Some Financial Institutions Must Report Breaches in 30 Days
The heat has just been turned up for companies hoping to “hide out” a data breach.
In an amendment announced October 27th, all non-banking financial institutions are now required to report data breach incidents within 30 days. The amendment to the Safeguards Rule was made by the U.S. Federal Trade Commission (FTC). It will go into effect 180 days after publication of the amendment in the Federal Register, or around April of next year.
What is the Safeguards Rule?
Designed to ensure that covered entities implement processes to keep customer information secure, the Standards for Safeguarding Customer Information, or Safeguards Rule, went into effect in 2003 but was updated in 2021 to account for recent technological changes, demanding more of the data security measures non-banking financial institutions put in place to protect this data.
This most recent amendment represents an ongoing effort to do right by the consumers it is bound to protect. It gives them ample time to be warned of any compromise to their digital lives – which is increasingly synonymous with their actual lives.
Who Does the New Safeguards Amendment Apply To?
The FTC’s Safeguards Rule requires certain types of non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe.
The change applies to security incidents impacting 500 or more customers. However, it does not apply in cases where the information accessed was encrypted and remains untouched, or “so long as an unauthorized person did not access the encryption key.”
Fighting for the Right Terms
Semantics matter here.
- “Discover” vs. “Determine” | In a joint comment, the Securities Industry and Financial Markets Association (SIFMA) and the Bank Policy Institute (BPI) argued that the event that starts the 30-day clock should not be the “discovery” of a breach, but rather the “determination” of one. They suggested that a determination occurs sometime after the initial catch and “connotes a higher standard of certainty than ‘discovery’”. The Commission, however, disagreed, stating that companies will be able to quickly identify the conditions for a breach (was unencrypted information accessed by an unauthorized party or not?) and should have ample time to respond within the 30-day limit.
- Just “sensitive” information, right? | Not exactly – and yes. Another point of contention was whether breaches should be reported if the information obtained wasn’t technically “sensitive”. The argument was that notifications would be needless if the data breached had no potential to harm consumers. In this case, the literal phrasing of the amendment was referenced, which makes no reference to “sensitive” data at all, but rather encompasses all “customer information”. This refers to “non-public personal information”, which is essentially personally identifiable financial information, which is, of course, covered. Nice try!
- How many people trigger the notification? | Some argued that the number of affected consumers should be significantly higher before a company would need to report, given the large number of customers of some non-banking financial institutions. However, leaning on state laws as a guidepost, the Commission noted that 250-500 consumers was typically the threshold for notification in those instances and that the number should be determined not by the size of the financial entity but rather by the number of people affected. Therefore, the amendment holds that “a security event that involves the acquisition of unencrypted customer information involving at least 500 consumers is significant enough to warrant notification of the Commission, regardless of the size of the financial institution.”
A few other points were debated, such as the 30-day limit, which ultimately held with a few exceptions. One is that public notifications may be delayed at the request of law enforcement; in this case, the Commission itself must still be notified within the time limit. The other is where public disclosure of the incident would impede a criminal investigation or imperil national security.
What Should the Notification Include?
In the event of a breach, non-banking financial institutions are required to report the following:
- The name and contact information of the institution reporting the event
- How many consumers were affected, and how many were potentially affected by the incident
- The types of data compromised
- How long the incident lasted, and when (to the day) it was discovered
- Whether or not law enforcement determined if public disclosure of the event would injure national security or obstruct an investigation
This information can be submitted on the FTC’s online portal. Additionally, any law-enforcement-induced delays must be confirmed by a written injunction, and the Commission must be supplied with a way to contact said law enforcement official.
What Does This Mean Going Forward?
When we step back from the canvas, this recent legal clarification to the Safeguards Rule is further evidence that the winds have clearly shifted from protecting the company to protecting the consumer. Yeah, about ten years ago, you might say. But still, this most recent addition came down firmly on the side of giving the consumer the benefit of the doubt and not negotiating with naysayers. While a lot of sensible points were brought up that could have altered the shape or effectiveness of the legislation, they ultimately did not succeed.
Financial services cybersecurity is clearly having its day, and it looks like there’s no end in sight. Now, all customers need to do to ensure the security of their financial information is to take the appropriate steps if ever they’re notified their data has been breached. And yes, that will probably entail changing a lot of passwords.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire