FTC Adds Data Breach Notification Requirement to Safeguards Rule

The Federal Trade Commission (FTC or Commission) has amended its Standards for Safeguarding Customer Information, commonly known as the "Safeguards Rule," to require non-bank financial institutions to report certain data breaches to the Commission. The amended Safeguards Rule requires covered "financial institutions" to report "notification events" affecting 500 or more consumers to the FTC "as soon as possible, and no later than 30 days after discovery" (the "Notification Requirement"). A "notification event" is defined as the "acquisition of unencrypted customer information without the authorization of the individual to which the information pertains." The FTC intends to make the notices it receives public, although financial institutions may request that public disclosure be delayed for law enforcement purposes.

The amendments go into effect 180 days after they are published in the Federal Register, meaning that covered financial institutions likely will be required to begin reporting notification events starting in Q2 2024. The amendments do not include any requirement to notify affected individuals of a data breach.

Financial institutions covered by the Safeguards Rule (and therefore the Notification Requirement) include neobanks, alternative lenders, money transmitters, retailers that extend credit to customers, mortgage brokers, certain investment advisors, and numerous other types of entities providing financial products or services. The U.S. Department of Education also requires institutions of higher education participating in certain federal student aid programs, as well as their third-party servicers, to comply with the Safeguards Rule.

We summarize the Notification Requirement and propose various compliance measures below.

Background

The FTC issued the first version of the Safeguards Rule in 2002 pursuant to the Gramm-Leach-Bliley Act (GLBA). Under GLBA, various federal agencies including the FTC, the U.S. Securities and Exchange Commission, the federal banking regulators—the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Federal Reserve Board—and the National Credit Union Administration, are required to issue standards for the security of customer information for financial institutions subject to each agency's jurisdiction.[1]

The first version of the Safeguards Rule imposed relatively high-level requirements on covered institutions to implement a written information security program, including designating a qualified individual to lead the program, identifying information security risks, implementing and testing safeguards in response to those risks, overseeing service providers, and periodically adjusting the program based on changes to the business and other circumstances. In December 2021, the FTC overhauled the Safeguards Rule by expanding the existing requirements and enumerating new, more detailed ones. Under the current Safeguards Rule, which we discussed in a prior blog post and webinar, institutions must adopt various safeguards, including encrypting customer information in transit and at rest, multifactor authentication, secure software development as assessment measures, and annual written reports to the board of directors (or other governing body) regarding the institution's information security program and material security risks, among others.

The FTC's overhauled Safeguards Rule did not include any breach notification requirement. However, on the same day the FTC published the new Safeguards Rule, December 9, 2021, it also issued a Supplemental Notice of Proposed Rulemaking (SNPRM) to amend the Safeguards Rule to add breach notification.[2] The FTC issued the Notification Requirement in a final rule published on October 27, 2023 (the "Final Rule").

The FTC published the Final Rule shortly after the release by the Consumer Financial Protection Bureau (CFPB) of its proposed "Personal Financial Data Rights" rule under Section 1033 of the Consumer Financial Protection Act of 2010. The CFPB's proposed rule would require data providers and third parties not otherwise subject to GLBA to comply with the FTC's Safeguards Rule (we discuss the CFPB's proposal here), now including the Notification Requirement.

Covered Information

The Notification Requirement dramatically expands covered financial institutions' breach reporting obligations because of the range of data covered. The Notification Requirement applies to "customer information," which is broadly defined in the Safeguards Rule as records containing "nonpublic personal information about a customer of a financial institution." Nonpublic personal information is (i) personally identifiable financial information[3] and (ii) "[a]ny list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available." Customer information may include a broad array of data, from more sensitive types of data such as Social Security numbers, detailed financial and purchase histories, and account access information, to relatively routine and benign data, such as basic customer demographics and contact details.

