FTC Amends Safeguards Rule to Require Notification of Unauthorized Data Acquisitions to the Agency

BakerHostetler
Contact

BakerHostetler

Key Takeaways

  • Last week, the Federal Trade Commission (FTC or Commission) announced changes to the FTC Safeguards Rule (Rule) that will require nonbank financial institutions to provide notice to the agency within 30 days of discovering a “notification event” affecting more than 500 people.
  • Given that “financial institution” and “notification event” are terms that are broadly defined, legal, compliance, privacy and security professionals at these financial institutions need to consider these new requirements, which likely will become effective sometime after May 1, 2024.[1]
  • In particular, prior to the effective date, financial institutions that do not have a federal functional regulator should update their written incident response plan to ensure that there are proper procedures in place to identify when notification to the FTC is required.

Background

Back in 2021, the FTC announced substantial changes to the Rule that imposed more detailed and rigorous security requirements for covered financial institutions and was largely based on the New York State Department of Financial Services Cybersecurity Regulations, which contain information security standards and a regulatory notification requirement. At that time, the agency also issued a separate rulemaking notice that asked whether it should require financial institutions to report certain data breaches and other security events to the Commission, and 14 comments reflecting a range of viewpoints were filed in response. The agency then issued a Federal Register notice that details the comments and adopts a new notification requirement.

New FTC Notification Requirement

The Rule applies to nonbank financial institutions, which can include a wide range of entities, including mortgage lenders, payday lenders, collection agencies, auto dealers, financial advisers, tax preparation firms and financial technology (fintech) firms that do not have a federal functional regulator. Helpful guidance on the FTC website details the somewhat complex statutory roadmap that can help you determine whether you are covered by the Rule and these new requirements.

If you have information that is subject to the Rule, the first question will be whether a “notification event” has occurred. Notification events occur when there is “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” Significantly, unlike its proposal, the Rule is not conditioned on an assessment of the likelihood such information is misused. Instead, the trigger is mere acquisition, which can occur in many different circumstances, including when a hacker acquires information; but the Rule may also be triggered if a company voluntarily shares information with third parties in a way that is inconsistent with representations made to consumers. It should be noted that this provision applies to “customer information,” which is defined in the Rule as records containing “non-public personal information” about a customer. Further, “non-public personal information” is defined as “personally identifiable financial information” and excludes information that is publicly available or not “personally identifiable.”

If such a notification event involving unencrypted customer information of more than 500 people occurs, the Rule then requires notice to be made within 30 days of discovery through a form that will eventually be located on the FTC’s website. The information to be provided is straightforward and includes the types of information involved and the number of affected customers. As for when “discovery” is deemed to occur, the Federal Register notice discusses this in some detail and the agency indicates that “you shall be deemed to have knowledge of a notification event if such event is known to any person, other than the person committing the breach, who is your employee, officer, or other agent.”

These changes require notice to the FTC only and do not require customer notification, but of course, many if not most of the incidents that require notice to the FTC will likely trigger such notification requirements from other state or federal regulations. And the FTC has indicated that it “intends to enter notification event reports into a publicly available database.”

Finally, the Commission notes in the Federal Register notice that although many of the incidents at issue already require notification pursuant to other regulatory requirements, notice to the FTC will “enable the Commission to monitor for emerging data security threats affecting financial institutions and to facilitate prompt investigative response to major security breaches.”


[1] The effective date is currently imprecise because the Rule becomes effective 180 days after it is published in the Federal Register; that has not yet happened but will likely occur within a few weeks.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler

Written by:

BakerHostetler
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

BakerHostetler on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide