The Federal Trade Commission (FTC) has announced a final rule amending the FTC Safeguards Rule that will require non-banking institutions, such as dealers, to report certain data breaches and other security events to the FTC. The final rule requires financial institutions (including dealers) to report “notification events,” defined as the unauthorized acquisition of unencrypted customer information involving at least 500 customers, to the FTC. The FTC has stated that the rule and its notice requirement are specifically intended to facilitate enforcement of the FTC’s Safeguards Rule against entities that file reports.
The notice to the commission must be provided electronically through a form located on the FTC’s website and must include:
- The name and contact information of the reporting financial institution
- A description of the types of information that were involved in the notification event
- The date or date range of the notification event (if possible to determine)
- The number of consumers affected
- A general description of the notification event
Notices will be available in a public database. The final rule does not impose a consumer notice requirement.
When this rule was proposed, NADA submitted extensive comments opposing the notice requirement. While the FTC rejected many of NADA’s comments, several of NADA’s key points were reflected in the final rule, including:
- Notification is only required if the financial institution discovers that unencrypted customer information has been acquired without authorization, and
- The FTC’s acknowledgement that “not every notification event is necessarily the result of a failure to comply with the Safeguards Rule.”
This rule will become effective 180 days after it is published in the Federal Register, which is expected shortly. Dealers and their qualified individuals should review the final rule to understand its requirements and scope, and should consult with their technology providers and counsel regarding the implications of the new rule.