The amendment to the Federal Trade Commission's Safeguards Rule, which aims to hold the US finance sector to high cybersecurity standards, will apply to entities including insurance companies, mortgage brokers, payday lenders, and car dealerships.
"The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers' data." The FTC ultimately reduced this to 500, but said it would likely only lead to the additional reporting of a small number of incidents a year – around 5 percent more that would, by the FTC's estimates, affect 155 extra organizations.Lawyers slam SEC for 'blatant fishing expedition' after Exchange mega-attack
Other states, like Colorado, have different rules for different cutoffs. If the number of affected residents is between 500 and 999, notices must be sent to the Attorney General. For those that impact 1,000 or more, the organization must notify all consumer reporting agencies too. Data breaches of any size must always be reported to individuals that are affected, no matter how small the number, within 30 days.