Third-Party Compliance With FTC Data Breach Notification Requirement

If you haven’t yet considered how to address data breach notification requirements with your third-party vendors, now might be a good time. On October 27, 2023, the Federal Trade Commission (FTC) became the latest regulator to issue a requirement regarding data breach notifications. Although this amendment to the Safeguards Rule applies to financial institutions, including non-banking organizations such as mortgage brokers and auto dealers, any organization can benefit from understanding these requirements.

The Basics of the FTC Safeguard Rule Breach Notification Amendment

The FTC’s Safeguards Rule has undergone a few updates since it became effective in 2003. This latest amendment requires financial institutions, including non-banking organizations, to report certain security incidents that impact 500 or more consumers. In this case, a security incident is defined as one that involves unencrypted customer information that was acquired without authorization.

The following excerpt is taken directly from the final rule and describes what an organization must include in the notification to the FTC:

The notice to the Commission must include:

(1) the name and contact information of the reporting financial institution;

(2) a description of the types of information that were involved in the notification event;

(3) if the information is possible to determine, the date or date range of the notification event;

(4) the number of consumers affected;

(5) a general description of the notification event; and, if applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.

The rule further states that an organization must notify the FTC “no later than 30 days after discovery of the event,” which can be done by submitting the notice through the FTC’s website.

3 Tips to Ensure Third-Party Compliance With the FTC Data Breach Notification Rule

Although this guidance isn’t focused on third-party data breaches, it’s important to consider how these requirements can affect your third-party relationships. Remember that your organization can face significant reputational, financial, and regulatory impacts from third-party data breaches, so it’s best to take a proactive approach and ensure compliance with this guidance.

Here are some tips to keep in mind:

• Regularly review your third parties’ cybersecurity documentation. Third-party data breaches aren’t completely avoidable, but it’s still essential to have a thorough understanding of your third parties’ cybersecurity posture so you can identify any gaps or weaknesses in the vendors’ controls that can lead to an incident. This can be achieved by reviewing various documents such as penetration testing results, data retention and destruction policies, and incident detection and response plans.
• Add breach notification requirements to your third-party contracts. This is where you can align your contractual requirements with regulatory expectations. Breach notification requirements should generally include details about the timing of notification, such as 24-72 hours after the third party discovers the incident. You may also want to require the third-party vendor to provide information about how they will investigate the data breach, remediate the situation, and prevent any future incidents. Your contract should also include any penalties that may be imposed on the third party after a breach, such as a suspension or termination.
• Consider other laws and regulations. This guidance from the FTC is just one of several that might be relevant to your organization. Various states have also issued their own data breach notification requirements, along with requirements from the NCUA and the SEC, so it’s a good idea to stay updated on current laws and regulations.

The Safeguards Rule is intended to protect customer information. All organizations, regardless of industry, can benefit from the best practices outlined in this guidance. By maintaining an effective information security program that includes data breach notification requirements with your third-party vendors, your organization will be well prepared to respond to any future security incidents.