For years, the Gramm-Leach-Bliley Act (GLBA) has required financial institutions to maintain reasonable safeguards for consumer data, but it has imposed only limited breach-reporting requirements. To the extent financial institutions were subject to breach-reporting obligations at all, those obligations came from outside GLBA, such as state breach-notification statutes, or from the relatively narrow incident-reporting provisions of the Interagency Guidelines overseen by the federal banking regulators.
This changed on May 13, 2024, when new breach notification requirements under the Federal Trade Commission’s (FTC) GLBA Safeguards Rule came into effect. These new FTC rules represent a significant change for financial institutions overseen by the FTC, requiring a new form of regulatory notification covering a much wider range of incidents. This post briefly summarizes the new requirements, and proposes next steps financial institutions can consider.
What happened? Why is it important?
GLBA has long had its Safeguards Rule, which requires financial institutions to maintain the security of customer and consumer information. However, GLBA itself does not contain breach-notification obligations. Instead, financial institutions’ breach-reporting obligations primarily derived from state law. Additionally, the subset of financial institutions overseen by the federal banking regulators is subject to breach-reporting guidance issued under the Interagency Guidelines Establishing Information Security Standards. But, in addition to applying only to that subset of financial institutions, the Guidelines only require reporting of incidents that affect a defined set of “sensitive” customer data fields.
Now, as of May 13, 2024, a new breach reporting obligation under the FTC’s GLBA data security regulations went live. Going forward, financial institutions subject to FTC jurisdiction are now required to report data breaches that impact 500 or more individuals to the FTC.
This may represent a substantial change for in-scope financial services companies. Until now, the FTC’s GLBA rules did not contain breach-reporting obligations; FTC-overseen financial institutions generally evaluated breach-notification obligations under state law, not under GLBA or any other federal standard. The FTC’s new breach-notification obligations for the financial institutions it oversees may therefore require businesses to implement new policies and processes to support compliance.
Who is covered?
Financial institutions subject to FTC jurisdiction are required to comply. These are financial institutions that are not subject to supervision by another financial regulator, such as the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of Thrift Supervision (abolished in 2011, with its functions transferred to other banking regulators), the U.S. Securities and Exchange Commission (SEC), or state insurance commissioners. FTC-supervised financial institutions generally include:
- Mortgage lenders,
- Finance companies,
- Mortgage brokers,
- Account servicers,
- Wire transferors,
- Non-federally insured credit unions, and
- Investment advisers that are not required to register with the SEC.
What must be reported to the FTC?
A data breach (a “notification event” in the rule’s terminology) is reportable if it involves the unauthorized acquisition of unencrypted customer information of 500 or more individuals. Note that customer information counts as unencrypted for this purpose if the encryption key was itself accessed by an unauthorized person, so encryption at rest does not take an incident out of scope when the attacker also obtained the key. Unlike state data breach laws and the Interagency Guidelines applicable to banks, the rule defines “customer information” broadly as any nonpublic personal information whatsoever relating to a customer, not an enumerated list of particularly sensitive data fields such as SSNs or credit/debit card numbers. The FTC’s breach-notification rule therefore potentially requires reporting (or at least evaluation for reporting) of a broader range of incidents than in the past.
As stated above, breaches are reportable if they involve “acquisition” of customer information. In-scope entities would thus have to report incidents in which data is “taken” in some way, such as copied, downloaded, or exfiltrated. Importantly, unauthorized “acquisition” of unencrypted customer information is presumed to include unauthorized access to such information unless the financial institution has “reliable” evidence that there has not been, or could not reasonably have been, unauthorized acquisition. In practice, this shifts the burden to the institution: absent logs or forensic evidence showing that accessed data was not exfiltrated, an access event should be treated as an acquisition for reporting purposes.
Unlike under certain state laws, the FTC’s breach notification requirement does not contain a “risk of harm” analysis or “risk of harm” threshold. Previous drafts of the FTC’s rules would have required a risk of “misuse” to have been apparent from the incident, but the FTC removed this requirement from the final rule.
In-scope entities required to notify the FTC must do so as soon as possible, and no later than 30 days after discovering the breach. Under the rule, an event is treated as discovered on the first day it is known to the institution, including to any employee, officer, or agent other than the person who committed the breach, so the clock does not wait for the security team’s formal confirmation. The 30-day outer limit is largely consistent with reporting deadlines in some state data breach statutes.
To make reporting easier for companies, the FTC provides an online “Security Event Reporting Form.” The FTC has stated that it intends to publish the breach reports it receives on its website.
What are penalties for noncompliance?
Noncompliance is subject to enforcement by the FTC. Notably, the FTC has in the past read GLBA as granting it authority to seek fines and civil penalties for “first-time” offenses. Recent FTC cases show the agency aggressively investigating companies that fail to report security incidents, and imposing substantial non-monetary remedies as well, such as mandated security programs, annual executive compliance certifications, or years of third-party monitoring.
What can our company do?
If your company is in-scope for FTC supervision, we recommend reviewing internal breach-reporting processes to confirm they can enable compliance with the FTC’s new rules.
- Incident response plans should be updated as needed to make sure that (a) incidents are reviewed, escalated, and evaluated under the FTC’s definition of a reportable incident, including the presumption that unauthorized access is an acquisition, and (b) incident evaluation timelines, measured from the date of discovery rather than from confirmation, enable you to meet the FTC’s 30-day deadline.
- Internal data and IT mapping should be updated to reflect where “customer information” potentially subject to FTC breach reporting obligations is stored. Data may need to be considered for reclassification based on whether it may trigger FTC reporting requirements.
- This is also an opportunity for companies to confirm that their broader cybersecurity and information security programs comply with the FTC GLBA Safeguards Rule. The FTC has published detailed guidance about the elements it expects businesses’ security programs to include (we summarized the FTC’s requirements on our Privacy Blog as well), and after a breach notification to the FTC, all of these could become fair game for follow-up requests about the company’s security practices.
- Lastly, it may be prudent to review contracts with vendors and service providers to confirm that they include incident-notification terms (including notification timelines short enough to leave room for the FTC’s 30-day deadline) that enable the company to comply with the FTC’s new breach-reporting requirements.