The FTC’s Press Release of October 27 states:
The FTC’s Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. In October 2021, the FTC announced it had finalized changes to the Safeguards Rule to strengthen the data security safeguards that financial institutions are required to put in place to protect their customers’ financial information. The FTC also sought comment on a proposed supplemental amendment to the Safeguards Rule that would require financial institutions to report certain data breaches and other security events to the Commission. “Companies that are trusted with sensitive financial information need to be transparent if that information has been compromised,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The addition of this disclosure requirement to the Safeguards Rule should provide companies with additional incentive to safeguard consumers’ data.” The amendment announced today requires financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. Such an event requires notification if unencrypted customer information has been acquired without the authorization of the individual to which the information pertains. The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected.
The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register. The context of the New Rule is as follows:
In the NPRM, the Commission explained that its proposed amendments to the Safeguards Rule were based primarily on the cybersecurity regulations issued by the New York Department of Financial Services, 23 NYCRR 500 (“Cybersecurity Regulations”). The Commission also noted that the Cybersecurity Regulations require covered entities to report security events to the superintendent of the Department of Financial Services. Relatedly, for many years, some other federal agencies enforcing the GLBA have required financial institutions to provide notice to the regulator, and in some instances notice to consumers as well. Although the Commission did not include a similar reporting requirement in the NPRM, it did seek comment on whether the Safeguards Rule should be amended to require that financial institutions report security events to the Commission. Specifically, the Commission requested comments on whether such a requirement should be added and, if so, (1) the appropriate deadline for reporting security events after discovery, (2) whether all security events should require notification or whether notification should be required only under certain circumstances, such as a determination of a likelihood of harm to customers or that the event affects a certain number of customers, (3) whether such reports should be made public, (4) whether events involving encrypted information should be included in the requirement, and (5) whether the requirement should allow law enforcement agencies to prevent or delay notification if notification would affect law-enforcement investigations. The final rule, which the Commission published in the Federal Register on December 9, 2021, did not include a reporting requirement. However, on the same date, the Commission published a Supplemental Notice of Proposed Rulemaking (“SNPRM”) in the Federal Register, which proposed further amending the Safeguards Rule to require financial institutions to report to the Commission certain security events as soon as possible, and no later than 30 days after discovery of the event.
Specifically, the Commission proposed to require financial institutions to notify the Commission electronically through a form located on the FTC’s website about any security event that resulted or is reasonably likely to result in the misuse of customer information affecting at least 1,000 consumers. The Commission proposed that the notification include a limited set of information, consisting of (1) the name and contact information of the reporting financial institution, (2) a description of the types of information involved in the security event, (3) the date or the date range of the security event, if it can be determined, and (4) a general description of the security event. In response to the SNPRM, the Commission received 14 comments from various interested parties, including industry groups, consumer groups, and individual consumers.
In general, the Rule does the following:
The Final Rule requires financial institutions to report notification events, defined as the unauthorized acquisition of unencrypted customer information, involving at least 500 customers to the Commission. The notice to the Commission must include: (1) the name and contact information of the reporting financial institution; (2) a description of the types of information that were involved in the notification event; (3) if the information is possible to determine, the date or date range of the notification event; (4) the number of consumers affected; (5) a general description of the notification event; and (6) if applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official. The notice must be provided electronically through a form located on the FTC’s website, https://www.ftc.gov.
As to what constitutes a “notification event,” the FTC Rule states:
Accordingly, the Final Rule requires notification where customer information has been acquired, rather than when misuse is considered likely. Specifically, the Commission is adding a new § 314.2(m) that defines the term “[n]otification event” to mean the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Section 314.2(m) also provides that unauthorized access of information will be presumed to result in unauthorized acquisition unless the financial institution can show that there has not been, or could not reasonably have been, unauthorized acquisition of such information. This rebuttable presumption is consistent with the Health Breach Notification Rule. See 16 CFR 318.2(a) (“Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”). Here, too, the presumption is “intended to address the difficulty of determining whether access to data (i.e., the opportunity to view the data) did or did not lead to acquisition (i.e., the actual viewing or reading of the data).”
The Commission also agrees that notification should not be required when harm to consumers is rendered extremely unlikely because the customer information is encrypted. Accordingly, the Final Rule does not require notification if the customer information acquired is encrypted, so long as the encryption key was not accessed by an unauthorized person. See § 314.2(m). By requiring notice relating to unauthorized acquisition only of unencrypted customer information, this change brings the Rule into accord with the majority of state breach notification laws. If customer information was encrypted but the encryption key was also accessed without authorization, then the customer information will be considered to be unencrypted. Someone who has both the encrypted information and the encryption key can easily decrypt the information.
In summary, the Final Rule requires notification in the event that the financial institution discovers that unencrypted customer information has been acquired without authorization. See § 314.2(m). Unlike under the proposed rule, notification is not conditioned on the assessment of likelihood of misuse. The Commission believes that determining whether acquisition has occurred simplifies the requirement and will enable financial institutions to more speedily determine whether a notification event has occurred. In addition, the Commission believes that this change will reduce the number of notifications by excluding events where encrypted information was acquired, while ensuring that it receives notice of events that are more likely to result in harm. As noted earlier, the Rule also includes a rebuttable presumption stating that when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” See § 314.2(m).