FAQ - Data breaches: Non-bank Lender FTC Notification Requirements

April 25, 2024 BY MQMR Blogger

Question: Will a state-regulated mortgage company be required to report data breaches to the Federal Trade Commission (FTC)?

 

Answer:

Yes, under an amendment to the Safeguards Rule effective May 13, 2024, the FTC will require certain nonbank financial institutions, including mortgage lenders and brokers, to notify it of data breaches and security events. Specifically, the amendment requires notice to the FTC after discovery of a “notification event” that involves the information of at least 500 consumers. The amendment defines a “notification event” as follows:

 

“[A]cquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”

Notification events must be reported to the FTC as soon as possible and no later than 30 days after discovery. The notice must be made electronically on a form located on the FTC’s website (FTC.gov) and must include the following:

  • Name and contact information of the reporting financial institution;
  • Description of the types of information that were involved in the notification event;
  • If possible to determine, the date or date range of the notification event;
  • Number of consumers affected or potentially affected by the notification event;
  • General description of the notification event; and
  • Whether any law enforcement official provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.