Finance orgs have 30 days to confess cyber sins under incoming FTC rules
2023-10-31 16:13

The FTC ultimately reduced this to 500, but said it would likely only lead to the additional reporting of a small number of incidents a year - around 5 percent more, which by the FTC's estimates would affect 155 extra organizations.

The 500-consumer cutoff broadly aligns with state laws around data breach reporting in the US. California, for example, requires similar disclosures to be made in the event that 500 state residents are affected by a breach, whereas the cutoff is set at 1,000 individuals in Alabama.

Data breaches of any size must always be reported to individuals that are affected, no matter how small the number, within 30 days.

The FTC's news comes just a few months after the Securities and Exchange Commission announced its own mandatory breach reporting rules in July, but with a far stricter four-day window.

Public companies that suffer "material" data breaches will be required to file an Item 1.05 Form 8-K report that includes details of the breach - similar information to that required by the FTC's latest amendment - which will be made public by the regulator.

The Department of Homeland Security has also recently published proposals to make the reporting of security incidents more streamlined at the federal level, including the recommendation for a single reporting portal.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/31/ftc_30_day_breach_disclosure/