On October 27, 2023, the FTC announced a new reporting provision for businesses affected by the already-amended Safeguards Rule.
The new provision requires businesses to report cybersecurity incidents that affect 500 or more people.
From the FTC:
The FTC just announced an amendment to the Rule that will require non-banking financial institutions within the FTC’s jurisdiction to report data breaches affecting 500 or more people. (Federal Trade Commission)
FTC guidance for the new rule seems fairly simple, although it may prove cumbersome (and embarrassing) to CPAs and other businesses liable under the Standards for Safeguarding Customer Information.
The focus is on “notification events” – defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” If a notification event “involves the information of at least 500 consumers,” the covered entity must contact the FTC “as soon as possible, and no later than 30 days after discovery of the event.” (Federal Trade Commission)