Last week, the FTC announced that it had finalized its rulemaking to add data breach notification provisions to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. As expected, the new provisions require non-bank financial institutions to provide notice to the FTC of data incidents meeting certain thresholds and detail the trigger for, and content and timing of, the notice. The FTC’s proposal elicited only 49 comments, perhaps because most stakeholders thought that the new requirements were inevitable and would be fairly routine. After all, the federal banking agencies have long required data breach notification under GLBA, every state in the country has a data breach law, and the Commission was only proposing that notice be given to the FTC, not to consumers.
However, there’s a surprising feature in the data breach provisions as finalized. In particular, the FTC added a new definition of “notification event,” which will now serve as the trigger for notification. The new definition states, in relevant part:
- Notification event means the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.
By contrast, as originally proposed, the Rule would have tied the data breach notification provisions to the Rule’s existing definition of “security event,” which reads:
- Security event means an event resulting in unauthorized access to, or disruption of misuse of, an information system, information stored on such information system, or customer information held in physical form.
This change is far more significant than it may look at first glance. It also conflicts (at least partially) with the privacy provisions of GLBA, and is likely to create confusion. Here are more details about the consequences of this change:
The new definition more clearly covers both data security breaches and unauthorized disclosures of data.
Following in the footsteps of the FTC’s proposal to amend the Health Breach Notification Rule (HBNR), the new notification trigger, by focusing on the concept of “unauthorized acquisition,” seems designed to cover, not only data security breaches, but also unauthorized data disclosures. While the HBNR proposal is explicit on this point, the materials accompanying the final Safeguards Rule don’t mention it. Instead, the Statement of Basis and Purpose (SBP) accompanying the Safeguards Rule explains that the new definition was necessary to avoid a confusing reference to data misuse in the original proposal.
The new definition requires notice to the FTC for any disclosure not authorized by the consumer. This conflicts (at least partially) with the privacy provisions of GLBA.
Use of the phrase “without the authorization of the individual” in the Rule’s new definition of “notification event” means that an acquisition of data isn’t unauthorized (and thus requires notification) unless it’s authorized by the consumer. Further, the term “authorization” is often understood to mean affirmative express consent (opt in), although the final Rule doesn’t say that, or even discuss the issue. (By contrast, the FTC asks questions about the meaning of “authorization” in its HBNR proposal.)
If “authorization by the consumer” means opt in, then the new trigger for notification is at odds with the privacy provisions of GLBA. That’s because GLBA specifically allows the disclosure of covered data to an affiliated entity without consumer consent, and to third parties pursuant to an opt out. Further, even if “authorization of the individual” is considered to encompass the GLBA opt out for disclosures to third parties, it still clashes with the GLBA provisions governing disclosures to affiliates.
So how can disclosures to affiliates and (maybe) third parties be treated as unauthorized for data breach purposes when they’re specifically authorized under the law? And where in GLBA does the FTC find authority for its new breach notification trigger? The SBP doesn’t answer these questions.
The new definition creates inconsistencies within the Rule itself.
Following this latest amendment, the Safeguards Rule now includes two different definitions of a breach (or breach-like event), each with its own requirements.
The first definition – “security event” (see definition above) – still appears in the Rule as something companies must avoid, plan for, respond to, and report on as part of their data security programs. This term also implicitly links to the term “authorized user,” which the Rule defines as “an employee, contractor, agent, customer, or other person that is authorized to access any of your information systems or data,” and which would encompass affiliates and third parties that acquire data in compliance with GLBA. Thus, in the data security portion of the Rule, companies need not defend against disclosures of data that comport with GLBA because such disclosures are authorized.
The second definition – “notification event” – triggers the new data breach notice requirements. Because this definition turns on whether the consumer has authorized the disclosure of data, it sets up a different (and broader) standard for breach notification than for the Rule’s data security obligations. Read literally, it would also require notice to the FTC even for disclosures to affiliates and (possibly) third parties that comply with the privacy provisions of GLBA.
Even apart from the legal questions raised by these competing definitions, they are bound to create confusion. For example, to follow the Rule as written, companies may need to develop two breach notification plans – one for “security events” and another for “notification events.”
Looking Ahead
We have yet to see how the FTC will enforce the new provisions of the Rule. Many of them (e.g., regarding the format and timing of the notice) appear straightforward and, as noted above, the FTC is only requiring notice to itself, not to consumers.
However, if the FTC tries to enforce the new provisions in a way that conflicts with GLBA (i.e., claiming that disclosures of data that comport with GLBA should nevertheless trigger notice to the FTC), it will likely have some trouble. Companies will be able to point to conflicting requirements in the law, as well as in other parts of the Rule (including the definition of “authorized user”), to counter such an interpretation.
[View source.]
