The Federal Trade Commission is weighing updating its rules to require financial institutions to report within 30 days any security incidents in which misuse of customer data of at least 1,000 customers likely occurred.
The information requested by the FTC under a proposal published Wednesday would include the name and contact information of an affected institution, the type of data involved in the event and the timeframe of the incident. The FTC notes that similar information is required under many state breach reporting laws, and that the FTC does not consider the information requested to be “confidential or proprietary.”
The proposal adds to a list of agency actions putting privacy at the center of its enforcement agenda. Requiring breach notifications from financial institutions would give the lead consumer protection agency in the U.S. more information to bolster its oversight of an industry that increasingly is vacuuming up more consumer data.
“I have a feeling that’s going to create a lot of controversy,” said Jessica Rich, former director at the bureau of consumer protection at the FTC.
Financial institutions operate under stricter breach reporting requirements than most other U.S. industries and reporting is required in most states. The proposal, which is not a finalized rule, raises questions about how the FTC would work with state attorneys general on breaches and “whether there is some sort of information sharing or interaction between the FTC” and “whether they want to collaborate,” said Calli Schroeder, global privacy counsel at the Electronic Privacy Information Center, a nonprofit in Washington, D.C.
A previous proposal that would have introduced similar requirements received industry pushback, something that will likely resurface during the comment period for the new proposal, Rich added.
The FTC also on Wednesday finalized an update to its rules for safeguarding consumer financial information by introducing more detailed requirements for measures that companies must take under the law. The FTC initiated the process of updating the decades-old Safeguards Rule in 2019.
The changes include specifying that, with some exceptions, firms must implement encryption and multifactor authentication to secure consumer data.
Recent high-profile financial breaches “could have been prevented or mitigated by adopting practices required by these amendments,” chair Lina Khan and commissioner Rebecca Slaughter, both Democrats, argued in their statement supporting the update. For instance, Equifax did not encrypt the data of 145 million consumers, something that required under the new rules “might have prevented the intruders from misusing individuals’ sensitive information, even if they were able to obtain it,” the pair wrote.
“It’s kind of shocking that that wasn’t in place beforehand,” said Schroeder of the new encryption requirement.
Schroeder characterized the rule change, which also requires firms to securely dispose of customer information within two years of its last use, as a positive step towards protecting consumer data.
The new rules come amid a flurry of proposals regarding cyber incident notification laws in Congress. Congress also continues to weigh a federal privacy law. Several Democrats last month encouraged the FTC to enact a privacy rulemaking process in lieu of federal progress.
The FTC’s two Republican commissioners, who both voted against the rule change, expressed concerns that the agency’s decision to veer into prescriptive security guidelines could overstep its authority.
“The decisions about tradeoffs in this space are complex and significant for consumers, business, and government,” commissioners Christine Wilson and Noah Phillips wrote in a dissenting opinion. “Intrusive mandates are best left to the people’s representatives rather than to the vagaries of the administrative rulemaking process.
“I don’t think that some of the things they asked for, in general, would be a big surprise to companies,” said Elizabeth McGinn, a partner at Buckley LLP who advises clients on cybersecurity and privacy compliance.