FTC amends Safeguards Rule to require non-banking financial institutions to report data breaches

Hogan Lovells
Contact

Hogan Lovells

Mock trials are a valuable tool for attorneys to evaluate how a jury may react to their case. With the growth of technology and in response to the global pandemic, online mock trials have become increasingly popular and may be a better fit for your jury research needs than the traditional in-person mock trial. In this article, we will explore some of the benefits of online mock trials and in-person mock trials and discuss why one format may be a better choice for your particular case.


Applicability

The FTC’s Safeguards Rule—and the Final Rule—apply to non-banking financial institutions, such as mortgage brokers, auto dealers, and payday lenders. The Final Rule will put such entities in a similar position as regulated banking organizations, which, under the Interagency Guidelines Establishing Information Security Standards,1 are required to notify their primary federal regulator of “incident[s] involving unauthorized access to or use of sensitive customer information.2


“Notification Event”

The Final Rule defines “notification event” to mean the “acquisition of unencrypted customer information3 without the authorization of the individual to which the information pertains.” The Final Rule specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless the financial institution “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” The Final Rule notes that this presumption is consistent with the FTC’s Health Breach Notification Rule4 and provides an example of evidence sufficient to rebut the presumption: “If an entity’s employee loses a laptop in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing, for example, that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised.”


Timing Requirements

Notification events must be reported to the FTC no later than 30 days after discovery. Notably, the Final Rule provides guidance on what it means to “discover” a notification event: entities shall treat a notification event as discovered as of the first day on which such event is known to the financial institution, and a notification event is “known” once it is known to any person, other than the person committing the breach, who is an employee, officer, or other agent of the financial institution. The Final Rule is somewhat unusual in this respect, as breach notification laws and regulations typically do not define “discovery” (and this definition may not align with how the date of discovery is determined for other breach reporting obligations).


Content Requirements

Notice to the FTC must be made electronically on a form to be located on the FTC’s website and must include:

  • The name and contact information of the reporting financial institution;
  • A description of the types of information that were involved in the notification event;
  • The date or date range of the notification event, if such information is possible to determine;
  • The number of consumers affected or potentially affected by the notification event;
  • A general description of the notification event; and
  • Whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.

Interaction with State Breach Notification Laws

The FTC’s Final Rule does not preempt general state data breach notification laws or other applicable requirements.


Next Steps

Non-banking financial institutions are well-advised to update their incident response plans to account for the Final Rule’s new notification obligations, and to confirm that employees are reminded of incident reporting processes as well as to report promptly any suspected/actual incident given the broad definition of “discovery” in the Final Rule. Additionally, such institutions may wish to confirm that customer information covered by the Safeguards Rule is encrypted where feasible, and that any exceptions are well understood and documented.


1/ The Interagency Guidelines are joint guidance issued by the OCC, FRB, and FDIC for implementing the GLBA's Safeguards Rule. See 12 C.F.R. pt. 208, App. D–2 (FRB) (“Regulation H”) and 12 C.F.R. pt. 225, App. F (FRB) (“Regulation Y”); 12 C.F.R. pt. 364, App. B (FDIC); 12 C.F.R. pt. 30, App. B (OCC).

2/ See, e.g., 12 C.F.R. pt. 364, App. B, Supp. A, sec. II(A)(1)(b).

3/ Information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person.

4/ See 16 CFR 318.2(a) (“Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”)

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Hogan Lovells

Written by:

Hogan Lovells
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide