The Federal Trade Commission (FTC) on Oct. 27, 2023, announced further amendments to the Gramm-Leach-Bliley Safeguards Rule (Safeguards Rule). The Safeguards Rule became effective in 2003, requiring certain financial institutions to implement comprehensive security measures for the protection of customer data. As threats to the security of financial data continued to evolve and proliferate, the FTC published amendments to the Safeguards Rule on Dec. 9, 2021, to add more robust cybersecurity requirements – including requirements related to risk assessments, access restrictions, service provider assessment requirements and incident response plans. (See Holland & Knight's previous alert, "The Impact of Cybersecurity Regulations on the Financial Services Industry in 2022," Jan. 12, 2022.)
Though the 2021 amendments did not address security event notification obligations, the FTC noted that other federal agencies enforcing the Gramm-Leach-Bliley Act (GLBA) have long required financial institutions to provide security incident notice under the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
Notification Requirements
Under the revised Rule, non-banking financial institutions are required to notify the FTC upon "discovery" of a "notification event." For many financial institutions, the revised Rule is additive to existing security incident notification regulations, such as the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, which require financial institutions to provide notice to their primary federal regulator in the event of any computer security incident.
Notably, the revised Rule differs from existing Interagency Guidance notification requirements to individuals by requiring notification in the event of unauthorized acquisition of unencrypted customer information (any nonpublic personal information about a customer of a financial institution), rather than only sensitive customer information (technically, a customer's name, address or telephone number in conjunction with sensitive personal information such as a Social Security number, driver's license number or account number).
Under the revised Rule, financial institutions that experience a notification event involving at least 500 consumers must notify the FTC as soon as possible, but no later than 30 days after discovery of the notification event. A notification event is considered "discovered" as of the first day on which such event is known to the financial institution, including any of the institution's employees, officers or other agents. A financial institution will need to consider to what extent its service providers could be considered "agents" under the requirement; in any event, this discovery-based trigger is one more reason to prefer simple triggers based on discovery in contractual notification obligations.
The notice must be made electronically on a form to be published on the FTC's website, which requires the following:
- the name and contact information of the reporting financial institution
- a description of the types of information of the reporting financial institution
- if it is possible to determine, the date or date range of the notification event
- a general description of the notification event
The FTC security event reports will be entered into a publicly available database, although publication may be delayed based on a request of law enforcement.
Though the FTC acknowledged that entities covered by the Rule may be subject to additional state or federal regulatory notification requirements, the FTC declined to provide any carve-outs to the notification requirement, in order to ensure the FTC receives consistent information regarding security events. As a result, entities covered by the Rule must notify the FTC regardless of their notification obligations to other federal or state regulators.
The FTC did not see a need to add a requirement to notify affected individuals, given that data breach notification requirements exist in all states, and also pursuant to Interagency Guidance under the GLBA itself. Nonetheless, given that those notification laws trigger notification based on specific types of personal information and, in some cases, a risk of harm, there may well be many notices to the FTC for data incidents that do not require notification to individuals.
Conclusion and Considerations
The amendment to the Safeguards Rule will take effect 180 days after it is published in the Federal Register, providing financial institutions some time to prepare. Financial institutions should update their incident response plans and ensure that response team members are appropriately trained as to these new requirements. No matter what, financial institutions will have one more good reason to protect customer data, which is exactly what the FTC has in mind.