A new amendment to the Safeguards Rule goes into effect in May that increases companies’ compliance obligations. Here’s what you need to know.
05/02/2024 1:55 P.M.
A new data breach disclosure requirement under the Federal Trade Commission’s Safeguards Rule goes into effect May 13, 2024. The amendment requires non-bank covered entities to report breaches involving the information of at least 500 consumers to the FTC within 30 days of the event.
When the Safeguards Rule was initially published in 2021, it did not include data breach notification requirements.
Notifications to the FTC must include the contact information of the reporting institution, a description of the information involved in the security event, the date of the security event, the number of impacted customers, and a general description of the security event.
“Any incident or breach of over 500 people gets reported to the FTC and they will publish it on a website,” Heath Morgan recently noted in an ACA Huddle. “So that is a compliance factor we have to think about in terms of why we have to value our data.”
Amendments to regulations like the Safeguards Rule occur often, said Jonathan Goldberger, senior vice president, security practice and strategic sales for TPx.
TPx, ACA’s IT and cybersecurity provider of choice, advises all members to ensure their incident response plan incorporates the breach notification requirements.
If you have already partnered with ACA’s cybersecurity partner of choice, TPx, then you are compliant with the latest update to the Safeguards Rule. TPx has incorporated this amendment into its cybersecurity program.
If you’d like help with Safeguards Rule compliance, contact TPx at [email protected].
Access ACA’s Safeguards Rule Resource Center here for compliance resources and ACA’s education as well as information from TPx. Webinar recordings related to the Safeguards Rule are available at ACA’s Store by selecting the Safeguards Rule topic.