FTC announces amendment to Safeguards Rule provision
Digital threats to financial data are constantly evolving and prolific, and regulatory bodies are adapting to ensure the protection of sensitive customer information. On October 27, 2023, the Federal Trade Commission (FTC) approved an amendment to the Standards for Safeguarding Customer Information, known as the Safeguards Rule, under the Gramm-Leach-Bliley Act (GLBA). This amendment brings a significant change to the regulatory landscape, imposing new notification requirements on a wide range of nonbank financial institutions in the event of unauthorized acquisitions of unencrypted, personally identifiable, nonpublic financial information pertaining to more than 500 customers.
The Evolution of the Safeguards Rule
The Gramm-Leach-Bliley Safeguards Rule was originally implemented in 2003 to ensure the security, confidentiality, and integrity of customer information held by financial institutions. However, as the landscape of cybersecurity threats continued to evolve, the FTC recognized the need to update and strengthen these protections.
In response to these changing threats, the FTC had previously published amendments to the Safeguards Rule on December 9, 2021. These amendments introduced more robust cybersecurity requirements, including provisions related to risk assessments, access restrictions, service provider assessments, and incident response plans. These changes were aimed at enhancing the security posture of financial institutions, reflecting the growing importance of cybersecurity in the financial sector.
One notable addition to the Safeguards Rule in the 2023 amendment is the introduction of security event notification obligations. Under the revised rule, non-banking financial institutions are now required to notify the FTC when they discover a “notification event.” A “notification event” is any “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” This notification requirement is a crucial component of the updated rule, and it brings financial institutions in line with existing security incident notification regulations.
The key difference in the revised rule is that it broadens the scope of notification events. While existing guidelines primarily focused on sensitive customer information, the new requirement mandates notification in the event of an unauthorized acquisition of unencrypted customer information. "Customer information" refers to records that contain "non-public personal information" about a customer, where "non-public personal information" is further defined as "personally identifiable financial information" and specifically excludes publicly available or non-personally identifiable data. This definition encompasses a broader spectrum of nonpublic personal information about a customer.
Financial institutions that experience a “notification event” affecting at least 500 consumers must notify the FTC as soon as possible, and no later than 30 days after discovery of the event. Discovery is considered to occur on "the first day on which such event is known" to the affected company.
The notification must include:
(1) The name and contact information of the reporting financial institution;
(2) A description of the types of information that were involved in the notification event;
(3) If it is possible to determine, the date or date range of the notification event;
(4) The number of consumers affected;
(5) A general description of the notification event; and, if applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.
Implications and Considerations
The FTC's amendment to the Safeguards Rule underscores the increasing importance of data security in the financial sector. With the ever-evolving landscape of cyber threats, financial institutions must stay vigilant and proactive in protecting customer data.
The new notification requirements are intended to ensure that the FTC remains informed about data breaches and security incidents affecting non-banking financial institutions. The FTC also intends to publish notification event reports in a publicly accessible database. However, there is a limited exception if law enforcement indicates that public notice might impede a criminal investigation or pose a threat to national security. While these institutions may already be subject to state or federal regulatory notification requirements, the FTC's amendment is intended to create consistent reporting so that the agency is well-informed about security events.
Financial institutions are advised to prepare for compliance with the amended Safeguards Rule, which will take effect 180 days after publication in the Federal Register. This grace period provides institutions with an opportunity to update their incident response plans and train their teams in accordance with the new requirements.
As the financial sector observes the 20th anniversary of the Gramm-Leach-Bliley Safeguards Rule, it is clear that the landscape of data security has changed dramatically over the last two decades. The latest amendments to the rule, introduced by the FTC, reinforce the commitment to protect consumer data in an era of evolving cybersecurity threats. By requiring non-banking financial institutions to report data breaches and security events, the FTC is taking proactive steps to enhance the security of financial data and protect the interests of consumers.
If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.