Under the Federal Trade Commission’s (“FTC”) new amendment to the Safeguards Rule (the “Amended Rule”), non-banking financial institutions will have to report certain data breaches and other security events to the agency.

Requirements

Approved on October 27, 2023 by a 3-0 vote by the Commission after a public comment period, the amendment requires non-banking financial institutions that are regulated by the FTC to report “notification events” the Commission as soon as possible, and no later than 30 days after discovery, of a security breach involving “the unauthorized acquisition of unencrypted customer information” of at least 500 consumers. The FTC will publish information from the notification event report on a publicly available database. The notice must include the following:

  • The name and contact information of the reporting financial institution;
  • A description of the types of information involved in the notification event;
  • The date or date range of the notification event, if determinable;
  • The number of customers affected; and
  • A general description of the event.
    • If applicable, the description should include whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, along with a means for the FTC to contact the law enforcement official.

As used in the Amended Rule:

“Customer information” is “nonpublic personal information” about a customer;

A “customer” is a “consumer” (an individual who obtains or has obtained a financial product or service from the covered entity that is to be used primarily for personal, family, or household purposes) with a continuing relationship with the covered entity for the provision of such products or services (“customer relationship”);

“Non-public personal information” is “personally identifiable financial information,” which includes any information a consumer provides to a covered entity to obtain a product or service, information about a consumer resulting from financial transactions with them, or any other information obtained about a consumer in connection with providing them financial products or services. The only exemptions are “blind data” that contain no personal identifiers or publicly available information; and

Customer information will be considered to be “unencrypted” in situations in which the encryption key was also accessed without authorization, regardless of whether the customer information was encrypted.

The notice must be provided through an electronic form located on the FTC’s website. Notice is required as soon as possible, and not later than 30 days after discovery of the security breach.

The Amended Rule requires that a notification event must be treated as “discovered” as of the first day on which the event is known, and deems financial institutions to have knowledge of a notification event “if the event is known to any person, other than the person committing the breach, who is the financial institution’s employee, officer, or other agent.”  The Amended Rule clarifies the trigger for the notification event by conditioning notification upon discovery of unauthorized acquisition (not, as initially proposed, on its misuse).  The Amended Rule also provides a rebuttable presumption that “unauthorized acquisition will be presumed to include unauthorized access unless the financial institution can show that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”  Accordingly, covered entities may need to analyze the forensic evidence surrounding the security breach to make this determination.

The Amended Rule requires covered entities to report any “notification event” involving the information of at least 500 consumer, which is lower than the 1,000 consumer threshold contained in the FTC’s 2021 proposed rule, to the FTC no later than 30 days after discovery of the notification event.  Notably, although the obligation to report to the FTC arises if the notification event involves 500 consumers, the definition of “notification event” hinges on unauthorized access of information belong to customers—a term defined more narrowly than “consumers.” Why the FTC uses the terms “customers” and “consumers” interchangeably is unclear.

Background

Set to come into effect 180 days after the publication of the rule in the Federal Register, this notification requirement is treated as supplementing the amendments to the Safeguards Rule that were issued in December 2021.

In the initial Notice of Proposed Rulemaking (“NPRM”), which solicited comments on what would become the 2021 Amendment, the Commission acknowledged that the proposed amendments were largely based on the New York Department of Financial Services cybersecurity regulations (“Cybersecurity Regulations”). However, the Cybersecurity Regulations, as well as other federal agencies enforcing the Graham-Leach-Bliley Act, required notification of a security event to the regulator, while the NPRM did not.

The Commission solicited comments on whether it should amend the Safeguards Rule to require financial institutions to report security events, and if so, sought opinions on how such a requirement would look. That comment period ultimately turned into a Supplemental Notice of Proposed Rulemaking, published on the same day the 2021 Amendment was published in the National Register, and eventually the supplemental amendment published on October 27, 2023.

Our Take

Covered entities are well-advised to consider the following actions prior to the Amended Rule’s effective date:

  1. Assess Rule Applicability: Companies should evaluate if the Safeguards Rule is relevant to their business operations. This involves understanding the defined terms such as “customer information” and “financial institution,” and recognizing that the Amended Rule encompasses institutions involved indirectly in financial activities, as per the Federal Reserve Board’s decision. If identified as a covered entity, companies must ascertain whether a security breach affects 500 or more customers.
  2. Ensure Authorized Consumer Disclosures: Covered entities should ensure that any planned disclosures of customer information are duly authorized. This involves confirming the accuracy and relevancy of privacy notices pursuant to the Gramm-Leach-Bliley (“GLB”) requirements, ensuring they are based on the consent of the individuals whose information is being disclosed.
  3. Review Customer Information Inventory and Controls: It is vital for covered entities to maintain an updated inventory of customer information and ensure that their cybersecurity measures are aligned with the substantial security obligations of the Safeguards Rule. This includes encrypting customer information both at rest and during transit. If the information is encrypted and the encryption key remains secure, there is no requirement for notification in case of a breach.
  4. Evaluate Logging Capabilities: Covered entities should scrutinize their logging capabilities, as the Amended Rule assumes unauthorized access in case of any unauthorized acquisition. Enhanced logging capabilities allow covered entities to rebut this assumption, providing grounds for deciding against notification under the Amended Rule.
  5. Update Incident Response Strategies: Entities should be ready for various situations that might necessitate notification to the FTC pursuant to the Amended Rule. This involves enhancing incident response strategies to ensure prompt escalation in cases where customer information is compromised, and also ensuring mechanisms are established to fulfill the notification obligations within 30 days from the discovery of the incident.