companies to prioritize and enhance consumer data protection measures.

The Commission's unanimous decision to publish this amendment in the Federal Register underscores its commitment to upholding consumer data security. David Lincicum and Mark Eichorn, leading figures in the FTC's Bureau of Consumer Protection, played instrumental roles in advancing this case.

By extending reporting obligations to non-banking entities, the FTC aims to create a more comprehensive and rigorous framework for data protection. This development signals a renewed focus on consumer welfare and emphasizes the FTC's dedication to safeguarding sensitive financial data in an ever-evolving digital landscape.