On Oct. 27, 2023, the Federal Trade Commission (FTC) amended its Standards for Safeguarding Customer Information (the Safeguards Rule), promulgated under the Gramm-Leach-Bliley Act (GLBA), to require financial institutions to provide notice to the FTC of data breaches that impact 500 or more consumers (the Amendment). This comes after the FTC’s major update to the Safeguards Rule’s proactive security requirements in 2021.
The Safeguards Rule applies to financial institutions regulated by the FTC, which typically include non-banking entities.
The Amendment requires that financial institutions report any “notification event,” which the FTC has defined as an acquisition of unencrypted customer information without authorization of the individual to which the information pertains. Notably, the Amendment specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information, unless the financial institution has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information. Financial institutions should accordingly presume that unauthorized access is a notification event unless there is proof that no acquisition occurred.
There are no exceptions for events that do not or are not likely to result in consumer harm. Similarly, there are no exceptions for breaches that involve non-sensitive types of information. This distinguishes the FTC’s Safeguards Rule requirements from the GLBA Interagency Guidance relied upon by banking entities, which requires notification only if sensitive customer information (e.g., Social Security number, driver’s license number, etc.) has been impacted.
30-Day Timing Requirement
The notification event must be reported to the FTC within 30 days of the event being “discovered.” The Amendment clarifies that an event is discovered on the first day when such event is known to the financial institution, including any person, other than the person committing the breach, who is the financial institution’s employee, officer, or other agent.
Notification Content and Publication
Notices to the FTC will be submitted electronically via a form on the FTC’s website. The notices will require the following information:
- Name and contact of the financial institution;
- Description of the types of information held by the reporting financial institution;
- If the information is possible to determine, the date or date range of the notification event; and
- A general description of the notification event.
The FTC intends to publish the notices it receives, which may lead to an increased risk of consumer class action lawsuits against the reporting entity. As stated in its comments to the amendment, the FTC believes that making the notices public will enable consumers to make more informed decisions about which financial institutions they choose to entrust with their information, providing financial institutions an “additional incentive” to comply with the Safeguards Rule.
No Individual Notification Requirement
Unlike the GLBA Interagency Guidance issued by banking regulators, the Amendment only requires notification to the FTC and does not require that financial institutions notify individuals. Financial institutions regulated by the FTC will still need to rely on state data breach notification laws to determine their obligations for individual notification.
The breach notification requirement will become effective 180 days after the Amendment is published in the Federal Register.