Following a corresponding consultation in 2021 (EventID 13610), the Federal Trade Commission (FTC) has published in the Federal Register its final rule with respect to the notification of unauthorized retrieval of unencrypted customer information from financial institutions.
Specifically, the new rule requires financial institutions, which include insurance companies, brokers, banks, building societies, mutual funds, and all other entities offering financial products and services to customers, to notify the FTC when there is an "unauthorized acquisition of unencrypted customer information" of at least 500 customers. The notification must be made as soon as possible, but no later than 30 days after discovery of the event, via a specified form on the FTC's website under https://www.ftc.gov, and must contain
– information about the reporting financial institution, including its name and contact information;
– a description of the types of information that were unlawfully retrieved;
– if possible to determine, the date or date range of when the "unauthorized acquisition" took place;
– an overall description of the occurrence; and
– if applicable, details about any law enforcement official’s written determination that disclosing the breach would hinder a criminal investigation or national security, along with contact information for the FTC to reach the law enforcement official.
It shall be noted that the final rule contains a key change to the proposed rule to take into account responses received from consumer protection groups. Specifically, the number of affected customers that triggers the notification requirement has been reduced from 1,000 to 500. Apart from minor wording changes, all other terms and provisions have remained in place.
The final reporting requirement will come into force on May 13, 2024.