Key Point: The Federal Trade Commission (FTC) has amended the Safeguards Rule to require non-banking financial institutions to inform the FTC within 30 days of discovering any unauthorized acquisition of unencrypted customer information that affects 500+ customers.

The Federal Trade Commission (FTC) has announced a significant amendment to the Safeguards Rule, that directs all financial institutions, including non-banking entities, to report certain data breaches and security events to the FTC within 30 days.

The Safeguards Rule, which is predicated on the Gramm-Leach-Bliley Act (GLBA), now requires all financial institutions to report to report “notification events” to the FTC. The FTC is defining a notification event as “the unauthorized acquisition of unencrypted customer information, involving at least 500 customers.” The amendment goes into effect in April 2024. See pending additions at 16 C.F.R. § 314.2(m) and § 314.5.

Business entities covered by the Safeguards Rule

The Safeguards Rule applies to financial institutions subject to the FTC’s jurisdiction and that are not subject to the enforcement authority of another regulator under § 505 of GLBA. See FTC Safeguards Rule: What Your Business Needs to Know. The Safeguards Rule’s preexisting definition of a financial institution is unchanged:  

Any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in the Bank Holding Company Act of 1956 …. An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution.

16 C.F.R. § 314.2(h)(1). The definition continues by providing thirteen examples of businesses that are not banks or credit unions but are significantly involved in financial activities, such as automobile dealerships, mortgage brokers, payday lenders, retailers with their own credit cards. 16 C.F.R. § 314.2(h)(2).

Accordingly, because federal agencies such as the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency already require their regulated entities to report data security incidents to consumers and regulators, and the Consumer Financial Protection Bureau does not enforce the Safeguards Rule (the Dodd Frank Act left that authority with the FTC), the FTC’s amendment can be construed as applying to “non-banking financial institutions.”

Evolution of cybersecurity reporting within the Safeguards Rule and GLBA

The FTC added cybersecurity requirements to the Safeguards Rule on December 19, 2021. The December 2021 additions required financial institutions to implement cybersecurity programs to protect customer data through encryption, limited access, and written procedures for sharing the information. When the 2021 provisions were first proposed, the FTC acknowledged that they relied heavily on the cybersecurity regulations issued by New York’s Division of Financial Services (NYDFS). On the same day, the FTC published the 2021 regulations, it also announced its intent to further amend the Safeguards Rule with a mandatory reporting provision and brings us to the October amendment.

Requirements of the amended Safeguards Rule

When the FTC defined a notification event, it hoped to avoid arbitrary line-drawing questions regarding the sensitivity of the exposed customer information. The amended Safeguard Rule uses the existing regulation’s definitions of customer information and non-public personal information. The FTC defines non-public personal information as personally identifiable financial information and excludes information that is publicly available or not “personally identifiable.” See 15 U.S.C. § 6809(4), and 16 C.F.R. § 314.2.

The FTC believes that security incidents should “trigger the notification requirement where customers’ non-public personally identifiable, unencrypted financial information has been acquired without authorization are serious and support the need for Commission notification.”[1]   

FTC notifications provision will be encoded at 16 C.F.R. § 314(j), and will require a covered entity to include the following details through a form available on the FTC’s website https://www.ftc.gov: 

1. the name and contact information of the reporting financial institution
2. a description of the types of information exposed in the notification event
3. if the information is [available to identify], the date or date range of the notification event
4. the number of consumers affected, and
5. a general description of the notification event.

This notification must be made within 30 days of discovery of the notification event, where ‘discovery’ is the first day the event is known to the non-banking financial institution. See pending additions at 16 C.F.R. § 314.4(j)(2).

If applicable, the notification must include whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official. See pending additions at 16 C.F.R. § 314.4(j)(1)(vi).

Notably, and in contrast to the FTC’s use of preexisting definitions in the GLBA Privacy Rule, the process for communicating this law enforcement / national security exception differs from the exception allowed in the Securities Exchange Commission’s (SEC) reporting requirements that were issued in August 2023. This procedural disparity is but one example of the myriad reporting requirements that regulated entities need to navigate within the Federal government. Specifically, the Department of Homeland reported that the Cyber Incident Reporting Council assessed fifty-two separate, and potentially duplicative, Federal reporting requirements for cyber events. On top of the Federal maze of reporting requirements, the private sector needs to monitor and comply with fifty state breach disclosure laws and a growing wave of comprehensive privacy laws enacted or making their way through the state legislatures.

Consistent with the SEC’s philosophy that current and prospective investors should be informed of material cybersecurity incidents, the FTC believes that making a database of notification events publicly available will benefit consumers writ large and will further incentivize companies to protect customer information.

Conclusion

The FTC contends that the amended Safeguards Rule will be a significant development in data security regulation and reflects its commitment to protecting consumer information and willingness to hold financial institutions accountable for data security breaches. Non-banking financial institutions should take note of these changes and ensure that they follow the new requirements.

[1]  Standards for Safeguarding Customer Information, Federal Trade Commission Final Rule p. 17, Oct. 27, 2023 available at https://www.ftc.gov/system/files/ftc_gov/pdf/p145407_safeguards_rule.pdf.

[View source.]