On October 27, 2023, the Federal Trade Commission (“FTC”) approved an amendment (“Amended Rule”) to the Standards for Safeguarding Customer Information (the “Safeguards Rule”) that will require non-banking financial institutions (“covered entities”) to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unauthorized acquisition of unencrypted customer information of at least 500 consumers. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected. The FTC will publish information from the notification event report on a publicly available database. The Amended Rule, which applies to all covered entities subject to the Safeguards Rule, will be effective on May 13, 2024.
We previously wrote about the FTC’s 2021 amendments to the Safeguards Rule, which expanded the scope of covered entities to include non-banking financial institutions such as mortgage lenders and brokers, motor vehicle dealers, and payday lenders, among many others. The 2021 amendments also increased information security program requirements for these covered entities and required new oversight responsibilities. The FTC had also issued a 2021 supplemental notice of proposed rulemaking requesting comments on a breach notification requirement for covered entities that had been pending until now.
In this blog post, we discuss the Amended Rule’s requirements and potential impacts.
What is the trigger for notification to the FTC?
The Amended Rule requires covered entities to report any “notification event” involving the information of at least 500 consumers—which is lower than the 1,000 consumer threshold contained in the FTC’s 2021 proposed rule—to the FTC no later than 30 days after discovery of the notification event. Notably, although the obligation to report to the FTC arises if the notification event involves 500 consumers, the definition of “notification event” hinges on unauthorized access of information belong to customers—a term defined more narrowly than “consumers.” The FTC’s intent in using both terms here is unclear, and likewise elsewhere in the Adopting Release it uses “customers” and “consumers” interchangeably in this context.
The Amended Rule defines a “notification event” as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains,” where:
- “Customer information” is “nonpublic personal information” about a customer;
- A “customer” is a “consumer” (an individual who obtains or has obtained a financial product or service from the covered entity that is to be used primarily for personal, family, or household purposes) with a continuing relationship with the covered entity for the provision of such products or services (“customer relationship”);
- “Non-public personal information” is “personally identifiable financial information,” which includes any information a consumer provides to a covered entity to obtain a product or service, information about a consumer resulting from financial transactions with them, or any other information obtained about a consumer in connection with providing them financial products or services. The only exemptions are “blind data” that contain no personal identifiers or publicly available information; and
- Customer information will be considered to be “unencrypted” in situations in which the encryption key was also accessed without authorization, regardless of whether the customer information was encrypted.
The Amended Rule requires that a notification event must be treated as “discovered” as of the first day on which the event is known, and deems financial institutions to have knowledge of a notification event “if the event is known to any person, other than the person committing the breach, who is the financial institution’s employee, officer, or other agent.” The Amended Rule clarifies the trigger for the notification requirement by conditioning notification on discovery of unauthorized acquisition (not, as proposed, on its misuse). The Amended Rule also provides a rebuttable presumption that “unauthorized acquisition will be presumed to include unauthorized access unless the financial institution can show that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” Covered entities may accordingly need to conduct a close examination of the forensic evidence surrounding the security breach to make this determination.
What does unauthorized acquisition mean under the Amended Rule?
Unauthorized acquisition turns on the absence of authorization by the customer to whom the information pertains, and not on authorization by the covered entity that collects information from the individual customer. This marks a departure from most state data breach notification laws and parallels the FTC’s 2009 Health Breach Notification Rule. In recent enforcement actions and guidance, the FTC has interpreted “unauthorized acquisition” broadly as “a company’s disclosure of covered information without a person’s authorization,” such as through the use of third-party tracking tools used for advertising. The FTC may well adopt a similar approach here.
What content is required in the notification to the FTC?
The Amended Rule states that covered entities must notify the FTC of a notification event through an electronic form submission on the FTC’s website that provides the following details: (1) the name and contact information of the reporting financial institution; (2) a description of the types of information that were involved in the notification event; (3) if the information is possible to determine, the date or date range of the notification event; (4) the number of consumers affected or potentially affected by the notification event; (5) a general description of the notification event; and (6) whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.
Will notices to the FTC be made public?
Yes. While the Amended Rule does not require covered entities to directly notify affected consumers, the FTC intends to enter notification events into a publicly available database.
What is the timeline for notification to the FTC?
The Amended Rule requires notification to the FTC no later than 30 days after discovery of a notification event.
While the FTC does not provide a provision for delayed notification to it on the basis that the notification would impede a criminal investigation or cause damage to national security, the Amended Rule permits law enforcement to submit requests for delaying notification to the public of up to 30 days following the date of notice to the FTC. The delay may be extended for an additional 60 days upon written request, with further extensions possible only if the FTC staff determines that public disclosure of a security event would continue to impede a criminal investigation or cause damage to national security.
Steps to Consider
Given the scope of the Amendment, covered entities should consider the following steps prior to the Amended Rule’s effective date:
- Determine Applicability: Companies should assess whether the Safeguards Rule applies to any of its business(es), noting the applicable definitions of “customer information” and “financial institution,” which include institutions that are engaged in activities incidental to financial activities, as determined by the Federal Reserve Board. If a company determines that it is a covered entity, it will then need to determine whether a security breach impacts 500 or more customers.
- Ensuring Proper Consumer Authorization for Contemplated Disclosures: Given that notification events are based on authorization from individuals whose information is at issue, covered entities might consider assessing and ensuring that their contemplated disclosures of customer information are authorized, such as by ensuring that applicable Gramm-Leach-Bliley (“GLB”) privacy notices are accurate and up to date.
- Review Data Inventory and Controls over Customer Information: Covered entities should ensure that inventories of customer information are current and that their cybersecurity programs comply with the Safeguards Rule’s substantive security requirements, including that customer information is encrypted at rest and in transit. The Amended Rule does not require notification if the customer information acquired is encrypted, so long as the encryption key was not accessed by an unauthorized person.
- Review Logging Capabilities: Given that a triggering event includes a rebuttable presumption that unauthorized acquisition will be presumed to include unauthorized access, covered entities may want to evaluate their current logging capabilities. Comprehensive logging capabilities will better enable covered entities to rebut the presumption of unauthorized access in justifying a decision to not make a notification under the Amended Rule.
- Update Incident Response Plans and Processes: Covered entities should consider preparing for the broad set of circumstances that may trigger notification to the FTC under the Amended Rule. This may include updating incident response plans to require escalation where customer information is at issue and where the triggering threshold could be met, and ensuring that processes are in place to meet the 30-days from discovery notification deadline.
To subscribe to the Data Blog, please click here.