New FTC Breach Notification Rule

The nature and nuances of data breach regulations are ever evolving. Recently, the Federal Trade Commission (FTC) approved an amendment that requires non-banking financial firms to report certain breaches to the FTC itself. The amendment modifies the agency’s existing Safeguards Rule, a standard set of measures meant to protect customer data.

Falling under this umbrella are institutions like mortgage brokers, accountants, payday lenders, and automotive dealers. Having recently examined the growing risks inherent in motor vehicles, where in-vehicle sensors and other tools allow companies to collect a wealth of personal information and compile driver profiles from that data, it is clear why regulators are bringing the industry under increased scrutiny. We’ve seen research from Mozilla that casts light on these suspect gathering methods, such as cameras, apps and microphones that can record sensitive customer data, even including medical records, all with consumers having virtually no control over the process.

Against this backdrop, new regulations are enacted. The new FTC amendment expands the types of data that trigger the notification requirement. “Customer” data now qualifies as well. As defined by the FTC, customer data involves “records containing ‘non-public personal information’ about a customer. ‘Non-public personal information’ is, in turn, defined as ‘personally identifiable financial information,’ and excludes information that is publicly available or not ‘personally identifiable.’”

Looking at timetables, organizations must report incidents in which over 500 people have been affected to the FTC no later than 30 days after discovery. Oddly, notification to the impacted individuals themselves is not stipulated, though that may simply be because the FTC publishes the information itself. And since separate state laws invariably require that notice be extended to consumers, perhaps the Commission felt it was unnecessary in this amendment. But I’m just speculating here.

The Commission’s rule makes special note of non-public customer financial data that has been illicitly acquired and, specifically, lacks the protection of encryption. Recognition of the importance of data encryption is growing across industries, to the point that there is no excuse for a business or government agency to leave sensitive data out in the open, so to speak.

NetLib Security’s Encryptionizer product offers a solution. Transparently encrypting stored data across all environments, whether physical, virtual or cloud, Encryptionizer works right out of the box with no impact on system performance and no additional programming required. Under a deluge of both cybercrime and the regulations developed to fight it, Encryptionizer assists in meeting various compliance standards, including PCI, GDPR, HIPAA Omnibus/HITECH and FIPS 140-2.



By: Jonathan Weicher, post on November 8, 2023
Originally published at: https://www.netlibsecurity.com
Copyright: NetLib Security