
Finance orgs have 30 days to confess cyber sins under incoming FTC rules

In the latter case, contact details for the law enforcement agency would also need to be supplied.

US law enforcement may seek to delay the public disclosure of an incident, in which case the relevant agency would need to provide a written request for an extension, which can be granted for an additional 60 days beyond the initial 30-day window.

Crucially, the amendment [PDF] will only apply to security breaches that involve the theft of unencrypted data belonging to at least 500 consumers.

The original proposal, for which drafting began in October 2021, would have applied the amendment only to events affecting 1,000 or more consumers.

The FTC ultimately lowered the threshold to 500, but said the change would likely add only a small number of reports each year – around 5 percent more, which by the FTC's estimates would bring roughly 155 additional organizations within scope.

The 500-consumer cutoff broadly aligns with state laws around data breach reporting in the US. California, for example, requires similar disclosures to be made in the event that 500 state residents are affected by a breach, whereas the cutoff is set at 1,000 individuals in Alabama.

Other states, like Colorado, apply different rules at different cutoffs. If the number of affected residents is between 500 and 999, notice must be sent to the state Attorney General; if 1,000 or more are affected, the organization must also notify all consumer reporting agencies. Affected individuals must be notified within 30 days regardless of how many residents a breach involves.

The amendment will come into effect 180 days after it is published in the Federal Register. The publication date has not been set, so the rule will most likely take effect in 2024.

The FTC’s news comes just a few months after the Securities and Exchange Commission (SEC) announced its own mandatory breach reporting rules in July, but with a far stricter four-day window.

Public companies that suffer "material" data breaches will be required to file a Form 8-K with an Item 1.05 disclosure detailing the breach – similar information to that required by the FTC's latest amendment – and the filing will be made public by the regulator.

Experts speaking to The Register at the time expressed concern over US organizations’ ability to determine materiality, saying compliance will be difficult to maintain as a result.

The Department of Homeland Security (DHS) has also recently published proposals [PDF] to make the reporting of security incidents more streamlined at the federal level, including the recommendation for a single reporting portal. ®