New FTC Rule Accelerates Data Breach Reporting
Vigilance Newsletter

It's always in the news: another great organization damaged by a devastating cyber attack. One main issue facing security leaders today is whether they have to publicly disclose the breach and notify government and consumers. That requirement alone can damage a brand. Conversely, sharing that information is critical to the security community and government in the effort to bolster defenses.

To safeguard consumer information and enhance transparency, the U.S. Federal Trade Commission (FTC) has introduced revised reporting requirements for non-banking institutions.

The new regulations apply to non-banking financial institutions, such as:

  • consumer lenders,
  • mortgage brokers,
  • auto dealers,
  • payday lenders.

The Revised Safeguards Rule: Strengthening Data Breach Reporting

In an effort to reinforce consumer protection, the FTC has revised the Safeguards Rule, which now requires non-banking financial institutions to disclose data breaches to the commission. Under the new regulation, consumer lenders must report breaches to the FTC when a third party acquires the unencrypted records of at least 500 consumers without authorization. This requirement aims to ensure swift and transparent reporting of data breaches, enabling consumers to make informed decisions about the financial institutions they entrust with their information.

Accelerating the Reporting Timeline

The revised Safeguards Rule also introduces a 30-day deadline for companies to report breaches after their discovery. This expedited timeline emphasizes the importance of prompt action and ensures that consumers are informed in a timely manner.

By reducing the reporting timeline, the FTC aims to enhance accountability and minimize the potential damage caused by data breaches.

Evolving Definitions: Acquiring vs. Misusing Data

One significant change in the revised Safeguards Rule is the shift in how a triggering incident is defined.

The original language focused on the "misuse" of consumer data, while the updated rule emphasizes the unauthorized "acquisition" of unencrypted data.

This is a meaningful change. It means organizations can no longer avoid reporting by claiming there was no evidence of misuse. It closes a potential loophole.

In the past, companies could have circumvented the reporting requirement by claiming that misuse was not reasonably likely to occur.

The FTC's intent is to prevent any manipulation of the reporting process and ensure that all data breaches are duly reported.

The new rule, taking effect six months from now, requires covered institutions to report when they discover that a third party has "acquired" unencrypted data without authorization.

Empowering Consumers through Transparency

The FTC acknowledges the concerns raised by industry lobbyists regarding public disclosure of breach reports. However, the agency firmly believes that providing breach data to the public is paramount to consumer empowerment.

By making breach notices public, consumers can make more informed decisions about which financial institutions they trust with their sensitive information. This transparency will foster accountability and encourage companies to prioritize cybersecurity measures.

"Making the notices public will enable consumers to make more informed decisions about which financial institutions they choose to entrust with their information," the FTC stated.

Building a Public Database: Centralizing Breach Notifications

To effectively implement the new reporting requirements, the FTC plans to establish a public database to house breach notifications. This potential "wall of shame" is not intended for shaming, but rather for the empowerment of consumers, whose protection rests with the FTC.

The new reporting site will be centralized and public, similar in many ways to the public reporting HHS does for healthcare breaches today.

This centralized repository will serve as a comprehensive resource for consumers, allowing them to access information about data breaches across various financial institutions. By consolidating this information, the FTC aims to streamline the reporting process and enhance public awareness regarding data security.

Exceptions to the Reporting Requirements

The revised Safeguards Rule does include an exception when the acquired data was encrypted. If the acquired data was encrypted and the unauthorized party did not access the encryption key, organizations are not required to disclose the breach.

This exception recognizes the importance of strong encryption practices in safeguarding consumer information and encourages companies to implement robust security measures.

The Journey to Stronger Data Protection

The introduction of the revised Safeguards Rule marks a significant step toward strengthening data breach reporting requirements for non-banking institutions.

By establishing clear guidelines and timelines, the FTC aims to foster a culture of accountability and transparency within the industry. As technology continues to evolve, it is imperative that organizations adapt their cybersecurity measures to protect consumer data effectively.


Additional Information:

The Cost of Data Breaches

Data breaches can have significant financial implications for both companies and consumers. According to recent studies:

  • The average time a threat actor is inside a network without detection can be weeks or months.
  • The rise in remote workers has expanded the attack surface and increased the need for additional protections for endpoints used by remote workers to combat threats like ransomware.
  • The average cost of a data breach in the United States is $8.64 million.
  • The global average cost of a data breach is $4.24 million.
  • Less than 40% of US organizations prepare properly: most lack formalized, updated Incident Response Plans and do not hold tabletop exercises, real-world simulations of a data breach.

By implementing robust security measures and promptly reporting breaches, companies can mitigate the financial impact of data breaches and protect their reputation.

Steps to Strengthen Data Security

To enhance data security and minimize the risk of data breaches, organizations should consider implementing the following measures:

  1. Real-Time Detection: Having "24/7 Eyes on Glass" from a Security Operations Center, often provided by an MSSP, allows for comprehensive real-time detection and threat hunting to spot anomalies and insider threats before damage can be done.
  2. Remote Worker Endpoint Detection & Response: Having security layers like MEDR in place allows an organization to bolster its protection against the increased risk posed by remote workers, enabling it to Kill, Quarantine, Remediate and Restore those endpoints to their pre-breach condition as if the breach had not happened.
  3. Encryption: Encrypt sensitive data to protect it from unauthorized access.
  4. Multi-factor authentication: Implement multi-factor authentication properly and throughout all systems to add an extra layer of security.
  5. Employee training: Educate employees on cybersecurity best practices in an ongoing, job-embedded manner with test-phishing and other training geared toward social engineering.
  6. Have a Plan and Practice It: Having an incident response plan and running annual tabletop exercises is similar to conducting a fire drill for children back in school. An organization cannot wait until the day of a breach to determine who is responsible for what and who needs to take action. It is a critical part of the critically needed security layers.

Have Security concerns? Let's talk. We will help you create a practical Security Roadmap.

David Mauro

Konica Minolta Managed IT, North America (MSSP)


Ryan Rad

Helping Clients Leverage Technology & Navigate Cybersecurity

1 year

Thank you for sharing!

CHESTER SWANSON SR.

Realtor Associate @ Next Trend Realty LLC | HAR REALTOR, IRS Tax Preparer

1 year

Thanks for sharing.
