FTC to Create Public Data Breach Website for Some Financial Firms

Federal Trade Commission building in Washington, D.C, on January 12, 2022. Photo: Diego M. Radzinschi/ALM

The National Association of Realtors has said that it believes the new regulation update will not apply to organizations such as real estate agencies that are engaging in traditional types of activities.

The SIFMA/BPI letter: The Securities Industry and Financial Markets Association and the Bank Policy Institute noted in a joint comment submitted in January 2022 that the update is of interest because it could affect entities that compete with their members and may face fewer regulatory constraints.

SIFMA and BPI also suggested that the regulation could lead to member companies that already have regulators getting more regulators.

The FTC may use the update to “impermissibly exceed its jurisdictional power — and it may do so in areas where there only a handful of consumers and areas where other federal prudential and state insurance regulators already exercise pervasive oversight,” the groups said.

Although insurance companies may be directly under the jurisdiction of state insurance regulators, “some entities within an insurance group … may not technically be subject to such rules, while functionally being connected to other corporate entities that are subject to those rules,” SIFMA and BPI said. “Adding the commission’s rules to such complex situations would only create confusion, not protect consumers.”

Similarly, the groups said, the investment adviser for a private investment fund might be subject to regulation by the Securities and Exchange Commission, but the fund itself might be exempt from SEC oversight.

The fund itself might have no employees and only a handful of sophisticated investors, but the commission could step in and interfere with the SEC’s work, the groups added.

See also  Goldman Sachs, JPMorgan and UBS Launch New Brands to Lure Average Investors

Representatives from SIFMA were not immediately available to comment on the release of the final rule.

The FTC’s perspective: FTC officials said that the new reporting requirements would be minimal, and that it needs to have its own breach notification reports, to help it spot and address problems early.

One commenter recommended that it get breach information from other state and federal regulators. “Such an approach would be extremely burdensome on the commission,” officials said. “Also, as some of the commenters noted, state laws vary in what types of incidents must be reported and to whom.”

The new Safeguard Rule update will establish a uniform reporting requirement for all affected financial institutions, officials said.

The database: SIFMA and BPI and some other commenters asked the FTC to make the breach reports confidential.

FTC officials argued that the reports will be similar to what many states already post and that the new database could spur consumers not yet affected by breaches to do more to protect their data.

The Federal Trade Commission Building in Washington. Credit: Diego M. Radzinschi/ALM