Constangy Cyber attorneys Donna Maddux and Amir Goodarzi co-authored an article, published in the December 2023 issue of HR.com’s Legal and Compliance Excellence, detailing an amendment to the Federal Trade Commission’s (FTC) Safeguards Rule that changes how and when covered entities must report a consumer data breach.
The FTC approved an amendment to the Safeguards Rule under the Gramm-Leach-Bliley Act that expands the reporting requirements for non-banking financial institutions. Under the amendment, a covered entity must notify the FTC within 30 days of discovering a “notification event” in which the data of 500 or more customers is exposed in a cyber incident or is disclosed in a manner the customer did not authorize.
Breaking down the amendment, Maddux and Goodarzi explained that non-banking financial institutions are those that engage in any activity that is financial in nature, or even incidental to financial activities. That broad definition means affected businesses could range from the financing office of a car dealership to travel agencies and property appraisers. These entities “should update their customer data disclosure policies to clarify which disclosures are authorized by the customer” and “also review their incident response policies to ensure that procedures are in place for compliance with this rule, when necessary,” Maddux and Goodarzi suggested.
Maddux and Goodarzi noted several important elements of the amendment to keep in mind:
- When the clock starts – the 30-day clock begins when the notification event becomes known to an employee, officer, or other agent of the covered entity, not when the incident itself occurred.
- Type of information covered – the amendment applies to breaches of customer information, defined as “any record containing nonpublic personal information about a customer, in any form, that is handled or maintained by or on behalf of the covered entity or its affiliates.”
- Who is a customer – the customer must have a continuing relationship with the covered entity, meaning the covered entity provides one or more financial products or services to that person.
- Notification events that trigger FTC reporting – a notification event can be a data breach in the traditional sense of cyber theft, or simply the sharing of customer data in a manner the customer did not authorize.
- The FTC notification process – affected businesses must notify the FTC within 30 days of discovering the notification event by completing a form that provides information about the incident and the entity’s response.
These new requirements, slated to take effect in May 2024, are significant for a wide range of non-banking financial services entities. Those organizations should update their customer data disclosure policies and incident response plans now to remain compliant.
For the full article, please click here.