On October 27, 2023, the Federal Trade Commission (“FTC”) adopted an amendment to the FTC’s Safeguards Rule that will require non-banking financial institutions to notify the FTC within thirty days of discovering a data breach involving the nonpublic personal information of at least 500 consumers. The amendment takes effect 180 days after publication in the Federal Register, which suggests an effective date in mid-2024.

Regulatory Context

The Gramm-Leach-Bliley Act (“GLBA”) imposes certain privacy and data security obligations on covered “financial institutions.”¹ Under the GLBA, financial institutions are broadly defined to include any institutions engaging in activities that are financial in nature or incidental to such financial activity.² For banking (typically depository) financial institutions, the GLBA provides enforcement authority to the federal banking regulators (the Federal Deposit Insurance Corporation, Federal Reserve, Office of the Comptroller of the Currency and the National Credit Union Administration). For all other types of financial institutions, the GLBA provides enforcement authority to the FTC.³

The federal banking regulators have issued rules requiring financial institutions within their jurisdiction to 1) implement safeguards to protect the security, confidentiality and integrity of customer information, and 2) notify the applicable federal banking regulators and affected customers in the event of a data breach involving unauthorized access to customer information.⁴ Until now, the FTC had promulgated a Safeguards Rule that required financial institutions to implement certain security requirements, but did not include any mandatory data breach notification obligations.⁵ Now, the FTC has adopted its own distinct version of a data breach notification obligation for covered organizations.

Applicability of the Safeguards Rule Amendment

The FTC’s new data breach notification requirement applies to “financial institutions” that are not otherwise regulated by one of the federal banking regulators. The FTC has provided the following non-exhaustive list of such covered organizations:

• Retailers that issue their own credit cards directly to consumers;
• Automobile dealerships that lease vehicles for longer than 90 days;
• Mortgage lenders;
• Payday lenders;
• Finance companies;
• Mortgage brokers;
• Account servicers;
• Check cashers;
• Wire transferors;
• Travel agencies operated in connection with financial services;
• Collections agencies;
• Credit counselors and other financial advisors;
• Tax preparation firms;
• Non-federally insured credit unions;
• Investment advisors that are not required to register with the SEC;
• Entities acting as finders;
• Personal property or real estate appraisers;
• Financial career counselors;
• Businesses that print and sells checks for consumers; and
• Real estate settlement service providers.

Each organization will need to conduct a fact-based assessment to determine whether they are a financial institution for purposes of this rule.

Requirements Under the Amended Safeguards Rule

The amended Safeguards Rule requires financial institutions to report any instance of the unauthorized acquisition of unencrypted customer information of at least 500 consumers to the FTC as soon as possible but in no event later than thirty days following discovery of the breach. The notice must include (1) the name and contact information of the reporting financial institution, (2) a description of the types of information that were involved in the notification event, (3) the date or date range of the notification event (if it is possible to determine), (4) the number of consumers affected, (5) a general description of the event and, if applicable, whether any law enforcement official has provided the institution with a written determination that notifying the public of a breach would impede a criminal investigation.

It is important to note that the rule’s reference to “customer information” is generally broader than the operative definitions used by the federal banking regulators in their data breach notification requirements. The FTC’s requirement covers any nonpublic personal information about a customer of a financial institution, whether in paper, electronic or other form.⁶ This includes any information provided by the customer in order to obtain a financial product, information about a customer resulting from any transaction involving a financial product or service, and any other information obtained about the customer in connection with providing the financial service. This could include, for example, application information, account balance information, payment history, the fact that the individual is a customer, any information collected in connection with serving a credit account, any information collected through an internet cookie and any information from a consumer report.

Practical Guidance for Covered Financial Institutions

As a threshold matter, all organizations should determine whether they are subject to the FTC’s Safeguards Rule well in advance of any data security incident. The new data breach notification requirement is only one part of the more comprehensive set of data security requirements under the Safeguards Rule. Covered organizations must implement an information security program that contains nine specific elements. Prior guidance from Polsinelli regarding these requirements can be found here. This new reporting rule provides the FTC a new method to identify and investigate financial institutions who may not be compliant with the Safeguards Rule.

Covered organizations should ensure that their data security incident response plans address the new rule by incorporating the definitions and reporting timeframes under the FTC rule and other applicable laws. As with any external notice regarding a data security incident, notices to the FTC should be timely, factual, and accurate. The organization should identify the person or team who will be responsible for leading the organization’s incident response and ensuring that regulators are notified in accordance with applicable law.

The organization should distribute the updated incident response plan to all individuals who may be required to execute on the plan in both physical and digital formats. Once adopted, organizations should ensure that the plan is routinely tested to identify potential gaps and to increase the effectiveness of the response plan under an actual crisis.