Non-bank financial institutions must report data security breaches: FTC

The Federal Trade Commission will require non-banking financial institutions to report data breaches and other events related to cybersecurity, the agency announced Friday.

The amendment to the FTC’s Safeguards Rule would require non-banking financial institutions like mortgage brokers, motor vehicle dealers and payday lenders to notify the commission as soon as possible, and no later than 30 days, after the discovery of a breach affecting 500 consumers or more.

The FTC should be notified when unencrypted customer information has been obtained without their authorization, the agency said. The notice to the agency must include information about the breach, including the number of consumers affected and those at risk.

“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”   

The Safeguards Rule already requires financial institutions to develop, execute, and support a comprehensive security program to keep their customer information confidential.

In October 2021, the FTC asked for comments on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data and security breaches.

The Safeguards Rule was mandated by Congress under the 1999 Gramm-Leach-Bliley Act.

The breach notification requirement will become effective 180 days after being published in the Federal Register.

The rule is the latest stipulation for lenders and other firms in the space to safeguard customer information, which has been subjected to numerous hacks in recent years.

In a recent rule set forth by the Securities and Exchange Commission, publicly traded companies must report cybersecurity incidents that are considered “material” by the company. The rule was adopted in July and will become effective in December.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC Chair Gary Gensler said in a statement in July when the rule was adopted. “Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”

Recently, Flagstar Bank said around 837,390 of its customers were impacted by a cyber attack that involved unauthorized access to its customer information in one of their file transfer applications.