The Federal Trade Commission has approved an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act that creates a new data privacy regulatory reporting requirement for non-banking financial entities. Covered entities must notify the FTC within 30 days of discovery of a “notification event” that involves the unauthorized acquisition of unencrypted customer information of 500 or more consumers. The new rule, announced on October 27, takes effect 180 days after publication in the Federal Register, meaning approximately May 2024.
What entities does the new rule cover?
A “non-banking financial institution” is an entity engaged in an activity that is financial in nature or incidental to such financial activities, as described in section 4(k) of the Bank Holding Company Act of 1956.
Examples from the statute include the leasing office of a car dealership, appraisers of personal property or real estate, accountants or other tax preparation firms, travel agencies, title and escrow companies or any other business providing real estate settlement services, mortgage brokers, and more.
When is a notification event “discovered”?
Under the amendment, the 30-day clock for notification to the FTC begins running the date that the notification event is “discovered” or known to any person who is an employee, officer, or other agent of the covered entity and who is not the person who committed the breach.
The FTC rejected suggestions to have the clock begin running for the notification deadline on the date that the entity determined that the event met the requirements for notification, including the scope of impact.
What type of information is covered by this new rule?
The amendment applies to the unauthorized acquisition of unencrypted “customer information,” which is defined under Gramm-Leach as any record containing nonpublic personal information about a customer, in any form, that is handled or maintained by or on behalf of the covered entity or its affiliates. Under the rule, a consumer is a “customer” only if the consumer has a continuing relationship with the covered entity. A covered entity has a “continuing relationship” with a consumer if the covered entity provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
What is a notification event that triggers the FTC reporting requirement?
A "notification event" is defined as the acquisition of unencrypted customer information without the authorization of the customer.
The Rule presumes acquisition if there is unauthorized access to unencrypted customer information. The presumption can be rebutted only by reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of the information.
This means that a notification event could occur in instances where there is not a “data breach” as is commonly understood (such as cyber criminals breaking into a network and stealing data). Merely sharing customer data in a manner not authorized by the customer could potentially constitute a notification event.
Notification to the FTC
The affected business must notify the FTC as soon as possible, but no later than 30 days after the discovery of the notification event. The FTC will provide to the business a form to be filled out on its website. The form will require the affected entity to provide the following:
- Name and contact information of the reporting financial institution.
- Description of the information involved.
- Date or date range of the notification event.
- Number of consumers actually or potentially affected by the incident.
- General description of the event.
- Whether law enforcement has provided a written determination that notification of the breach would impede a criminal investigation or damage national security.
The FTC says that the initial notification requires “minimal details” and is intended to provide the FTC with information about emerging threats to financial institutions, to inform business and consumer education, and to assist it in determining whether any individual event should be investigated further.
The FTC intends to enter all notification event reports into a publicly available database.
Given this significant new regulation, non-banking financial services entities should update their customer data disclosure policies to clarify which disclosures are authorized by the customer. Covered entities should also review their incident response policies to ensure that procedures are in place for compliance with this rule when necessary.
Amir is a member of the Constangy Cyber Team and is based in the Philadelphia office. Prior to joining Constangy, Amir worked for the Camden County Prosecutor's Office, where he skillfully managed a diverse array of cases, honing ...
Donna is a partner in Constangy’s Portland office and a member of the Constangy Cyber Team. Donna evaluates the severity of potential data security incidents, such as ransomware attacks, company email compromise, and other ...
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
- Suzie Allen
- John Babione
- Dafina Buçaj
- Jason Cherry
- Maria Efaplomatidis
- Jordan L. Fischer
- Sebastian Fischer
- Laura Funk
- Lauren Godfrey
- Amir Goodarzi
- Taren N. Greenidge
- Julie Hess
- Carolyn C. Ho
- Sean Hoar
- Julie A. Keersmaekers
- Donna Maddux
- David McMillan
- Amanda Novak
- Ashley L. Orler
- Alyssa Pearce
- Rebecca Pollack
- Allison Prout
- Todd Rowe
- Sarah Rugnetta
- Allen Sattler
- Alyssa Watzman
- Aubrey Weaver