Applicability
The FTC’s Safeguards Rule—and the Final Rule—apply to non-banking financial institutions, such as mortgage brokers, auto dealers, and payday lenders. The Final Rule will put such entities in a similar position as regulated banking organizations, which, under the Interagency Guidelines Establishing Information Security Standards,1 are required to notify their primary federal regulator of “incident[s] involving unauthorized access to or use of sensitive customer information.2
“Notification Event”
The Final Rule defines “notification event” to mean the “acquisition of unencrypted customer information3 without the authorization of the individual to which the information pertains.” The Final Rule specifies that unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless the financial institution “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.” The Final Rule notes that this presumption is consistent with the FTC’s Health Breach Notification Rule4 and provides an example of evidence sufficient to rebut the presumption: “If an entity’s employee loses a laptop in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing, for example, that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised.”
Timing Requirements
Notification events must be reported to the FTC no later than 30 days after discovery. Notably, the Final Rule provides guidance on what it means to “discover” a notification event: entities shall treat a notification event as discovered as of the first day on which such event is known to the financial institution, and a notification event is “known” once it is known to any person, other than the person committing the breach, who is an employee, officer, or other agent of the financial institution. The Final Rule is somewhat unusual in this respect, as breach notification laws and regulations typically do not define “discovery” (and this definition may not align with how the date of discovery is determined for other breach reporting obligations).
Content Requirements
Notice to the FTC must be made electronically on a form to be located on the FTC’s website and must include:
- The name and contact information of the reporting financial institution;
- A description of the types of information that were involved in the notification event;
- The date or date range of the notification event, if such information is possible to determine;
- The number of consumers affected or potentially affected by the notification event;
- A general description of the notification event; and
- Whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.
Interaction with State Breach Notification Laws
The FTC’s Final Rule does not preempt general state data breach notification laws or other applicable requirements.
Next Steps
Non-banking financial institutions are well-advised to update their incident response plans to account for the Final Rule’s new notification obligations, and to confirm that employees are reminded of incident reporting processes as well as to report promptly any suspected/actual incident given the broad definition of “discovery” in the Final Rule. Additionally, such institutions may wish to confirm that customer information covered by the Safeguards Rule is encrypted where feasible, and that any exceptions are well understood and documented.
Authored by Roshni Patel, A.J. Santiago, Paul Otto, and Dan Ongaro.
1/ The Interagency Guidelines are joint guidance issued by the OCC, FRB, and FDIC for implementing the GLBA's Safeguards Rule. See 12 C.F.R. pt. 208, App. D–2 (FRB) (“Regulation H”) and 12 C.F.R. pt. 225, App. F (FRB) (“Regulation Y”); 12 C.F.R. pt. 364, App. B (FDIC); 12 C.F.R. pt. 30, App. B (OCC).
2/ See, e.g., 12 C.F.R. pt. 364, App. B, Supp. A, sec. II(A)(1)(b).
3/ Information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person.
4/ See 16 CFR 318.2(a) (“Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”)
