Dive Brief:
- The FTC amended its rule requiring nonbanking financial institutions to maintain and safeguard customers’ information, with a breach-reporting requirement going into effect Monday.
- The amendment to Standards for Safeguarding Customer Information requires financial institutions to notify the FTC as soon as possible after discovering a security breach impacting at least 500 customers’ data, with a deadline of no later than 30 days after discovery.
- The FTC’s rule applies to nonbanking financial institutions — including mortgage lenders, payday lenders, collection agencies, financial advisers, investment advisers, tax preparation firms and others.
Dive Insight:
Data compromises reached a record high last year, and companies were less forthright about the details of such breaches. At the same time, customers have expressed concerns about data privacy.
A survey from Broadridge Financial Solutions found that 2 in 5 customers will avoid interacting with a company online if they have concerns about their personal data.
The FTC is working to protect consumer data by tweaking existing regulations. The agency announced the revised provisions last October, providing impacted industries six months to prepare their businesses for the change.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a prepared statement. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
Businesses must notify the FTC of instances when unencrypted customer information is acquired without that customer’s authorization.
Breached companies must provide notice via an online form on the FTC’s website and include a description of the types of information that were accessed, the date or dates of the breach and the number of consumers affected.
The FTC isn’t the only agency that requires reporting such breaches. Last year, the Securities and Exchange Commission began requiring companies to disclose any material security incident and outline its nature, scope, timing and likely impact.