New amendment to the Safeguards Rule mandates prompt reporting of major data breaches, reinforcing protection for consumer information.
To bolster data security measures, the Federal Trade Commission (FTC) now requires nonbank financial institutions, including mortgage brokers, to report specific data breaches and security incidents.
The amendment to the Safeguards Rule requires firms to alert the FTC promptly after a security breach, with the report filed within 30 days of the breach's discovery. However, this requirement applies only if the breach has impacted at least 500 consumers and involves the unauthorized acquisition of unencrypted information.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
The journey to this decision began in October 2021, when the FTC initiated discussions on potential modifications to the Safeguards Rule. Its initial proposal, based on feedback from 14 varied comments, had suggested electronic notification of security events that may have jeopardized the customer information of at least 1,000 consumers.
While many supported the move, believing it would aid the FTC in upholding data security norms, some opposition emerged. Detractors cited concerns about redundancy with state breach notification laws and proposed that the FTC could gather the information it needed from existing reports to consumers and state regulators.
The FTC pointed out the inefficiencies of such an indirect approach, which would divert crucial resources from primary enforcement activities.
“Receipt of these notices will enable the commission to monitor for emerging data security threats affecting financial institutions and to facilitate prompt investigative response to major security breaches,” the FTC noted in its final rule.
The final decision to implement the change to the Safeguards Rule was unanimous, with a 3-0 vote in favor. The new regulations will be enforceable 180 days after their official publication in the Federal Register.