In an amendment to the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA), which was officially announced on October 27, 2023, the Federal Trade Commission (FTC) will mandate that a wide array of nonbank financial institutions report instances of unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information pertaining to more than 500 customers. This new obligation to notify the FTC represents a significant departure for financial institutions governed by the FTC’s Safeguards Rule. It significantly expands the scope of reportable incidents compared to existing state and federal regulations. Furthermore, notifications must be made promptly, and the FTC will generally make these reports available to the public.
The New Rule Has Broad Application
The new notification requirement applies to nonbank financial institutions subject to the existing FTC Safeguards Rule, encompassing a diverse set of entities such as mortgage brokers, money transmitters, certain fintech companies, nonbank lenders, credit reporting agencies, accountants, tax preparation services, real estate appraisers, auto dealers involved in specific leasing activities, and credit counselors.
Events Triggering Notification Obligations Are More Expansive than Under State Breach Notification Laws
The notification obligation applies to “customer information,” referring to nonpublic, personally identifiable financial data maintained about customers with whom the institution maintains an ongoing relationship to provide financial products or services for personal, family, or household purposes. The definition of “customer information” is notably more expansive than that of state breach notification laws, encompassing all nonpublic, personally identifiable information about an institution’s customers, instead of the limited information types typically specified in state laws. For example, “customer information” could include information a consumer provides on a loan or credit card application, account balance information, overdraft history, the very fact that an individual has been a customer, and information collected through a cookie.
Notification is necessary for a “notification event” that impacts the customer information of at least 500 consumers. A “notification event” covers any “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This definition encompasses not only traditional data breaches but also voluntary and intentional sharing of customer information without customer authorization. The following issues remain unclear: (1) what standards govern whether customers authorized a sharing; and (2) who makes the determination that sharing was unauthorized.
There is No Harm Threshold to Trigger Notification Obligations
The proposed rule initially required notice only for incidents reasonably likely to result in information misuse, similar to many other breach notification laws. However, this requirement was removed from the final rule, meaning that all incidents, even those with no potential for harm, must be disclosed. The FTC’s rationale is that removing the harm threshold simplifies the assessment of whether an incident must be reported.
Timeline and Required Contents of the Notification
Notification events must be reported to the FTC as soon as possible and within 30 days of discovery. Discovery is defined as the first day the event is known to the affected company, its employees, officers, or agents.
The notification to the FTC must include various information, such as the reporting company’s contact details, a description of the event, the date range of the event, the number of affected consumers, a general event description, and whether law enforcement has indicated that notifying the public might impede a criminal investigation or damage national security. Notifications will be conducted through an online reporting form available on FTC.gov.
Breach Notifications to the FTC will be Public
While the FTC declined to require individual notifications to affected consumers, it plans to publish notification event reports in a publicly accessible database. This is subject to a limited exception if law enforcement believes that public notice might obstruct a criminal investigation or jeopardize national security. This broader scope of required notifications means that the public could become aware of an incident through the FTC’s published report, even when individual notice is not mandated by state law and when there is no associated risk necessitating protective actions by individuals.
Takeaway
The broad definition of “customer information” will require notification for a wider variety of data events. Non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements.