The expansion of the FTC’s Safeguards Rule will require businesses to notify customers and the FTC of cyber breaches that had previously been excluded from reporting requirements. Previously, only banks had been required to notify customers of breaches, but now business entities that perform banking-like activities will follow the same requirements as banks. This means entities like car dealers and check cashing services will have additional reporting requirements if they don’t properly protect customer data. If your entity provides financing services to consumers, you should speak with a lawyer to understand your responsibilities under this new law.
Since 2021, the Federal Trade Commission (“FTC”) has taken additional steps toward protecting American consumer data and privacy through the expansion of the “Safeguards Rule.” The Safeguards Rule is short for the FTC’s Standards for Safeguarding Customer Information. See 16 CFR § 314. These standards are implemented through sections 501 and 505(b)(2) of the Graham Leach Bliley Act (“GLBA”), a federal law, enacted in 1999 to reform the financial industry and impose requirements to secure customers’ data and privacy. Historically, the GLBA was understood to apply specifically to banks. The class of affected businesses has expanded through redefining the term “financial institutions” to include businesses that provide certain banking-like services to the general public. Title 16, Code of Federal Regulations, Section 314.2(h) defines “Financial Institution” as: “[a]ny institution in the business of which is engaging in any activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Company Holding Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in activities incidental to such financial activities, is a financial institution.”
What businesses are now included under the Safeguards Rule? The rule now includes business activities that one may not anticipate. Luckily, there are examples listed under 16 CFR 314.2(h)(2) that include:
1) Retailer that extends credit by issuing its own credit card to consumers;
2) Automobile Dealerships;
3) Personal Property or real estate appraiser;
4) Career counselor who specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization;
5) Business that prints and sells checks to consumers;
6) Business that regularly wires money to and from consumers;
7) Check cashing businesses or those that print and sell checks to consumers;
8) An accountant or tax preparation service;
9) Business that operates a travel agency in connection with financial services;
10) Entity that provides real estate settlement services;
11) Mortgage Brokers;
12) An investment advisory company and credit counseling service;
13) Company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.
One of the critical elements of the Safeguards Rule is that all Financial Institutions, including the expanded scope entities, are now required to report data security incidents, which are defined as a “Notification Event” under the rule. Businesses subject to the Rule must report when information of more than 500 consumers is accessed: a decrease from the previous threshold of 1000. Businesses must understand the answers to two questions: does your business fall under the expanded definition of “financial institutions”; and, if so, when is your business required to provide notice to the FTC and customers?
Affected businesses are required to inform the FTC and consumers of a database breach when a “Notification Event” occurs. A “Notification Event” defined under 16 CFR 314.2(m) of the Safeguards Rule is the “’acquisition of unencrypted consumer information without the authorization of the individual to which the information pertains.” Information is considered unencrypted if the encryption key is accessed by an unauthorized person. For example, someone hacks into your email and your saved passwords allow automatic access to various websites such as payroll where sensitive information is stored, or when someone hacks into your email and your login and passcode are the same as your SharePoint login where company encrypted data is stored. Customer information that is subject to the Safeguard Rule includes “any record carrying nonpublic personal information” or “personally identifiable financial information”, such as account numbers, social security numbers, home address information, etc. 16 CFR 314.2(d). In an ironic shift of responsibility, an unauthorized acquisition is presumed unless the affected Financial Institution can provide reliable evidence that there has not been, or could not have reasonably been, unauthorized acquisition of, or access to, consumer information.
Not all breaches require notification. A notification event is triggered only when customer information has been acquired by a person not authorized to have the information. Notification is not required where accidental misuse of the information by employees is the triggering event. Storing data in an encrypted format also changes the notification requirement. Notification also is not required when customer information is encrypted provided that the encryption key was not accessed by an unauthorized individual or person. Businesses subject to the Safeguards Rule must report a triggering Notification Event to the FTC within thirty (30) days from the date of discovery. Discovery means the very first day it is known by any employee, officer, or other agent of the business. Reports that must be filed via an electronic form via the FTC website. All reports filed will be made public and will be published in an online searchable database.
What if businesses do not comply? When it comes to enforcement and compliance with the Safeguards Rule, the FTC is taking violations very seriously. The FTC can impose penalties of up to $100,000.00 per violation and Directors and Officers of business can be personally fined. Liability does not stop with paying fines and/or penalties to the FTC. Affected consumers and employees can sue the company directly for breach of data privacy. There will also likely be damage to business reputation that may impact company revenue and growth potential.
Just like the rest of the US Government, the FTC is ramping up its requirements and wants to provide consumers with more protection and more visibility into unauthorized access to their information. Ignorance of the FTC Safeguards Rule is not an excuse. If there is any possibility your business is subject to the amended Safeguards Rule, you should consult with an appropriate professional with the assistance of counsel as soon as possible. Professionals can help mitigate risk and cost to your business and help you perform remediation to implement a compliant information security program.
Business Reality: the cost of compliance is far less than the cost of penalties, fines, and lawsuits for failure to comply.
[View source.]
