Last week, the Federal Trade Commission (“FTC” or “Commission”) finalized its supplemental revisions to the 2021 amendments to its implementation of the Gramm-Leach-Bliley Act Safeguards Rule (the “Amended Safeguards Rule”).[1]  The supplemental revisions to the Amended Safeguards Rule will require covered non-banking financial institutions—e.g., automobile dealerships, mortgage brokers, payday lenders, retailers that issue credit cards—[2] to report certain security breaches impacting unencrypted customer information to the Commission no later than thirty (30) days after discovery.[3]  The supplemental revisions to the Amended Safeguards Rule will take effect six (6) months after publication in the Federal Register.

The supplemental revisions to the Amended Safeguards Rule will require covered entities to report “notification events,” which are events involving the unauthorized acquisition of unencrypted customer information impacting at least 500 customers,[4] to the Commission as soon as possible, but in any event no later than thirty (30) days after discovery.  Customer information is broadly defined to include any nonpublic personally identifiable financial information maintained in any format by or on behalf of a covered financial institution or its affiliates.[5]  Accordingly, in addition to obligations to notify customers and U.S. State authorities under State data breach notification laws, the supplemental revisions to the Amended Safeguards Rule will place FTC-regulated financial institutions in the same position as banks, which are subject to preexisting requirements to report data breaches to their prudential regulators.

Under the Amended Safeguards Rule, covered entities are deemed to have knowledge of a notification event on the first day a qualifying event is known to any person (e.g., an employee, officer or agent of the covered entity), other than the person committing the breach.  Comments received during the rulemaking process pushed back on this notification trigger, suggesting instead that the notification process should begin when a covered financial institution “determines” that a security event has occurred, connoting a heightened level of certainty that such an event has occurred as opposed to mere discovery.  The Commission disagreed with these arguments, clarifying that thirty (30) days should be a sufficient amount of time to allow for FTC notification and to prepare the required notice, as companies should be able to “decide quickly whether a notification event has occurred by determining whether unencrypted customer information has been acquired and, if so, how many consumers are affected.”  In addition, the FTC concluded that the notification obligations require “minimal details and will not take significant time to prepare,” and, in any event, are largely similar to preexisting State data breach notification requirements that covered institutions will often need to prepare upon occurrence of such an event.

The notice to the Commission, which must be provided electronically through a form on the FTC’s website, must include:

  1. The name and contact information of the reporting financial institution;
  2. A description of the types of information that were involved in the notification event;
  3. If it is possible to determine, the date or date range of the notification event;
  4. The number of consumers affected;
  5. A general description of the notification event; and,
  6. If applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.[6]

Non-compliance with the Safeguards Rule can result in fines of up to approximately $50,120 per violation.[7]  Covered financial institutions should consider updating: (i) employee awareness training to include the new notification requirements, and (ii) incident response plans to ensure that appropriate reporting processes and channels are in place to report unauthorized access to unencrypted customer information within thirty (30) days of discovery. 

[1] The full text of the Amended Safeguards Rule is available here.

[2] Additionally, note that the 2021 amendments to the Safeguards Rule also added “finders”—or companies that bring together buyers and sellers of any product or service for transactions covered by the Safeguards Rule—to its list of covered financial institutions.

[3] The Commission’s vote to approve the Amended Safeguards Rule comes almost five (5) years after the FTC first issued its rulemaking package to revitalize the Safeguards Rule back in April of 2019.  According to the initial Notice of Proposed Rulemaking, the Commission’s actions were based primarily on the cybersecurity regulations issued by the New York Department of Financial Services (“NYDFS”), 23 NYCRR 500, which requires covered entities to report certain cybersecurity events to the superintendent of NYDFS.  After several rounds of review and revision, the Commission published a final version of the amendments in the Federal Register on December 9, 2021, and shortly thereafter published a Supplemental Notice of Proposed Rulemaking to reflect the aforementioned security incident reporting requirements.

[4] The Amended Safeguards Rule clarifies that customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person, and that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless the covered entity has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

[5] Specifically, “customer information” is defined as any record containing “nonpublic personal information” about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates.  “Nonpublic personal information” means

[6] Note additionally that a law enforcement official may request an initial delay of up to thirty (30) days following the date when notice was provided to the FTC.  The delay may be extended for an additional period of up to sixty (60) days if the law enforcement official seeks such an extension in writing.  Additional delay may be permitted only if the FTC staff determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.

[7] Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), as modified by Section 4 of the Federal Civil Penalties Inflation Adjustment Act of 1990, 28 U.S.C. § 2461, as amended, and as implemented by 16 C.F.R. § 1.98(d).