FTC Amends Safeguard Rule to Require Nonbank Financial Institutions to Report Data Breaches
On October 27, 2023, the Federal Trade Commission (“FTC”) issued a final rule amending its Safeguard Rule to require nonbank financial institutions subject to the rule, such as mortgage lenders, mortgage brokers, motor vehicle dealers, and payday lenders, to report certain data breaches to the FTC. The rule will become effective 180 days after publication of the rule in the Federal Register.
Data breaches that require reporting are specifically referred to in the rule as “notification events.” A “notification event” is defined as the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains, involving at least 500 customers. Customer information is considered unencrypted, for purposes of this rule, if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless there is reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.
If the notification event involves the information of at least 500 customers, a financial institution subject to the FTC’s enforcement authority must electronically notify the FTC through a form located on the FTC’s website, https://www.ftc.gov, as soon as possible, and no later than 30 days, after discovery of the event. The notice must include the following:
1. The name and contact information of the reporting financial institution.
2. A description of the types of information that were involved in the notification event.
3. The date or range of the notification event (if the information is possible to determine).
4. The number of consumers affected or potentially affected.
5. A general description of the notification event.
6. If applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official. Note that a law enforcement official may request an initial delay of public notice of up to 30 days following the date when notice was provided to the FTC. The delay may be extended for an additional period of up to 60 days if the law enforcement official seeks such an extension in writing. Additional delay may be permitted only if the Commission staff determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security
The notices will become publicly available on the FTC’s website in a searchable database.
The final rule provides that a notification event will be treated as discovered as of the first day on which such event is known to the financial institution. A financial institution is deemed to have knowledge of a notification event if such event is known to any individual, other than the individual committing the breach, who is the financial institution’s employee, officer, or other agent.
Although many commenters generally supported the inclusion of the notification requirement in the rule, some opposed it due, in part, to the below reasons:
1. The proposed notification requirement would duplicate state data breach notification laws and is, therefore, unnecessary.
2. The FTC could achieve their goal of monitoring for emerging data security threats and facilitating a prompt investigative response to major security breaches by accessing and reviewing regulated entities’ reports to consumers and state authorities under state notification laws.
3. The notification requirement would not improve financial institution’s data security.
In response, the FTC answered, respectively, that:
1. State breach notification laws provide notice to consumers and in some cases also to state regulators, while the notice requirement of the final rule requires notice to the FTC and is designed to ensure that the FTC receives notice of security breaches affecting financial institutions under the FTC’s jurisdiction.
2. Such an approach would be extremely burdensome on the FTC and would require the diversion of resources from enforcement to search for and collect information about breaches involving regulated financial institutions.
3. The Safeguards Rule notice requirement will establish a uniform reporting requirement for all regulated financial institutions, assisting the FTC in getting consistent information about notification events affecting those financial institutions regardless of which state’s consumers are affected.
4. The notification requirement will increase the efficiency and effectiveness of the FTC’s enforcement of the Rule. While state data breach notification laws require notice to consumers, some states do not require that such notices be provided to state regulators as well, and not all state regulators that do receive such notices publish them. By requiring financial institutions to provide notice directly to the FTC, the FTC will not have to devote resources to continually search for data breach notifications posted by other sources to know that a financial institution has experienced a breach. Without a notification, the FTC would have no guarantee that it has found all breaches in its searches.
The final rule and the FTC’s press release are available here: https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches.
If you would like to discuss any of the issues in this blog post, please email mfeliciano@garrishorn.com.