On October 27, 2023, the Federal Trade Commission (FTC) announced it is amending the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA) to include a requirement for non-bank financial institutions to report certain data breaches and other security events to the agency.
The Safeguards Rule requires non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep customer information safe. As part of the agency process of adopting amendments to the Safeguards Rule, in 2021, the FTC requested comments on a proposed supplemental amendment requiring financial institutions to report certain data breaches and other security events to the FTC. The recent Amendment is the final version of the 2021 proposed supplemental amendment.
The Amendment requires non-bank financial institutions to notify the FTC as soon as possible and no later than 30 days after the discovery of a “notification event” involving the customer information of at least 500 people. A “notification event” is defined as the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. The Rule defines “customer information” as “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of [the financial institution or its] affiliates.”
Unauthorized acquisition of information will be presumed in the event of unauthorized access to unencrypted customer information, unless there is adequate evidence showing there was not unauthorized acquisition of such information.
Required Elements of the New Notification Requirement
The notice to the FTC required by the Amendment must include certain information about the event, including:
- a description of the type of information involved;
- if possible, the date or date range of the notification event;
- the number of consumers potentially affected;
- a general description of the notification event; and
- if applicable, whether law enforcement has determined that notifying the public of the breach would impede a criminal investigation or cause damage to national security.
- A Notification Event Includes Unauthorized Disclosure: As drafted, the definition of “notification event” includes any instance where unencrypted information is accessed by a third party without the consumer’s authorization. Read literally, this would mean that non-bank financial institutions need to obtain consumers’ consent before any sharing of covered information can occur, even if the relevant provisions of the GLBA’s Privacy Rule do not require such consent. This would significantly change consent requirements for financial institutions.
- Encryption as Proxy for Risk of Harm: The Amendment does extend the safe harbor, included in many state data breach notification laws, of carving out encrypted information from triggering any notification requirements. However, while many state laws include a “risk of harm” consideration for notification, such a determination has no bearing on this federal notification requirement. The strict use of encryption for determining whether notification is required is intended to both speed entities’ conclusion as to whether notification is required and tighten any discretionary loopholes that could be prevailed upon to abstain from notification. Of note, encrypted customer information will be considered unencrypted by the agency if the encryption key was accessed as part of the security event.
- “Discovery” as a Notification Trigger: While some state data breach notification laws (e.g., Alabama) use the “determination” that a breach has occurred as the triggering event for notification requirements, the Amendment uses the “discovery” of a qualifying event as a notification trigger, which is arguably a lower standard of certainty. This means that affected entities may not have time to fully investigate a possible incident before the 30-day notification clock starts ticking. Of note, this is in contrast to the recent SEC Cybersecurity Disclosure Rules, which require a disclosure of material cybersecurity incidents within four business days after the company determines that the incident is material. As a result of these divergent requirements, companies may have to keep track of different timelines after discovery of an incident.
- Presumption of Acquisition of Information: While the majority of state data breach notification laws allow for an entity to make their own determination as to whether personal information was either confirmed to have been or reasonably believed to have been acquired, the Amendment establishes the presumption that an unauthorized acquisition has occurred in the event of unauthorized access to unencrypted customer information. This presumption can only be rebutted by adequate evidence showing there was not unauthorized acquisition of such information. The presumption, ostensibly lowering one major threshold to notification, is currently applied to healthcare-related entities per the Health Breach Notification Rule.
The Amendment will become effective 180 days after publication in the Federal Register.
Wilson Sonsini Goodrich & Rosati routinely assists covered financial institutions, including financial technology companies, subject to the GLBA with compliance, and will monitor developments in enforcement and industry standards to continue to assist our clients.
For more information or advice concerning the Amendment to the Safeguards Rule, please contact Libby Weingarten, Maneesha Mithal, Demian Ahn, or another member of the firm’s privacy and cybersecurity practice.