
Federal Cybersecurity Reporting Rules Strike a Delicate Balance

The United States Federal Trade Commission has introduced new data breach notification rules, shedding light on the delicate equilibrium between the government’s quest to enhance its understanding of national cybersecurity threats and the consolidation of numerous reporting regulations.

On Friday, the consumer protection agency unveiled finalized amendments to its Safeguards Rule, requiring non-bank entities such as mortgage brokers and auto dealers to promptly report security incidents affecting the unencrypted data of 500 or more customers, with a maximum reporting timeframe of 30 days.

Companies that store sensitive consumer data find themselves navigating a maze of over 50 federal security incident reporting regulations. These new FTC requirements are part of a broader initiative across several parts of the executive branch to harmonize these rules and bolster the nation’s cybersecurity posture. Nevertheless, the subtle discrepancies in reporting timelines and required details pose compliance challenges, complicating matters for companies during the critical period immediately after a cyberattack.

Linn Freedman, a cybersecurity compliance partner at Robinson & Cole LLP, remarked, “It is a difficult patchwork to know all the different entities, depending on what industry you are in, that you have to notify” after a security incident.

The Department of Homeland Security came to a similar conclusion in a report published on September 19, highlighting the significant hurdles posed by variations in breach definitions and reporting triggers.

The FTC has stated that these additional reporting requirements will equip the agency with new insights into “emerging data security threats” as it aligns its cybersecurity regulatory efforts with the Biden administration’s goals. However, the addition of another regulator relationship in the event of a cyber incident will be a significant compliance challenge for businesses, according to Nick Sanna, President of the FAIR Institute, a nonprofit focused on measuring information risk.

Safeguards Rule Expansion: The updated Safeguards Rule extends the Federal Trade Commission’s cybersecurity oversight to a new set of businesses, which must now revise their incident response plans to ensure compliance. These changes impact businesses governed by the Gramm-Leach-Bliley Act of 1999, including payday lenders, insurance providers, loan collection agencies, and tax preparation firms.

Melissa Krasnow, a partner at VLP Law Group LLP specializing in advising financial services providers on cybersecurity compliance, stated, “A lot of entities which may not have thought of themselves as being regulated would be regulated. The issue is whether they’re aware they’re regulated and are complying.”

The FTC’s new reporting requirements will take effect six months after the agency publishes the amendments in the Federal Register, providing companies with time to ascertain their regulatory status and develop effective compliance strategies. The data breach reports must include information about breached categories of data, duration, and an estimate of affected consumers.

In the attached analysis of the finalized amendment, the commission explained that the new information gathered would expedite the agency’s ability to identify breaches requiring further investigation and save resources by eliminating the need to continually search for breach notifications from other sources.

As Krasnow noted, “A lot of regulators, including the FTC, often don’t know when there’s noncompliance or lack of compliance until there’s a breach.”

Lenders need to prepare to implement new processes for collecting and reporting cyberattack information to ensure compliance with the amended rule.

Addressing Cyber Resiliency: Holding these businesses to higher data management standards could address concerns expressed by banks regarding cyber resiliency, particularly in response to an open banking proposal championed by the Consumer Financial Protection Bureau (CFPB). The CFPB’s proposal offers increased access to financial data for fintech third parties, raising concerns among banks about the cybersecurity practices and data protection of these entities, which face less stringent regulations.

Jonathan Joshua, a financial regulations counsel at Joshua Law Firm LLC, noted that the new amendments “show that the FTC continues to push the envelope” in terms of expectations for non-bank financial services providers.

However, the FTC’s rules should not be expected to fully resolve all the concerns raised in the ongoing discussions surrounding the CFPB proposal, as highlighted by Peter Dugas, who leads a regulatory intelligence center at advisory firm Capco RISC.

Dugas noted that addressing the full concerns would require additional standards for data, terms of access, record-keeping practices, duration periods, minimum data security programs, and litigation protections for third-party breaches.

Complex Reporting Landscape: Several groups that submitted comments on the proposed Safeguards Rule changes expressed concerns that the addition of another federal reporting requirement could divert attention away from responding to data breaches and complicate rather than streamline compliance efforts.

The FTC contends that reporting breaches to the agency will not be overly burdensome since companies are already required to collect similar information under breach-reporting regulations in all 50 states.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is planning to release a proposed rule set next year, requiring the financial sector and 15 other critical infrastructure sectors to report security breaches to the agency within 72 hours of discovery, and ransom payments within 24 hours. While this rulemaking at CISA may centralize cybersecurity data reporting, whether it will actually simplify reporting in practice remains an open question, as highlighted by Justin Herring, a partner at Mayer Brown LLP with expertise in cybersecurity regulation.

Jordan Taylor

Jordan Taylor is Sr. Editor & writer from San Diego, CA.
