FTC Updates Safeguards Rule to Require Data Breach Reporting, Adopts EPIC Recommendations
October 27, 2023
The Federal Trade Commission approved an amendment to the Safeguards Rule that requires non-banking financial institutions to report certain data breaches and other security events to the Commission. The changes strengthen the rule by requiring covered entities to create and maintain a comprehensive security program to protect their customers’ information. Non-banking financial institutions will be required to notify the Commission as soon as possible, and no later than 30 days after discovery, of a security breach affecting at least 500 consumers. EPIC filed comments last year on the proposed Safeguards Rule amendment, which the Commission cited favorably throughout the final rule. EPIC’s comments argued that covered entities should be required to notify the Commission of a breach regardless of whether they believe misuse is likely and that covered entities should still be required to notify the Commission of covered incidents even if there is a compelling law enforcement basis to not notify the public—recommendations that were both adopted by the Commission. EPIC applauds the Commission for using its authority to protect consumers’ personal information, routinely files comments with the Commission concerning data protection rules and enforcement actions, and works to protect the security of consumers’ data.