Data breach reporting mandate for non-bank financial entities approved
The Federal Trade Commission has amended the Safeguards Rule to require non-banking financial organizations with at least 500 customers, including mortgage brokers, payday lenders, and motor vehicle dealers, to report data breaches and other cybersecurity incidents within a 30-day period, according to The Record, a news site by cybersecurity firm Recorded Future. The amendment will be effective beginning in April.
Incident reports by impacted entities should provide not only a description of the incident but also detail the kinds of information compromised, the time period of the breach, and the number of individuals whose data were compromised, said the FTC, which also noted that the organizations should submit reports through a form on its website.
"Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised. The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers' data," said FTC Bureau of Consumer Protection Director Samuel Levine.