On May 13, 2024, the FTC’s new rule (the “Rule”) requiring certain financial institutions to report cyber incidents to the Commission will go into effect. The Rule, which is an amendment to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, will for the first time require “non-banking financial institutions” to report a wide range of data breaches and other unauthorized data disclosures to the FTC within 30 days of discovery. The FTC will publish notifications in a publicly accessible database.
Under the new Rule, non-banking financial institutions, such as mortgage brokers, financial advisors, motor vehicle dealers, and payday lenders, among others, must now notify the FTC of any “notification event” impacting 500 or more customers. A “notification event” is broadly defined to mean “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.”
The list of information elements covered by the Rule is expansive and broader than that of state data breach reporting laws. Earlier proposed versions of the Rule applied only to “sensitive customer information.” The Final Rule, however, removes the word “sensitive,” broadening the Rule’s scope to cover any non-public personal information collected by an organization, including, for example, credit scores, account balances, purchase history, and even the fact that an individual is a customer of a business. See 16 C.F.R. § 314.2(n)(2). None of these example elements triggers notice under state law, yet each requires notice to the Commission under the new Rule. Additionally, while states limit application of their reporting laws to electronic records, the new FTC Rule covers paper records as well. See 16 C.F.R. § 314.2(d) (“…any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”).
Moreover, while many states include some sort of risk-of-harm analysis before determining whether a cyber incident triggers notice, the new FTC Rule does not. The Commission reasoned that incorporating risk to consumers in a notice analysis would allow “financial institutions to underestimate the likelihood of misuse, and, thereby, the need to report the security event.” See Federal Register / Vol. 88, No. 217, 77503. Accordingly, any access not expressly authorized by the consumer triggers notice. This includes employees who, without authorization, read documents containing consumers’ personal information. See Id., FN 49 (citing 74 FR 42962, 42966 (Aug. 25, 2009)) (“If the unauthorized employee read the data and/or shared it [ ], he or she ‘acquired’ the information, thus triggering the notification obligation in the rule.”).
Another example of the breadth of the Rule is its position on access versus acquisition. Many states’ data breach reporting laws, including Alabama, California, and Illinois, trigger notice on acquisition only. In other words, under these state statutes, simply accessing personal information without authorization is not sufficient to trigger notice. The information must be acquired (e.g., exfiltrated from the network). By contrast, the FTC has taken the position that if unauthorized access has occurred, acquisition is assumed unless forensic evidence can prove acquisition did not occur. See Id.
Interestingly, while the law requires institutions to report such notification events to the FTC, it does not require notice to the individuals affected by the notification event. The Commission expressly rejected adding such a requirement, reasoning that it would be redundant to state data breach reporting laws. Relevant state laws, however, provide a narrower definition of what triggers notice. This omission may create a dilemma for companies that have experienced a security incident involving elements that do not trigger individual notice under state law but do require notice to the FTC under its new Rule. The FTC’s intention to publish such notices further complicates matters. The notices to the Commission must include, among other elements, the name of the organization, a description of the types of information involved, and the number of individuals affected by the incident. Consumers who view the database, or who are made aware through news reports, may learn that a company they do business with has experienced a “notification event” but may not know whether their own information was part of that event. Accordingly, companies may struggle with the decision of whether to go beyond their legal obligations and notify individuals in order to mitigate confusion and foster transparency, while at the same time increasing the organization’s risk of litigation.