FTC Requires Non-Bank Financial Institutions to Report Data Security Breaches Under Amended Safeguards Rule
On Friday, October 27, the Federal Trade Commission ("FTC") announced new amendments to the Safeguards Rule, requiring covered financial institutions to report certain data breaches to the FTC and reflecting its continuing focus on cybersecurity enforcement.
The Gramm-Leach-Bliley Act, enacted in 1999, requires financial institutions, broadly defined, to establish administrative, technical, and physical safeguards to protect customer information, but does not impose obligations to notify regulators of data breaches. It also tasked certain administrative agencies with establishing standards for appropriate safeguards. Pursuant to this directive, in 2002, the FTC promulgated the Safeguards Rule to establish such standards for financial institutions subject to the FTC's authority (i.e., non-banking financial institutions, including mortgage brokers, motor vehicle dealers, and payday lenders). The FTC Safeguards Rule was amended in 2021 and amended again on October 27, 2023.
The most recent amendment introduces a new reporting requirement: Covered financial institutions must notify the FTC of a "notification event" that involves the personal information of 500 or more consumers as soon as possible and no later than 30 days after discovery. This rule is the first FTC breach notification requirement promulgated since the FTC issued the Health Breach Notification Rule in 2009, the only other rule requiring notice to the FTC of certain data breaches.
Under the revised Safeguards Rule, a "notification event" means the acquisition of unencrypted customer information without the authorization of the individual to whom the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless the covered financial institution has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.
Following a notification event, financial institutions must provide the FTC with electronic notice via its website, which must include:
- Name and contact information of the reporting financial institution;
- Description of the types of information involved in the notification event;
- Date range of the notification event, if ascertainable;
- Number of consumers affected;
- Description of the notification event; and
- Whether law enforcement has provided a written determination that notifying the public would impede a criminal investigation or cause damage to national security, and contact information for the relevant law enforcement official, if applicable.
The FTC is authorized to bring enforcement actions under Section 5 of the FTC Act for failure to comply with the Safeguards Rule. The revised Safeguards Rule will go into effect 180 days after its publication in the Federal Register.