Compliance Corner: Updates to FTC’s Safeguards Rule

May 16, 2024
By Leslie Bender
The FTC has now updated its Safeguards Rule to add breach notification requirements. It plans to host a new public database of instances in which consumers’ nonpublic information has been subjected to unauthorized access.

Effective May 13, 2024

Key features

Financial institutions subject to the FTC’s jurisdiction (which include mortgage lenders, payday lenders, collection agencies, check cashiers, credit counselors, and more) and all of their service providers may want to familiarize members of their workforce with the processes they have in place to detect, report, investigate and resolve data security issues.

Some key features in the new FTC Safeguards Rule’s breach notification provisions include these:

1. Report data breaches/unauthorized acquisitions affecting 500 or more consumers to the FTC via an electronic form located at its website www.ftc.gov¹

2. Breach notices must explain the types of information involved in the “notification event,” the date or date range of the event, the number of consumers affected, and whether law enforcement is involved and has determined that notifying the public of the breach may impact or impede a criminal investigation or cause damage to national security.

3. Notification of a breach must occur “as soon as possible, but no later than 30 days after discovery of the event.”

4. “Notification events” go beyond traditional data security breaches and include the unauthorized acquisition of unencrypted customer information.

5. The Safeguards Rule’s notification requirements do not pre-empt notifications that may also be required under state or other laws.²

Let’s get practical

If this new breach notification requirement in the FTC’s Safeguards Rule prompts you to review your own internal security incident compliance programs, you may want to keep in mind some of these unique features of the Safeguards Rule’s new notice requirements:

  • The FTC’s new rule has a modernized description of personally identifiable non-public financial information a consumer provides. It includes, for example, information the financial institution collects through an internet “cookie” – which the FTC describes as “an information collecting device from a web server.”³
  • Consistent with the FTC’s enforcement actions under its Health Breach Notification Rule, the FTC has also taken a broad-ranging view of what data security events must be reported to the FTC (and the public). In addition to traditional data breaches, the FTC now treats unauthorized acquisitions of 500 or more consumers’ information as “notification events” that entities are expected to report.
  • The Safeguards Rule now explains that a “notification event” is the “acquisition of … [unencrypted customer] information without the authorization of the individual to which the information pertains.” The Rule goes further to include a rebuttable presumption that customer information will be considered “unencrypted” “if the encryption key was accessed by an unauthorized person … unless you have reliable evidence showing that there has not been, or could not reasonably have been unauthorized acquisition of such information.”⁴
  • Clarity on what triggers a “notification event.” The FTC explains it considers an event to be “discovered as of the first day on which such event is known.” This means that a financial institution is deemed to know of a notification event “if the event is known to any person, other than the person committing the breach, who is the financial institution’s employee, officer, or other agent.”⁵

    1. For health breaches, the FTC had entities report electronically by sending an email within sixty (60) days of discovering a health breach to [email protected] with the subject line “HBN – Request to Submit Document,” to which the FTC replied with instructions for secure electronic submission of encrypted documents. See www.ftc.gov/healthbreach. For this rule, see 88 Federal Register 77508, published November 13, 2023.
    2. See fn 1. The preamble to the final rule explains that this new notification requirement is not duplicative of state breach notification laws and instead is “designed to ensure that the Commission receives notice of security breaches affecting financial institutions under the Commission’s jurisdiction.”
    3. See 16 CFR Section 314.2(n)(2)(F).
    4. See 16 CFR Section 314.2(m).
    5. See 16 CFR Section 314.2(j).

Author

Leslie Bender

Senior Attorney | Eversheds Sutherland
Leslie Bender counsels financial services and healthcare clients on a broad range of privacy, data security, and consumer financial protection laws. She provides counsel on matters including privacy, consumer financial protection, HIPAA, data security, labor and employment, litigation, contracts, alternative dispute resolution and mediation, government affairs, regulatory relations, and change and project management. Leslie has more than two decades of experience in privacy and consumer financial protection and related regulatory relations before various federal and state regulators. In addition, Leslie has more than 30 years of experience working with financial institutions, collection agencies, and as a compliance consultant and trainer for hospitals. Recognized as a national authority on information privacy and security law, she was one of the first privacy officers accredited by the International Association of Privacy Professionals as a Certified Information Privacy Professional.