As the number of data breaches that occur increases with technological advances, so does the interest of government regulators. In addition to a state attorney general regulating a data incident at the state level, many federal administrative agencies may also respond to a data breach. For example, the Federal Trade Commission (“FTC”), which has a dedicated Bureau of Consumer Protection, enforces various laws, including the Federal Trade Commission Act, Health Breach Notification Rule, and the Standards for Safeguarding Consumer Information Rule (“Safeguards Rule”).
The Safeguards Rule first became effective in 2003 in response to the passage of the Gramm-Leach-Bliley Act by Congress in 1999, which required the FTC and other federal agencies to establish standards for financial institutions related to safeguarding certain data. The Safeguards Rule was later expanded in 2021, at which time the FTC also issued a Supplemental Notice of Proposed Rulemaking (“SNPRM”) that would add a reporting requirement for any security event affecting the personal information of at least 1,000 customers.
After reviewing comments submitted in response to the SNPRM, the FTC issued a final rule on October 27, 2023 that includes a revised reporting requirement. Covered financial institutions must report notification events to the FTC, which the final rule defines as the unauthorized acquisition of unencrypted customer information involving at least 500 customers. The rule further clarifies that customer information should be considered unencrypted if the encryption key was accessed by an unauthorized person. Also, unauthorized access is presumed to include unauthorized acquisition unless the financial institution can rebut the presumption by showing that unauthorized acquisition did not or could not have reasonably occurred.
The notice must be provided electronically through a form on the FTC’s website and include: (1) the name and contact information of the reporting financial institution; (2) a description of the types of information that were involved in the notification event; (3) the date or date range of the notification event, if known; (4) the number of consumers affected; and (5) a general description of the notification event, and when applicable, whether the financial institution has been advised by law enforcement that notifying the public of the breach would impede a criminal investigation or be a risk to national security. If so, the law enforcement contact information must also be provided in the report.
The FTC’s jurisdiction applies to financial institutions that aren’t subject to the enforcement authority of another regulator under 15 U.S.C. § 6805. Examples of entities that are covered financial institutions subject to FTC regulations include mortgage lenders, mortgage brokers, finance companies, and non-federally insured credit unions.
Covered financial institutions will have 30 days from the discovery of a notification event to report to the FTC and will be deemed to have knowledge of a notification event when the breach is known by any of the financial institution’s employees, officers, or other agents.
One stated intent of the final rule is to establish a uniform reporting requirement for covered financial institutions, to assist the agency in getting consistent information about notification events regardless of whether the financial institution is also required to provide a notice to consumers or state regulators. The FTC also expects that the reporting will lead to a better awareness of emerging risks to financial institutions’ security.
The final rule will become effective 180 days after publication in the Federal Register.