[co-author: Amy Gopinathan]

On October 27, 2023, the Federal Trade FTC (FTC) approved amendments to its version of the Standards for Safeguarding Customer Information Rule (the Safeguards Rule) to require non-banking financial institutions regulated by the FTC, including financial technology companies, mortgage brokers, credit counselors, financial planners, and tax preparers, among others, to report certain data breaches and other security events directly to the FTC.¹

The FTC’s amended Safeguards Rule is significant for several reasons. First, it meaningfully changes the landscape for non-banking financial institutions, which did not previously have an obligation to report incidents to the FTC. Second, it covers an extremely broad category of information, which will effectively result in the reporting of all incidents that fall within the rule’s specifications. Third, the new rule applies to a broader category of incidents (it covers “notification events” as opposed to “security events”) and covers unauthorized disclosures of unencrypted data, in addition to pure data breaches, unless it can be shown that there has not been, or could not reasonably have been, unauthorized access to data. This is consistent with how the FTC has recently been interpreting security incidents in other contexts, including, for example, with the FTC’s Health Breach Notification Rule. Fourth, its notice trigger is significantly tighter than those required for banks and other financial institutions outside the jurisdiction of the FTC’s Safeguards Rule.² Fifth, the new rule will likely lead to increased exposure for non-banking financial institutions that experience security incidents, as the FTC has indicated that it “intends to enter notification event reports into a publicly available database.” Finally, the new rule may, in some instances, reduce notice obligations for non-banking financial institutions under existing state laws, as a number of states have carve-outs under their breach notice laws for entities that have their own notice procedures as required by the Gramm-Leach-Bliley Act (GLBA).

To prepare for the rule, covered entities should not only review their policies and procedures related to incident response and notice to ensure that they take the revisions to the Safeguards Rule into account, but also review their overall compliance with the Safeguards Rule and consider areas for enhancement.

Background

For added context, sections 501 and 505(b)(2) of the GLBA set forth standards for financial institutions in developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. Subtitle A of Title V of the GLBA requires federal financial regulators, including the FTC, Office of the Comptroller of the Currency (OCC), Federal Reserve, Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA), to implement those security standards for all financial institutions within each regulator’s jurisdiction. The FTC, for example, regulates financial institutions that are not otherwise subject to the enforcement authority of other regulators under Section 505 of the GLBA—usually described as non-banking financial institutions. Non-banking financial institutions under the FTC’s purview include mortgage lenders, “pay day” lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.

The Safeguards Rule, which took effect in 2003, was previously updated by the FTC on December 9, 2021, with the amendments based largely on the New York Department of Financial Services (NYDFS), 23 NYCRR 500 (Part 500).³ As the FTC noted in the Proposing Release, Part 500, NYDFS (as well as other federal agencies enforcing the GLBA like the OCC, the Federal Reserve Board, and the FDIC) requires financial institutions to provide regulatory notice and consumer notice where appropriate. Additionally, the FTC noted in the Proposing Release that other federal agencies that enforce the GLBA have long required financial institutions to provide notice in accordance with the law (citing, for example, the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Interagency Guidance)). Notably, the Interagency Guidance requires notification related to “sensitive customer information,”⁴ whereas the newly revised Safeguards Rule reaches “customer information.”⁵ In explaining the rationale for this choice, the FTC noted that “security events that trigger the notification requirement—where customers’ non-public personally identifiable unencrypted financial information has been acquired without authorization—are serious and support the need for FTC notification.”

Though the 2021 updates to the Safeguards Rule did not include a reporting requirement, the FTC did publish a Supplemental Notice of Proposed Rulemaking to address reporting of security events and sought comments on its proposal. The recently approved amendments to the Safeguards Rule reflect the culmination of that effort.

Overview of the Revised Rule

The amendments to the Safeguards Rule will become effective 180 days after publication in the Federal Register. At a high level, the rule requires that financial institutions report “notification events” to the FTC within 30 days of discovery of the notification event where the information of 500 consumers is involved.

A “notification event” is defined as the “unauthorized acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This is broader than the definition of a “security event” that was included in the rule’s original proposal. This new definition of a “notification event” likely means that covered entities must comply with the rule’s obligations with respect to unauthorized disclosures of data (in addition to actual data breaches). (This is consistent with how the FTC has recently started interpreting the Health Breach Notification Rule.) There is also an open question as to how this definition of a “notification event” aligns with the requirements of the GLBA’s Privacy Rule (which generally does not require consumer authorization for sharing data with third parties).

Other relevant terms under the updated rule are also defined broadly. Under the Safeguards Rule, “customer information” is defined expansively and covers a vast amount of data, including, for example, the fact that an individual is or has been a customer, any information provided by the consumer (to obtain a loan, credit card, or other financial product or service), and information collected from websites via cookie.⁶ Furthermore, under the revised rule, “unauthorized acquisition” is presumed to include unauthorized access to unencrypted customer information unless the financial institution has “reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” These broad definitions will make it so that covered entities will have to comply with the Safeguards Rule’s new notice provisions in a wide range of circumstances.

Under the new rule, notice must be provided through the FTC website and must include:

• Name and contact information of the reporting financial institutions;
• Description of types of information involved;
• Date or date range (if possible to determine);
• Number of consumers affected;
• General description of the notification event; and
• If applicable, whether any law enforcement official has provided a written determination that notifying the public would impede a criminal investigation or damage national security, and contact information for that law enforcement official.

Finally, while there is no exception to the 30-day reporting requirement, there is a law enforcement exception for “notifying the public of the breach,” which would delay public disclosure of the reports submitted by up to 30 days following the date when notice was provided to the FTC (with potential to extend for an additional 60 days). However, such a delay must be requested by law enforcement, not the financial institution.

Next Steps

Non-banking financial institutions, such as financial technology companies, mortgage brokers, credit counselors, financial planners, and tax preparers, should expect to see an increase in FTC engagement on cybersecurity-related risks for financial institutions and an increase in investigative activity. As the SEC noted in providing the rationale for the notice requirement, “the FTC will not have to devote resources to continually search for breach notifications posted by other sources in order to know that a financial institution has experienced a breach” and will be able to “identify breaches that merit investigation more quickly and efficiently.” Additionally, non-banking financial institutions should be prepared for increased media exposure and litigation risk, as the FTC has indicated that it will make incident reports publicly available.

¹ For examples of covered entities, see 16 C.F.R. § 314.2(h)(1).

² See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 FR 15736, 15752 (Mar. 29, 2005) (originally issued by the Office of the Comptroller of the Currency; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; and the Office of Thrift Supervision) (“At a minimum, an institution’s response program should contain procedures for the following: … Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.”), https://www.occ.treas.gov/news-issuances/federal-register/2005/70fr15736.pdf (emphasis in original).

³ Note that amendments to Part 500 were finalized on November 1, 2023. We will be following up in a separate blog post discussing the revisions and next steps.

⁴ Defined in the Interagency Guidance as “a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account” and including “any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.”

⁵ Customer information is defined as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” 16 CFR 314.2(d).

⁶ See 16 C.F.R. § 314.2(n)(2) (listing examples of personally identifiable financial information).