On October 27, 2023, the Federal Trade Commission (FTC) amended its Safeguards Rule (16 CFR Part 314) to require entities engaged in financial activities to disclose to the FTC data breaches involving 500 or more customers within 30 days after the breach.
Background
The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, provides a framework for regulating data security and privacy practices for entities engaged in activities that are financial in nature or incidental to a financial activity. The act requires those entities to protect the security and confidentiality of their customers’ nonpublic personal information and provide their customers with information about the entities’ privacy practices and customer opt-out rights. Accordingly, the FTC promulgated the Safeguards Rule in 2002. The rule sets forth regulations that address, among other topics, the types of entities that are subject to the act and the administrative, technical, and physical safeguards that covered entities must implement with respect to customer information. Notably, the Safeguards Rule states that these “… entities include, but are not limited to, mortgage lenders, ‘pay day’ lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders.”
While the Gramm-Leach-Bliley Act itself applies to all financial institutions, the Safeguards Rule applies only to those institutions falling under the purview of the FTC. Financial institutions that fall within the jurisdiction of separate regulators, such as the Securities and Exchange Commission and the Commodity Futures Trading Commission, are bound by separate regulations promulgated by those regulators under the act.
Deadline for Notification
This latest amendment to the Safeguards Rule introduces a new requirement for covered entities to notify the FTC of any “notification event” that involves the personal information of 500 or more customers as soon as possible and, in any event, no more than 30 days after such a breach becomes known to any employee, officer, or agent of a company holding personal customer information. The amended Safeguards Rule goes into effect on May 13, 2024. By that date, institutions must send their breach notices to the FTC using the online form located on the FTC’s website, https://www.ftc.gov.
Contents of Notification
The FTC has defined a notification event as the acquisition of unencrypted customer information without the authorization of the individual to whom the information pertains. Customer information is considered unencrypted if the encryption key was accessed by an unauthorized person.
Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless the covered entity has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.
The notice to the FTC must include:
- The name and contact information of the reporting entity
- A description of the types of information that were involved in the notification event
- If it is possible to determine, the date or date range of the notification event
- The number of consumers affected
- A general description of the notification event
- Whether any law enforcement official has provided the entity with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security and, if so, a means for the FTC to contact the law enforcement official
Business leaders and compliance professionals should be aware of the 30-day notice requirement and understand the types of incidents and data that are impacted by the amended Safeguards Rule. Companies should therefore review and update their written information security programs to avoid violating this new breach-notification regulation.
If you have any questions about the contents of this alert, please contact Renato Smith, co-chair of the Data Security & Technology Practice Area, at rsmith@barclaydamon.com; Rex McKeon, associate, at rmckeon@barclaydamon.com; or another member of the firm’s Data Security & Technology Practice Area.