A New General Notice Requirement for Financial Institutions
FTC Further Amends Safeguards Rule to Require Data Breach Reporting
- The Federal Trade Commission (FTC) announced an amendment to the Gramm-Leach-Bliley Safeguards Rule (Safeguards Rule) on Oct. 27, 2023, that will require non-banking financial institutions to report certain security events to the FTC.
- The amendment will apply to financial institutions under the FTC's jurisdiction that suffer a security event in which unencrypted customer information affecting at least 500 consumers is acquired without authorization.
- Only notification to the FTC is required; the amendment adds no obligation to notify affected individuals. The amendment helps the FTC enforce the Rule because reported events are entered into a public database: financial institutions now have a concrete incentive to protect customer data in order to avoid potential follow-up regulatory review and the reputational hit of public disclosure.
- The FTC notification obligation applies irrespective of the particular data elements involved, and regardless of any particular risk of harm. The timing obligation is also straightforward: within 30 days of discovery of the event. Amendments to the Safeguards Rule will take effect 180 days after being published in the Federal Register.
The Federal Trade Commission (FTC) on Oct. 27, 2023, announced further amendments to the Gramm-Leach-Bliley Safeguards Rule (Safeguards Rule). The Safeguards Rule became effective in 2003, requiring certain financial institutions to implement comprehensive security measures for the protection of customer data. As threats to the security of financial data continued to evolve and proliferate, the FTC published amendments to the Safeguards Rule on Dec. 9, 2021, to add more robust cybersecurity requirements – including requirements related to risk assessments, access restrictions, service provider assessment requirements and incident response plans. (See Holland & Knight's previous alert, "The Impact of Cybersecurity Regulations on the Financial Services Industry in 2022," Jan. 12, 2022.)
Though the 2021 amendments did not address security event notification obligations, the FTC noted that other federal agencies enforcing the Gramm-Leach-Bliley Act (GLBA) have long required financial institutions to provide security incident notice under the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
Under the revised Rule, non-banking financial institutions are required to notify the FTC upon "discovery" of a "notification event." For many financial institutions, the revised Rule is additive to existing security incident notification regulations, such as the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, which require banking organizations to notify their primary federal regulator of a computer-security incident that rises to the level of a "notification incident."
Notably, the revised Rule differs from existing Interagency Guidance notification requirements to individuals by requiring notification in the event of unauthorized acquisition of unencrypted customer information (any nonpublic personal information about a customer of a financial institution), rather than only sensitive customer information (technically, a customer's name, address or telephone number in conjunction with sensitive personal information such as a Social Security number, driver's license number or account number).
Under the revised Rule, financial institutions that experience a notification event involving at least 500 consumers must notify the FTC as soon as possible, but no later than 30 days after discovery of the notification event. A notification event is considered "discovered" as of the first day on which the event is known to the financial institution, including any of the institution's employees, officers or other agents. A financial institution will need to consider to what extent its service providers could be considered "agents" under this standard, because knowledge on the part of an agent starts the 30-day clock; in any event, this discovery-based trigger is one more reason to prefer simple, discovery-based triggers in contractual notification obligations with service providers.
The notice must be made electronically on a form to be published on the FTC's website, which requires the following:
- the name and contact information of the reporting financial institution
- a description of the types of information involved in the notification event
- if the information is possible to determine, the date or date range of the notification event
- the number of consumers affected or potentially affected
- a general description of the notification event
The FTC security event reports will be entered into a publicly available database, although publication may be delayed at the request of law enforcement.
Though the FTC acknowledged that entities covered by the Rule may be subject to additional state or federal regulatory notification requirements, the FTC declined to provide any carve-outs to the notification requirement to ensure the FTC receives consistent information regarding security events. As a result, entities covered by the rule must notify the FTC regardless of their notification obligations to other federal or state regulators.
The FTC did not see a need to add a requirement to notify affected individuals, given that data breach notification requirements exist in all states, and also pursuant to Interagency Guidance under the GLBA itself. Nonetheless, given that those notification laws trigger notification based on specific types of personal information and, in some cases, a risk of harm, there may well be many notices to the FTC for data incidents that do not require notification to individuals.
Conclusion and Considerations
The amendment to the Safeguards Rule will take effect 180 days after it is published in the Federal Register, providing financial institutions some time to prepare. Financial institutions should update their incident response plans and ensure that response team members are appropriately trained as to these new requirements. No matter what, financial institutions will have one more good reason to protect customer data, which is exactly what the FTC has in mind.
Holland & Knight regularly advises industry entities on preparing for and complying with these reporting requirements. If you have any questions regarding this Safeguards Rule amendment or other cybersecurity regulations, please contact the authors.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.