New FTC Rule Expands Reach of Data Breach Notification Requirement to Non-Banking Financial Institutions

Jaburg Wilk
Contact

Jaburg Wilk

In an amendment to the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA), which was officially announced on October 27, 2023, the Federal Trade Commission (FTC) will mandate that a wide array of nonbank financial institutions report instances of unauthorized acquisition of unencrypted, personally identifiable, nonpublic financial information pertaining to more than 500 customers. This new obligation to notify the FTC represents a significant departure for financial institutions governed by the FTC’s Safeguards Rule. It significantly expands the scope of reportable incidents compared to existing state and federal regulations. Furthermore, notifications must be made promptly, and the FTC will generally make these reports available to the public.

The New Rule Has Broad Application

The new notification requirement applies to nonbank financial institutions subject to the existing FTC Safeguards Rule, encompassing a diverse set of entities such as mortgage brokers, money transmitters, certain fintech companies, nonbank lenders, credit reporting agencies, accountants, tax preparation services, real estate appraisers, auto dealers involved in specific leasing activities, and credit counselors.

Events Triggering Notification Obligations Are More Expansive than Under State Breach Notification Laws

The notification obligation applies to “customer information,” referring to nonpublic, personally identifiable financial data maintained about customers with whom the institution maintains an ongoing relationship to provide financial products or services for personal, family, or household purposes. The definition of “customer information” is notably more expansive than that of state breach notification laws, encompassing all nonpublic, personally identifiable information about an institution’s customers, instead of the limited information types typically specified in state laws. For example, “customer information” could include information a consumer provides on a loan or cred card application, account balance information, overdraft history, the very fact that an individual has been a customer, and information collected through a cookie.

Notification is necessary for a “notification event” that impacts the customer information of at least 500 consumers. A “notification event” covers any “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This definition encompasses not only traditional data breaches but also voluntary and intentional sharing of customer information without customer authorization. The following issues remain unclear: (1) what standards govern whether customers authorized a sharing; and (2) who makes the determination that sharing was unauthorized.

There is No Harm Threshold to Trigger Notification Obligations

The proposed rule initially required notice only for incidents reasonably likely to result in information misuse, similar to many other breach notification laws. However, this requirement was removed from the final rule, meaning that all incidents, even those with no potential for harm, must be disclosed. The FTC’s rationale is that this approach will ease the assessment of incidents without a harm threshold.

Timeline and Required Contents of the Notification

Notification events must be reported to the FTC as soon as possible and within 30 days of discovery. Discovery is defined as the first day the event is known to the affected company, its employees, officers, or agents.

The notification to the FTC must include various information, such as the reporting company’s contact details, a description of the event, the date range of the event, the number of affected consumers, a general event description, and whether law enforcement has indicated that notifying the public might impede a criminal investigation or damage national security. Notifications will be conducted through an online reporting form available on FTC.gov.

Breach Notifications to the FTC will be Public

While the FTC declined to require individual notifications to affected consumers, it plans to publish notification event reports in a publicly accessible database. This is subject to a limited exception if law enforcement believes that public notice might obstruct a criminal investigation or jeopardize national security. This broader scope of required notifications means that the public could become aware of an incident through the FTC’s published report, even when individual notice is not mandated by state law and when there is no associated risk necessitating protective actions by individuals.

Takeaway

The broad definition of “customer information” will require notification for a wider variety of data events. Non-banking financial institutions should consider reviewing and revising their incident response procedures so that they can be prepared to conduct a separate analysis of FTC notification requirements.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Jaburg Wilk

Written by:

Jaburg Wilk
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Jaburg Wilk on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide