FTC Passes Amendment to Safeguards Rule
Automobile dealers are now facing an additional requirement under the Federal Trade Commission’s Safeguards Rule.
An amendment approved in October will require auto dealers and other non-banking institutions to notify the FTC of security breaches involving the information of more than 500 consumers within 30 days of discovery. The amendment will go into effect May 13, 2024.
This amendment follows the update to the Safeguards Rule, implemented in June 2023. The Safeguards Rule approved in October 2021 requires financial institutions to designate an individual to oversee their security program, develop a written risk assessment, limit and monitor who can access customer information, encrypt information, train security personnel, develop a response plan, assess security practices of service providers and implement multi-factor authentication for any individual accessing customer information.
The FTC said the intent of the Safeguards Rule is for institutions to strengthen their security to protect customers’ financial information.
“Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in a press release. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.”
The information to be reported includes the name and contact information of the financial institution, a description of the type of information involved, the date or range of the offense, the number of customers affected and a general description of the event.
The notification of the breach to the FTC is in addition to any state requirements to self-report issues, which can vary from state to state.
Shannon Robertson, Executive Director of AFIP, points out that many of the state reporting requirements are more concerned about the harm to the customer, whereas the FTC’s notification also looks at whether the organization took steps to prevent the breach.
Some objections to the amendment were filed, including a suggestion that reports be made only after a series of events. The commission responded, “not every notification event is necessarily the result of a failure to comply with the Safeguards Rule, it disagrees that a single breach cannot be ‘suggestive of compliance failures.’ Indeed, the fact that an institution has not experienced a breach does not necessarily mean that the institution complies with the Rule’s requirements. The Commission believes that taking action to correct a potential Safeguards Rule violation before additional security events can harm consumers is appropriate and desirable.”
The commission acknowledges that not every breach report will result in an enforcement action or investigation.
Robertson said that the dealer’s self-reporting and showing that they have worked to implement the Safeguards Rule could provide a level of defense or protection from a fine.
The FTC estimates the amendment will impact 115 financial institutions per year. Reports of breaches will be made public in a database.