The FTC has now updated its Safeguards Rule to add breach notification requirements. It plans to host a new public database of instances in which consumers’ nonpublic information has been subjected to unauthorized access.
Effective May 13, 2024
Key features
Financial institutions subject to the FTC’s jurisdiction, which include mortgage lenders, payday lenders, collection agencies, check cashiers, credit counselors, and more – and all of their service providers may want to familiarize members of their workforce with processes they have in place to detect, report, investigate and resolve data security issues.
1. Report data breaches/unauthorized acquisitions affecting 500 or more consumers to the FTC via an electronic form located at its website www.ftc.gov¹
2. Breach notices must explain types of information involved in the “notification event,” date or date range of event, number of consumers affected, and whether law enforcement is involved and has provided a determination that notifying the public of the breach may have an impact on or impede a criminal investigation or cause damage to national security
3. Notification of a breach must occur “as soon as possible, but no later than 30 days after discovery of the event”
4. “Notification events” go beyond traditional data security breaches and include the unauthorized acquisition of unencrypted customer information, and
5. The Safeguards Rule’s notification requirements do not pre-empt notifications that may also be required under state or other laws.²
Let’s get practical
If this new breach notification requirement in the FTC’s Safeguards Rule prompts you to review your own internal security incident compliance programs, you may want to keep in mind some of these unique features of the Safeguards Rule’s new notice requirements:
- The FTC’s new rule has a modernized description of personally identifiable non-public financial information a consumer provides. It includes, for example, information the financial institution collects through an internet “cookie” – which the FTC describes as “an information collecting device from a web server.”³
- Consistent with the FTC’s enforcement actions under its Health Breach Notification Rule, the FTC has also taken a broad-ranging view of what data security events must be reported to the FTC (and the public). In addition to traditional data breaches, the FTC now expects entities to treat unauthorized acquisitions of 500 or more consumers’ information as “notification events.”
- The Safeguards Rule now explains that a “notification event” is the “acquisition of … [unencrypted customer] information without the authorization of the individual to which the information pertains.” The Rule goes further to include a rebuttable presumption that customer information will be considered “unencrypted” “if the encryption key was accessed by an unauthorized person … unless you have reliable evidence showing that there has not been, or could not reasonably have been unauthorized acquisition of such information.”⁴
- Clarity on what triggers a “notification event.” The FTC explains it considers an event to be “discovered as of the first day on which such event is known.” This means that a financial institution is deemed to know of a notification event “if the event is known to any person, other than the person committing the breach, who is the financial institution’s employee, officer, or other agent.”⁵
¹ For health breaches the FTC had entities report electronically by sending an email within sixty (60) days of discovering a health breach to [email protected] with subject line “HBN – Request to Submit Document,” to which the FTC replied with instructions for secure electronic submission of encrypted documents. See www.ftc.gov/healthbreach. For this rule, see 88 Federal Register 77508, published November 13, 2023.
² See fn 1. The preamble to the final rule explains that this new notification requirement is not duplicative of state breach notification laws and instead is “designed to ensure that the Commission receives notice of security breaches affecting financial institutions under the Commission’s jurisdiction.”
³ See 16 CFR Section 314.2(n)(2)(F)
⁴ See 16 CFR Section 314.2(m)
⁵ See 16 CFR Section 314.2(j)