The 30-Day Clock: New FTC Breach Notification Rules
The FTC has officially tightened the requirements. A new amendment to the Safeguards Rule requires financial institutions, including auto dealerships, to notify the FTC within 30 days of discovering a data breach involving the unencrypted customer information of 500 or more consumers. This rule became effective on May 13, 2024, and it fundamentally changes how dealerships must handle security incidents.
The Legal Citation
The breach notification requirement is codified at 16 CFR 314.4(j). Specifically, 314.4(j)(1) establishes the notification obligation, requiring covered financial institutions to notify the FTC “as soon as possible, and no later than 30 days” after discovery of a notification event.
What Triggers the 30-Day Clock?
A “notification event” is defined in 16 CFR 314.2(m) as the unauthorized acquisition of unencrypted customer information affecting 500 or more consumers. Critically, the rule includes a presumption of acquisition: if there is evidence of unauthorized access to unencrypted customer information, acquisition is presumed to have occurred unless the institution has “reliable evidence” that the information was not and could not reasonably have been acquired.
This presumption matters. You cannot avoid notification by claiming “we have no proof they actually took the data.” If attackers accessed the system where unencrypted customer data was stored, the burden shifts to you to prove they did not take it. In practice, that is an extremely difficult standard to meet.
The 500-Consumer Threshold
The threshold is 500 consumers, not 500 records. If one consumer has multiple records exposed, that counts as one consumer. However, when the exact number is uncertain during an active investigation, err on the side of reporting. The FTC will look far more favorably on a proactive notification than on a dealership that played games with the count to avoid the threshold.
The Encryption Carve-Out
The rule specifically applies to unencrypted customer information. If the compromised data was encrypted and the encryption keys were not compromised, you may not have a reportable notification event. This is why encryption is not just a technical best practice; it is a legal shield. Dealerships that encrypt customer data at rest and in transit, and that protect their encryption keys separately, have a defensible position if a breach occurs.
However, “encrypted” means properly encrypted with current standards (AES-256, for example), not password-protected Excel files or ZIP archives with weak passwords.
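The trigger logic above (distinct consumers rather than records, the unencrypted-only scope, the encryption carve-out that disappears once keys are compromised, the presumption of acquisition, and the 30-day clock from discovery) is easy to get wrong under pressure, so here it is written out as a triage helper. This is an added example, not code from the original article or from the FTC; the record layout, the field names and the sample incident are constructed assumptions for a tabletop walk-through.

```python
"""Notification-event triage for the FTC Safeguards Rule (16 CFR 314.4(j)).

Encodes the rule as the article describes it: a notification event is the
unauthorized acquisition of UNENCRYPTED customer information affecting 500 or
more CONSUMERS (not records); unauthorized access is presumed to be
acquisition unless reliable evidence rebuts it; the FTC deadline is 30 days
from discovery. Record layout and sample data are constructed, not real.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

CONSUMER_THRESHOLD = 500  # 16 CFR 314.2(m): 500 or more consumers
FTC_DEADLINE_DAYS = 30    # 16 CFR 314.4(j)(1): no later than 30 days after discovery


@dataclass
class ExposedRecord:
    consumer_id: str                 # hypothetical stable identifier for one person
    encrypted: bool                  # was this record encrypted at rest?
    keys_compromised: bool = False   # were the keys protecting it also exposed?


@dataclass
class Incident:
    discovered_on: date
    records: List[ExposedRecord]
    unauthorized_access: bool                     # evidence an intruder reached the data store
    reliable_evidence_not_acquired: bool = False  # e.g. logs proving no read or export occurred


@dataclass
class Triage:
    affected_consumers: int
    acquisition_presumed: bool
    notification_event: bool
    ftc_deadline: Optional[date]
    reasons: List[str] = field(default_factory=list)


def unencrypted_consumers(records: List[ExposedRecord]) -> Set[str]:
    """Distinct consumers whose information was effectively unencrypted.

    Encrypted data whose keys were also compromised gets no carve-out, so it
    counts. Several records for one consumer count as one consumer.
    """
    return {r.consumer_id for r in records if not r.encrypted or r.keys_compromised}


def ftc_deadline(discovered_on: date) -> date:
    """Latest filing date: 30 days after discovery (file sooner where possible)."""
    return discovered_on + timedelta(days=FTC_DEADLINE_DAYS)


def triage(incident: Incident) -> Triage:
    exposed = unencrypted_consumers(incident.records)
    reasons = []
    if not exposed:
        reasons.append("all exposed data was encrypted with uncompromised keys")

    # Presumption of acquisition: access to unencrypted data is treated as
    # acquisition unless there is reliable evidence to the contrary.
    presumed = bool(exposed) and incident.unauthorized_access
    if presumed and incident.reliable_evidence_not_acquired:
        presumed = False
        reasons.append("reliable evidence rebuts the presumption of acquisition")
    elif presumed:
        reasons.append("unauthorized access to unencrypted data; acquisition presumed")

    over_threshold = len(exposed) >= CONSUMER_THRESHOLD
    if exposed and not over_threshold:
        reasons.append(f"{len(exposed)} consumers is below the {CONSUMER_THRESHOLD} "
                       "threshold; re-check as the investigation refines the count")

    event = presumed and over_threshold
    return Triage(
        affected_consumers=len(exposed),
        acquisition_presumed=presumed,
        notification_event=event,
        ftc_deadline=ftc_deadline(incident.discovered_on) if event else None,
        reasons=reasons,
    )


def sample_incident(reliable_evidence: bool = False) -> Incident:
    """Constructed incident: 655 records, 525 distinct consumers effectively unencrypted."""
    records = [ExposedRecord(f"C{i:04d}", encrypted=False) for i in range(520)]
    records += [ExposedRecord(f"C{i:04d}", encrypted=False) for i in range(100)]   # duplicate rows
    records += [ExposedRecord(f"C{i:04d}", encrypted=True) for i in range(600, 630)]  # keys safe
    records += [ExposedRecord(f"C{i:04d}", encrypted=True, keys_compromised=True)
                for i in range(700, 705)]
    return Incident(date(2024, 6, 3), records, unauthorized_access=True,
                    reliable_evidence_not_acquired=reliable_evidence)


if __name__ == "__main__":
    print(triage(sample_incident()))
    print(triage(sample_incident(reliable_evidence=True)))
```

Run as a script it prints two results for the constructed incident: with no rebuttal evidence, 525 affected consumers and a filing deadline of 2024-07-03 (30 days after the 2024-06-03 discovery); with reliable evidence that nothing was acquired, the same count but no notification event. Note how the 100 duplicate rows do not raise the count, the 30 encrypted records with safe keys are excluded, and the 5 encrypted records whose keys were exposed are counted.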
How to Report: The FTC Portal
Breach notifications are filed through the FTC’s dedicated online portal at ftc.gov/safeguards-report. The report must include:
- The name and contact information of the reporting entity
- A description of the types of information involved in the breach
- The date or date range of the event
- The number of consumers affected or potentially affected
- A general description of the incident
This information will be made public on the FTC’s website. If your security program is a “paper-only” program, the public disclosure will be the least of your worries.
What Happens After You File
Filing a breach notification is not the end of the process; it is the beginning. The FTC will use these notifications as a roadmap for investigations and enforcement actions. Expect follow-up questions about your Information Security Program, your most recent risk assessment, your vendor oversight practices, and your incident response procedures. If you cannot demonstrate that you had a functioning security program before the breach, the notification effectively becomes evidence of your own non-compliance.
FTC Notification vs. Consumer Notification: Two Separate Obligations
Notifying the FTC under 314.4(j) does not satisfy your obligation to notify affected consumers. Consumer notification requirements come from state breach notification laws, which vary significantly:
- Many states require notification within 30 to 60 days
- Some states, such as Florida, require notification within 30 days
- Others, including Colorado and Connecticut, have requirements as short as 30 days from discovery
- Several states require notification to the state attorney general in addition to affected consumers
You must comply with the notification laws of every state where affected consumers reside, not just the state where your dealership is located. For a dealership with customers across multiple states, this can mean navigating a patchwork of different requirements, timelines, and formats.
GLBA and the FTC Safeguards Rule: How They Interact
The FTC Safeguards Rule is issued under the authority of the Gramm-Leach-Bliley Act (GLBA). The GLBA broadly requires financial institutions to protect customer information, and the Safeguards Rule provides the specific implementation requirements. The breach notification amendment extends the GLBA’s protective framework by ensuring the FTC has visibility into security failures across the financial sector it oversees, which includes auto dealerships, mortgage brokers, tax preparers, and other non-bank financial institutions.
This is distinct from banking regulators’ breach notification requirements (which cover banks and credit unions under separate federal rules). Dealerships fall under FTC jurisdiction, making 314.4(j) their primary federal breach notification obligation.
What You Should Do Right Now
1. Update your Incident Response Plan to include the FTC notification step with the 30-day deadline explicitly documented, along with assigned roles and responsibilities for the notification process.
2. Verify your encryption posture. If customer data is encrypted with properly managed keys, you may avoid the notification trigger entirely.
3. Map your state obligations. Know which state breach notification laws apply to your customer base and what they require.
4. Run a tabletop exercise that includes the breach notification process. Walk through the scenario: who discovers the breach, who makes the call on notification, who drafts the report, and who files it.
5. Engage legal counsel now, before you need them. A breach response is not the time to start interviewing attorneys.
The 30-day clock does not pause for confusion, internal politics, or wishful thinking. It starts when you discover the event. Be ready.
