
Looking Ahead to the FTC’s Implementation of the Data Breach Notification Rule for Nonbanking Financial Institutions

January 26, 2024

From the law firm of Polsinelli PC:

Beginning on May 13, 2024, nonbanking “financial institutions” must notify the Federal Trade Commission (“FTC”) within 30 days of discovering a data breach involving the nonpublic personal information of at least 500 consumers. These covered organizations can include a wide variety of companies that engage in financial activities but that are not directly regulated by federal banking regulators, including automobile dealerships, higher educational institutions participating in federal student financial aid programs, mortgage lenders or brokers, tax preparation firms, travel agencies, and others. These organizations are already required to implement certain information security protections pursuant to the FTC’s Safeguards Rule. The FTC’s new data breach notification requirement will provide the FTC with a critical tool to ensure that organizations are properly safeguarding consumer data.

[…]

The FTC is also likely to initiate investigations into many of the reported breaches. Consistent with how the FTC has investigated prior data security incidents and consistent with how other federal regulators investigate reported incidents, reporting organizations should expect the FTC to conduct a three-pronged inquiry following a data breach report. First, the FTC will likely request information about how the organization responded to the incident, including how it conducted its investigation, how it ensured that its systems were secure, and whether and how it notified potentially affected individuals. Second, the FTC is likely to seek information about the organization’s underlying information security program and compliance with the FTC’s Safeguards Rule. Finally, the FTC may seek information about the organization’s overall data privacy compliance program under the FTC’s jurisdiction to investigate and prohibit unfair or deceptive acts or practices in commerce. The FTC’s inquiry into these areas can be quite detailed.

The FTC stated its intention to publicly post the data breach notices it receives. That will create additional issues for entities that have experienced a breach in terms of reputation, litigation, and media coverage.

Read more at The National Law Review.