FTC cyber breach notification rules: If you’re a non-banking financial institution, here’s what you need to know.

Financial institutions are now required to notify the Federal Trade Commission about any security breach that involves the information of 500 customers or more. The breach must be reported no later than 30 days after it is discovered.

The new requirement is a result of an FTC amendment to the Safeguards Rule of the Gramm-Leach-Bliley Act. The amendment was announced in October 2023 and took effect on May 13 of this year. The purpose of the waiting period was to allow institutions to prepare for the changes.

The amendment defines a notification event as the “acquisition of unencrypted customer information without the authorization of the individual to which [sic] the information pertains.” The amendment also states that unauthorized acquisition is presumed to include unauthorized access to unencrypted customer information unless there is “reliable evidence showing that there has not been, and could not reasonably have been, unauthorized acquisition of such information.”

A notification event is deemed to have been “discovered” on the first day that the event becomes known by the affected institution. Following discovery, the FTC requires that it be notified as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers.

The amendment itself does not include any requirement to notify the affected persons of the incident, but state laws could apply that would require notification of individuals.

The purported goal of the amendment is to establish a uniform reporting requirement for all regulated financial institutions subject to Gramm-Leach-Bliley. The FTC argues that the amendment imposes a minimal burden on financial institutions because they will already be preparing state and consumer notifications. Because, in the view of the FTC, the burden of reporting is minimal, the amendment has no exemptions or alternatives for small entities. The FTC acknowledged that not every notification received by the FTC will result in an investigation and/or enforcement action.

Notifications can be provided via a form on the FTC's website. The form provides the specific details on what information must be included with the report, which will then be made public on the site. However, a reporting institution can request that public disclosure of the report be delayed for law enforcement purposes.

The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com. The Team also assists with information security and incident response policies and procedures and supports with incident response, including breaches. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

  • Suzie
    Associate Attorney

    Before coming to a law firm, Suzie worked for Leidos as a contractor for the Department of Health and Human Services, Office for Civil Rights. There, she investigated and advised HIPAA covered entities in response to complaints made ...

  • Matthew Toldero
    Partner

    He brings over ten years of combined incident response and risk management experience to his role on our Rapid Response Team. During the seven years prior to joining the Constangy Cyber Team, Matt worked at a boutique incident ...
