Financial institutions are now required to notify the Federal Trade Commission about any security breach that involves the information of 500 customers or more. The breach must be reported no later than 30 days after it is discovered.
On April 24, the Federal Trade Commission announced that it had finalized changes to its Health Breach Notification Rule - to address emerging technologies.
Specifically, the Rule was broadened to (1) apply to entities not currently subject to the Health Insurance Portability and Accountability Act, (2) clarify what a breach of security is, (3) expand notification methods, (4) impose additional requirements for the content of notifications, and (5) amend the timeframe for issuing required notifications to the FTC.
On March 20, the U.S. House of Representatives passed House Resolution 7520, the Protecting Americans’ Data from Foreign Adversaries Act of 2024, targeting companies that sell sensitive information to “foreign adversaries.” H.R. 7520 comes on the heels of two other major developments. First, House Resolution 7521 would require TikTok to divest from its Chinese parent company. Second, President Biden’s Executive Order 14117, requires, among other things, that the Attorney General make rules restricting data brokers from selling bulk sensitive personal data to “countries of concern.” The two resolutions and the E.O. are part of a growing, bipartisan trend to restrict access to sensitive information by foreign adversaries.
On December 20, the Federal Trade Commission released a notice of proposed rulemaking to update the Children’s Online Privacy Protection Rule, known as the “COPPA Rule.” (We are linking to the official version of the proposed rule that was published in the Federal Register on January 11.) In a press release published on December 20, the FTC announced that the proposed amendments “would place new restrictions on the use and disclosure of children’s personal information and further limit the ability of companies to condition access to services on monetizing children’s data.”
Amendments have recently been proposed to two of the three statutes to be enacted under Canada’s Bill C-27: The Digital Charter Implementation Act. The statutes that may be amended are the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act. The proposed amendments would beef up the protections in both statutes.
The Federal Trade Commission has approved an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act that creates a new data privacy regulatory reporting requirement for non-banking financial entities. Covered entities must notify the FTC within 30 days of discovery of a “notification event” that involves the unauthorized acquisition of unencrypted customer information of 500 or more consumers. The new rule, announced on October 27, takes effect 180 days after publication in the Federal Register, meaning approximately May 2024.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
Subscribe
Contributors
- Suzie Allen
- John Babione
- Bert Bender
- Jason Cherry
- Christopher R. Deubert
- Maria Efaplomatidis
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Amir Goodarzi
- Taren N. Greenidge
- Chasity Henry
- Julie Hess
- Sean Hoar
- Donna Maddux
- David McMillan
- Ashley L. Orler
- Todd Rowe
- Melissa J. Sachs
- Allen Sattler
- Matthew Toldero
- Alyssa Watzman
- Aubrey Weaver
- Xuan Zhou