Under state data breach reporting laws, companies are required to report breaches of only enumerated categories of data, such as Social Security numbers and other government-issued ID numbers, financial account numbers in combination with access credentials, usernames and passwords, and medical information. But given the broad definition of customer information under the Safeguards Rule, covered financial institutions will have to assess their breach reporting obligations for a much larger set of data than they typically do now.[4]

At the same time, it is important to note that the Safeguards Rule, and therefore the Notification Requirement, does not apply to information about "consumers" who are not "customers." Under the Safeguards Rule, a "consumer" is any individual that obtains a financial product or service from a financial institution to be used for a personal, family, or household purpose." A "customer" is a type of consumer: specifically, a consumer with which the financial institution has a "customer relationship," defined as a "continuing relationship" between the institution and customer under which the institution provides a financial product or service. No customer relationship may exist, for example, where a consumer engages in only "isolated transactions" with the institution, such as by purchasing a money order or making a wire transfer. The Notification Requirement applies only to customer information, and therefore is not triggered by a breach affecting only consumers who are not customers.

Covered Incidents

A "notification event" is defined as "acquisition of unencrypted customer information without the authorization of the individual to which the information pertains (emphasis added)." This definition raises several points for consideration:

• Acquisition: The Notification Requirement is triggered by unauthorized "acquisition" and includes a rebuttable presumption that unauthorized "access" is unauthorized acquisition unless the institution has "reliable evidence" showing that acquisition could not reasonably have occurred. On the surface, the Notification Requirement takes a sort of middle approach vis-à-vis state data breach notification laws: under most state laws, personal data must be acquired to trigger notification obligations, but a small and growing number of states require notification where personal data has only been accessed.[5] However, it is important to note that the FTC has a very broad view of those terms. The FTC describes "acquisition" as "the actual viewing or reading of the data," even if the data is not copied or downloaded, and "access" as merely "the opportunity to view the data"[6] (emphasis added). Based on the FTC's reading of those terms, the rebuttable presumption may only be available if an institution has reliable evidence that unauthorized actors did not actually view customer information—even if they had the opportunity to do so.
• Unencrypted: The Notification Requirement treats encrypted data much like state data breach notification laws do. Institutions need not report acquisitions of encrypted data; however, encrypted data is considered unencrypted for the purposes of the Notification Requirement if the encryption key was accessed by an unauthorized person.
• Without Authorization of the Individual to Which the Information Pertains: Typically, when breach notification laws refer to acquisition of data being unauthorized, it is understood that they are referring to whether the acquisition was authorized by the entity that owns the data, not whether it was authorized by the individual who is the subject of the data. By specifying that a notification event occurs when acquisition was unauthorized by the individual data subject, the Notification Requirement potentially encompasses a broader range of incidents than state data breach notification laws. If, for example, a financial institution's employee uses customer information for a purpose that is authorized by the institution but inconsistent with the institution's privacy statement or customer agreement, one could argue that the use is acquisition not authorized by the consumer. Whether the FTC would take that novel position remains to be seen. Notably, the FTC's Health Data Breach Rule (HNBR) includes similar language in its definition of "breach of security,"[7] and the FTC has taken the position that the HNBR applies to disclosures authorized by company holding the data but not the data subject.

Notification Obligation

Financial institutions must notify the FTC "as soon as possible, and no later than 30 days after discovery" of a notification event involving at least 500 consumers. Although not clear from the text of the amendments, the FTC appears to take the position that the Notification Requirement begins to run when an institution discovers that a notification event has occurred, and not when it discovers specifically that the notification event affects 500 or more consumers. The FTC dismissed concerns that a financial institution may not know how many consumers were affected, or other key information such as whether information was only accessed without acquisition, at the time it discovers a data breach, stating that it expects financial institutions "will be able to decide quickly whether a notification event has occurred." Where it is difficult to ascertain how many consumers may have been affected—for example, where a data breach affected unstructured data containing an unknown amount of consumer data—institutions may face significant time pressures to meet the 30-day reporting requirement.

The Notification Requirement does not include any "risk of harm" analysis or threshold. Under the SNPRM, financial institutions would have been required to notify the FTC only where "misuse" of customer information had occurred or was "reasonably likely" to occur. The final version of the Notification Requirement removes the misuse language and simply requires notification upon discovery that customer information has been "acquired" without authorization.

