The Federal Trade Commission (FTC or Commission) has joined other federal agencies in regulating cybersecurity breaches. On October 27, 2023, the FTC approved an amendment to the Safeguards Rule to include a notification requirement for data breaches. Under the new notification obligation, financial institutions covered by the FTC's Safeguards Rule must report to the Commission any notification event affecting 500 or more consumers no later than 30 days after discovery of the event. The amended Safeguards Rule does not go into effect until May 13, 2024.

Who Is Covered?

The Safeguards Rule was enacted to ensure financial institutions maintain safeguards to protect the security of customer information. The Safeguards Rule applies to financial institutions not subject to another regulator's enforcement, such as:

  • An accountant or tax preparation service in the business of completing income tax returns
  • A retailer that extends credit by issuing its own credit card directly to consumers
  • An automobile dealership that, as a usual part of its business, leases automobiles on a non-operating basis for longer than 90 days
  • A personal property or real estate appraiser
  • A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization; individuals who are seeking employment with a financial organization; or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company
  • A business that prints and sells checks for consumers, either as its sole business or as one of its product lines
  • A business that regularly wires money to and from consumers
  • A check-cashing business
  • A business that operates a travel agency in connection with financial services
  • An entity that provides real estate settlement services
  • A mortgage broker
  • An investment advisory company
  • A credit counseling service
  • A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate. 16 CFR 3.142(h)(2).

Nonbanking financial institutions will now have to notify the FTC in addition to state attorneys general and other agencies, where applicable.

What Information Is Covered?

Under the notice requirement, covered financial institutions must report to the Commission when "customer information" is involved:

  • "Customer information" is defined as "records containing nonpublic personal information about a customer." 16 CFR 3.142(d).
  • "Nonpublic personal information" means "personally identifiable financial information; and ...any list, description, or other groups of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available." 16 CFR 3.142(l).

The broad definition of "customer information" allows a wide array of information to be included, from sensitive information such as Social Security numbers, financial information and account access credentials to routine information such as contact details. This differs from state breach notification laws, which only require notification for specific categories of data such as Social Security numbers, medical information, government-issued identification and credit card information. Nonbanking financial institutions will have to reevaluate their notice obligations given the large amount of data covered under the Safeguards Rule.

It is important to note that the notice requirement only applies to customers and not consumers. A consumer is "an individual who obtains or has obtained a financial product or service from you [a covered financial institution] that is to be used primarily for personal, family, or household purposes." 16 CFR 3.142(b)(1). A consumer becomes a customer when there is a continuous relationship between the consumer and the covered financial institution. Therefore, isolated transactions such as purchasing a money order would not trigger the notification requirement.

When Is Notification Required?

The notice obligation is triggered when the financial institution suffers a notification event. A "notification event" is defined as the "acquisition of unencrypted customer information without the authorization of the individual to which the information pertains." 88 FR 77499 (November 13, 2023). The Commission took a middle-of-the-road approach to the definition of "notification event." Some aspects are similar to state breach notification laws, while other aspects are broader than the norm. Furthermore, there is no harm threshold.

Acquisition: The notification requirement includes a rebuttable presumption that unauthorized access to information will be presumed to result in unauthorized acquisition unless the financial institution can show that there has not been, or could not reasonably have been, unauthorized acquisition of such information. The rebuttable presumption is consistent with trends seen in some state breach notification laws and federal agencies' breach notification requirements. However, the Commission takes a broad view of what is considered an "acquisition."

"Acquisition" does not require exfiltration of the data; merely viewing or reading the data will suffice. Similarly, "access" is satisfied when there is an opportunity to view the data. This broad interpretation makes it harder for financial institutions to rebut the presumption, because they must prove that the unauthorized party, despite having the opportunity, did not view customer information.

Encrypted Data: The notification requirement includes a safe harbor for encrypted data. Financial institutions are not required to notify the FTC so long as the customer information acquired is encrypted. Customer information is no longer considered encrypted if an unauthorized actor acquires both the encrypted customer information and the encryption key. The safe harbor aligns with the majority of state breach notification laws.

Authorization of the Individual: The definition of "notification event" covers more than data breaches and security events. Under the definition, voluntary and/or intentional sharing of a customer's information without the individual's authorization is considered a notification event.

Notification Deadline and Content

The FTC requires financial institutions to notify within 30 days of discovery of a notification event involving at least 500 consumers. According to 88 FR 77499, discovery occurs on "the first day on which such event is known" to any person who is the financial institution's employee, officer or other agent. This timeline mirrors the time frame dictated for notifying state attorneys general in a majority of state breach notification laws.

The notification must be submitted electronically via a form on the FTC's website, and must include:

  • The name and contact information of the reporting financial institution
  • A description of the types of information involved in the notification event
  • The date or date range of the notification event
  • A general description of the notification event
  • The number of affected consumers
  • Whether a law enforcement official informed the financial institution in writing that "public disclosure would impede a criminal investigation or cause damage to national security" along with contact information for the law enforcement official.

Notice Will Be Public

The Commission intends to enter notification event reports into a publicly available database. There will be no distinction as to which notification event reports are made public. Thus, a notification event that may not trigger a notice requirement under state breach notification laws will still be made public. The Commission believes the transparency will benefit both consumers and organizations because it will incentivize organizations to maintain better safeguards.

Takeaway

The notification requirement expands nonbanking financial institutions' obligation to notify because of the vast amount of information that is covered. Nonbanking financial institutions need to reassess their incident response protocols to ensure compliance with the revised Safeguards Rule. While the 30-day notice deadline does mirror the majority of state breach notification laws, the date of discovery may be determined differently than under state breach notification laws. Lastly, nonbanking financial institutions must be mindful that notices to the FTC will be made public.