EPIC Backs Data Breach Notification Amendment to FTC Safeguards Rule
February 8, 2022
EPIC has submitted comments to the Federal Trade Commission in support of proposed changes to the Safeguards Rule, the FTC regulation that requires financial institutions to keep customer information secure. The proposed amendment would mandate that financial institutions report any security event affecting or likely to affect at least 1,000 consumers and in which misuse of consumer information has occurred or is likely to occur. EPIC supports the proposed amendment but urged the FTC to require covered entities to notify the Commission and consumers of all security incidents implicating the personal information of 1,000 or more customers—whether or not institutions believe misuse is likely. EPIC also recommended that the FTC not provide a carve-out for encrypted data and that it impose a standalone reporting requirement untethered to existing federal or state laws. EPIC called on the FTC to publish security event notices by default unless there is a compelling law enforcement basis to withhold a particular notice. EPIC has long advocated for the FTC to use its legal authorities to combat harmful data practices and routinely files comments with the agency.