FTC Publishes Final Data Breach Notification Amendment to Safeguards Rule
The Federal Trade Commission (FTC) recently published a final rule (the Amendment) amending the Standards for Safeguarding Customer Information, known as the “Safeguards Rule,” implemented pursuant to the Gramm-Leach-Bliley Act (GLBA). The Amendment will require certain non-bank financial institutions to report to the FTC incidents involving the unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information of at least 500 customers. These reports will be accessible to the public through a new database to be created by the FTC. The reports must include, in addition to other information, the name of the financial institution affected by the breach, the date of the breach, the number of consumers potentially affected, and a general description of the data breach itself. The Amendment was adopted following the 2021 adoption of a more comprehensive set of amendments to the Safeguards Rule, which were discussed in a previous advisory by Arnold & Porter. The 2021 amendments left open the question of how the FTC would address data breaches experienced by non-bank financial institutions. The Amendment answers that question, as discussed further below, and the obligations it imposes will be effective on May 13, 2024.
The Safeguards Rule applies only to non-bank financial institutions subject to the FTC’s oversight under GLBA. The definition of “financial institutions” under the Safeguards Rule encompasses all entities significantly engaged in activities determined by the Federal Reserve Board to be incidental to financial activities, but the FTC’s jurisdiction over these entities is limited to non-bank institutions such as:
- Non-bank mortgage lenders
- Payday lenders
- Finance companies
- Mortgage brokers
- Account servicers
- Check cashers
- Wire transferors
- Travel agencies operated in connection with financial services
- Debt collection agencies
- Credit counselors and other financial advisors
- Tax preparation firms
- Non-federally insured credit unions
- Investment advisors that are not required to register with the Securities and Exchange Commission
- Entities acting as intermediary “finders”
Thus, the Safeguards Rule does not apply to depository institutions, including banks, savings associations insured by the Federal Deposit Insurance Corporation (FDIC), and credit unions, nor does it apply to insurance companies regulated by state insurance departments. The Safeguards Rule also does not apply to securities broker-dealers, investment companies, or investment advisers regulated by the Securities and Exchange Commission.
The reporting obligations of the institutions subject to the Safeguards Rule Amendment extend only to security breaches involving customer information. “Customer information” is defined by the Safeguards Rule as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution or its] affiliates.” In some cases, breaches involving such information will also require the affected financial institution to provide notifications under applicable state laws; accordingly, financial institutions subject to the Safeguards Rule should pay close attention to whether notifications are required not only to the FTC but also to state authorities and affected state residents.
The Amendment requires non-bank financial institutions to notify the FTC after the discovery of a “Notification Event” involving a data breach that affects the information of at least 500 individuals. The Amendment defines a Notification Event as the acquisition of unencrypted customer information without the authorization of the affected customer. Importantly, under the Amendment, unauthorized acquisition is presumed if unauthorized access to customer information has occurred, unless there is reliable evidence demonstrating that the customer information has not been, or could not reasonably have been, acquired. Thus, if a financial institution is aware that a bad actor has accessed the customer information it maintains, the institution must presume that the bad actor acquired that customer information unless there is reliable evidence to the contrary.
Upon discovery that unencrypted customer information was acquired without authorization, financial institutions subject to the Amendment must notify the FTC as soon as possible, and no later than 30 days after discovery. Discovery occurs on the first day a Notification Event becomes known to the affected financial institution or any of its employees, officers, or agents.
Required Elements of the Notification
The notice to the FTC required by the Amendment must include certain information about the data breach, including:
- The name and contact information of the reporting financial institution
- A description of the types of information involved in the event
- If possible, the date or date range of the notification event
- The number of consumers potentially affected by the event
- A general description of the notification event
- If applicable, whether law enforcement has determined that notifying the public of the breach would impede a criminal investigation or cause damage to national security
The notice must be submitted through an electronic form to be available on the FTC’s website.
As noted above, every report of a data breach made to the FTC pursuant to the Safeguards Rule will be accessible in a publicly available database. There was industry pushback during the rulemaking process regarding potential negative effects that could follow mandated public disclosure of consumer data breaches, such as the risk of “pile-on” cybersecurity attacks on vulnerable institutions. However, the FTC concluded that the interest in providing actionable information for individuals who were directly affected and giving consumers an opportunity to consider proactive safety measures outweighed the potential negative effects of public reporting. The FTC’s approach places the Safeguards Rule in contrast with other federal data breach regulations, such as the Interagency Computer-Security Incident Notification rule jointly promulgated by the Office of the Comptroller of the Currency, FDIC, and Federal Reserve Board that took effect in May 2022, which does not require that incident reports be made publicly accessible.
The Amendment was formally published in the Federal Register on November 13 and it will take effect on May 13, 2024. In the meantime, it may be prudent for financial institutions to:
- Determine whether they are subject to the Safeguards Rule. The siloed nature of financial regulation in the United States, as well as the broad scope of relevant covered financial activities, can make identifying the applicability of regulations like the Safeguards Rule potentially daunting. Non-bank financial institutions that believe they may be subject to the FTC’s regulatory authority under GLBA should consult with their legal counsel to determine whether they are required to comply with the Amendment.
- Revisit their security response plans. Financial institutions should review and, as needed, revise their security response plans and disclosure processes to account for the new requirements of the Amendment.
- Prepare for data breaches to go public. Financial institutions should be prepared to navigate any potential harms, including security risks and reputational damage, that may emerge from the public disclosure of a data breach affecting customer information.
- Identify what state laws overlap with the Amendment’s data breach notification requirement. The FTC’s Amendment may overlap with state data privacy and cybersecurity laws that provide additional data breach reporting requirements. Financial institutions should identify what information is required to be reported under the multiple cybersecurity regimes and make sure their compliance and legal teams are prepared to handle overlapping cybersecurity and data privacy requirements.
Institutions interested in how the Amendment may impact their businesses may contact any of the authors of this Advisory or their usual Arnold & Porter contact. The firm’s Financial Services and Privacy, Cybersecurity, and Data Strategy teams would be pleased to assist with any questions about the Amendment, the Safeguards Rule, or cybersecurity and data privacy issues facing financial institutions more broadly.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.