Daniel B. Garrie
Neutral, JAMS
Cyber Security
Cell: (212) 826-5351
Email: daniel@lawandforensics.com
David Shonka
Partner, Redgrave LLP
In October 2023, the Federal Trade Commission (FTC) approved a significant amendment to the Safeguards Rule, enhancing the obligation of non-banking financial institutions to report certain data breaches and other security events to the agency. This amendment, which will take effect on May 13, 2024, represents a pivotal shift in the regulatory landscape for these institutions, fundamentally altering their responsibilities in the face of cybersecurity incidents. Companies subject to the Rule should take no comfort from the FTC’s statements that the required notifications include only a “limited set of information” that is “minimal.” Given the Agency’s interest in consumer privacy and its related concerns about Generative AI and, more fundamentally, about algorithmic decision-making, entities should not doubt where the Commission is going when it also states that the new notifications “will enable [it] to identify breaches that merit investigation more quickly and efficiently.” Indeed, the Commission acknowledges that the required “reports are unlikely to contain all the information the Commission would need to determine” whether enforcement action is warranted because “such determinations are typically made following investigations that afford entities the opportunity to provide context and information.” It is therefore critical that companies reevaluate their data breach reporting processes in the context of their broader cybersecurity programs to ensure they are prepared to meet their expanded risks and obligations under the Amended Rule.
Overview of the Amendment
The FTC’s amendment specifically targets non-bank financial institutions subject to its jurisdiction under the Gramm-Leach-Bliley Act (GLBA). The entities covered include a broad range of institutions, such as non-bank mortgage lenders, payday lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, debt collection agencies, credit counselors, tax preparation firms, non-federally insured credit unions, and investment advisors not registered with the Securities and Exchange Commission, among others.
The amendment requires covered entities to report “Notification Events,” defined as the “unauthorized acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” Should such an event involve the data of at least 500 consumers, the affected entity must notify the FTC as soon as possible, and no later than 30 days following the discovery of the event. This swift reporting timeline underscores the urgency with which the FTC expects these institutions to respond to data breaches.
Moreover, this new definition of a “notification event” expands the scope of a covered entity’s reporting obligations to include any unauthorized acquisitions of non-public customer information. In this way, the amendment implicates the privacy practices of covered entities as well as their cybersecurity practices. As already noted, this could have significant implications for how regulators interpret the new “notification event” definition, especially in light of the GLBA’s Privacy Rule, which generally does not require consumer authorization for sharing data with third parties.
The Rule broadly defines non-public customer information to include any personally identifiable information such as any information provided on an application to obtain a loan, credit card, or other financial product or service; the fact that an individual is or has been a customer or has obtained a financial product or service; any information obtained in connection with collecting on, or servicing, a credit account; and any information collected through internet “cookies.” See 16 C.F.R. § 314.2(n)(2) (listing examples of personally identifiable financial information). There is little doubt that the definition could include information included in an entity’s algorithmic databases.
The amendment imposes several specific requirements for the notification process, including:
• Name and Contact Information: The financial institution must provide its name and contact details in the notification.
• General Description of the Event: A brief overview of the notification event is required.
• Description of the Information Acquired: A comprehensive description of the types of information involved must be included.
• Date Range: If ascertainable, the date or date range of the notification event must be reported.
• Number of Affected Consumers: The institution must specify the number of consumers potentially impacted.
Challenges and Considerations
The amendment represents a new paradigm for non-banking financial institutions, posing challenges and necessitating a strategic reevaluation of their cybersecurity and data protection protocols. At a minimum, this will require of many entities a review and, if necessary, revising of cybersecurity policies and procedures, including incident response protocols, to ensure that proper and timely notifications are executed in the event of a data breach. The amendment may coincide with state data privacy and cybersecurity laws, adding a layer of complexity for compliance and legal teams in adjusting their procedures to meet the requirements of all regulating institutions effectively and efficiently. It is important that entities involve legal, business, and technical stakeholders in revising any policies and procedures to ensure that the revisions are technically and operationally feasible in the context of the entity’s information systems and workflows.
Covered entities also need to apply the same, if not heightened, reevaluation of their privacy policies and procedures. Some covered entities may not even be aware of the full extent of data sharing that takes place in the normal course of business, such as through partnerships and third-party applications. Covered entities must take steps to understand exactly how and where they obtain customer information and how that information flows through the company, where customer information is stored, and how it is shared. Without accurate data maps a covered entity will not be in an acceptable position to establish defensible procedures to ensure compliancy with the privacy-related aspects of the amended Safeguard Rule.
The amended statute also forces covered entities to consider the protocols and ramifications of public disclosure of data breaches. This may be especially important given the FTC’s recent action against a company for its alleged “failure to accurately communicate the scope and severity of [a] breach in its notification to consumers.” Unlike some federal data breach regulations, the FTC’s amendment includes public disclosure of consumer data breaches by the Commission. This aspect could potentially lead to increased cybersecurity risks and reputational damage for the institutions involved. Institutions must be prepared to manage the potential fallout from public disclosure, including security risks, reputational concerns, and potential class action lawsuits.
The FTC’s amendment to the Safeguards Rule marks a significant development in the regulatory framework for non-banking financial institutions. It underscores the importance of robust data security measures and rapid response mechanisms in the face of data incidents. As the amendment approaches its effective date, these institutions must proactively adapt their strategies and policies to ensure compliance and safeguard consumer information effectively. The focus is not only on preventing data breaches but also on transparent and timely reporting, reflecting a broader shift towards greater accountability and consumer protection in the financial sector.
Disclaimer: The content is intended for general informational purpos es only and should not be construed as legal advice. If you require legal or professional advice, please contact an attorney.