The Notification Requirement is surprisingly silent on financial institutions' obligations when data breaches occur at their service providers.[8] A financial institution is considered to have discovered a notification incident "if such event is known to any person, other than the person committing the breach, who is [the institution's] employee, officer, or other agent." This language indicates that financial institutions are not considered to have knowledge of a notification event that occurred at a service provider (which would not typically be considered the financial institution's "agent") until the service provider makes the institution aware of the event. Although there is no specific requirement that institutions obligate their vendors to notify them of security incidents, the Safeguards Rule does require institutions to oversee their service providers, including by entering into contracts requiring service providers to maintain appropriate security safeguards for customer information. The FTC may take the position that financial institutions must require their service providers to report notification events to them under these broader service provider oversight obligations. Additionally, the FTC might argue that because customer information is defined to include information "that is handled or maintained by or on behalf of" a financial institution, institutions' responsibility for third-party notification events is assumed.

Report Requirements and Publication

Notifications to the FTC, which must be submitted via electronic form on the FTC website, must include the following information:

• The name and contact information of the reporting financial institution;
• A description of the types of information that were involved in the notification event;
• If the information is possible to determine, the date or date range of the notification event;
• The number of consumers affected;
• A general description of the notification event; and
• If applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official. A law enforcement official may request a delay in publication of the report for up to 30 days. The delay may be extended for an additional 60 days in response to a written request from the law enforcement official. Any further delay is only permitted if the FTC staff "determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security."

The FTC intends to make the reports it receives publicly available on its website. Financial institutions should take note that plaintiffs attorneys are likely to monitor these postings (as they do with public postings of data breach reports by various state attorneys general and the Department of Health and Human Services Office of Civil Rights) and may use them as a basis for commencing consumer class actions.

Preparing for Compliance

Financial institutions subject to the Safeguards Rule are advised to consider the following steps for preparing to comply with the Notification Requirement:

• Assess Safeguards Rule Compliance and Address Gaps Now: The FTC issued the Notification Requirement to support its enforcement efforts.[9] The FTC intends to review breach reports and assess whether a breach may have been the result of an institution's failure to comply with the Safeguards Rule's technical, administrative, and physical safeguards. Institutions should prepare for this increased scrutiny by assessing and remedying any compliance gaps with the Safeguards Rule. The FTC acknowledges that a breach may occur even if an institution fully complies with the Safeguards Rule, so institutions should be prepared to show the FTC that the notification incident occurred notwithstanding their compliance with the rule.[10]
• Review and Update Incident Response Plans. The Notification Requirement dramatically expands covered financial institutions' breach reporting obligations. Under state data breach reporting laws, companies are required to report breaches of only enumerated categories of data, such as Social Security numbers and other government-issued ID numbers, financial account numbers in combination with access credentials, usernames and passwords, and medical information. But given the broad definition of customer information under the Safeguards Rule, covered financial institutions will have to assess their breach reporting obligations for a much larger set of data. Institutions should update their incident response plans to address these expanded obligations and educate their incident response teams about them. Institutions also should determine who will be responsible for submitting any required report to the FTC. Reports should be reviewed by counsel prior to submission, given that they may form the basis for FTC enforcement or consumer class actions.[11]
• Revise Any Data Maps, Information Classification Schemes and Similar Documentation. Financial institutions also should review their data maps, data inventories, information classification schemes, and similar data management documentation to ensure that they properly address the many types of records that may be considered "customer information" containing "non-public personal information" subject to the Notification Requirement. Doing so will help financial institutions more quickly assess the impact of a security incident and determine whether it is a "notification event" under the amended Safeguards Rule (for example, by informing them of whether customer information may be present on a compromised system). Quick assessment will be important given the 30-day notification deadline, and that the FTC appears not to distinguish between when an institution becomes aware of a notification event and when it determines that the event triggers the reporting obligation.
• Assess and Amend Service Provider Agreements. Although there is no specific requirement in the Safeguards Rule that institutions obligate their service providers to notify them of notification events, the FTC may argue that such an obligation is assumed by the Safeguards Rule provisions. Accordingly, financial institutions should review their relevant service provider agreements and determine whether any amendments are necessary to support their compliance with the Notification Requirement.

+++

DWT's privacy and security team regularly counsels clients on compliance with evolving data breach notification laws—both proactively and following a potential data breach—and other data privacy and security requirements. We will continue to monitor the developments of the FTC's amended Safeguards Rule, including any enforcement of the Notification Requirement.