Non-bank financial institutions will have a new data breach disclosure requirement effective May 13, 2024. The Federal Trade Commission (FTC) recently updated the Gramm-Leach-Bliley Safeguards Rule (“Safeguards Rule”), adding the breach notice obligation to the existing Safeguards Rule data security requirements. As a result, a wide range of non-bank financial institutions may need to update their internal security safeguards and processes, including their security breach assessment and incident response plans, service provider and vendor agreements, and audit process.
The FTC’s Safeguards Rule requires non-banking financial institutions—such as mortgage brokers, motor vehicle dealers, tax preparers, credit reporting agencies, and lenders—to develop and maintain a comprehensive security program to keep their customers’ nonpublic personal information safe.
Security Breach Notification Event
Under the FTC’s amendment to the Safeguards Rule, financial institutions will be required to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers. The event requires notification if unencrypted customer information has been acquired without the authorization of the individual to whom the information pertains. In the rule, the FTC stated its intention to enter breach notification reports into a publicly available database.
Key Notice Elements
The notice to the FTC must include certain information about the event, such as the number of consumers affected or potentially affected. The notice shall be made electronically on a form located on the FTC’s website.
The notice shall include the following:
(i) the name and contact information of the reporting financial institution;
(ii) a description of the types of information that were involved in the notification event;
(iii) the date or date range of the notification event, if possible to determine;
(iv) the number of consumers affected or potentially affected by the notification event;
(v) a general description of the notification event; and
(vi) whether any law enforcement official has provided the notifier with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.
Significance of the Date of Discovery
The notification event shall be treated as discovered as of the first day on which such event is known to the non-bank financial institution.
A law enforcement official may request an initial notification delay of up to 30 days following the date when notice was provided to the FTC. The delay may be extended for an additional period of up to 60 days if the law enforcement official seeks such an extension in writing. Additional delay may be permitted only if the FTC staff determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.
Background
Congress enacted the Gramm-Leach-Bliley Act (GLBA) in 1999. The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to provide customers with information about the institutions' privacy practices and about customers’ opt-out rights and to implement security safeguards for customer information.
The FTC previously amended the Safeguards Rule in 2022 to include specific criteria for what safeguards non-bank financial institutions must implement as part of their information security programs. This includes, among other things, a written information security program, risk assessments, appointment of a qualified individual, penetration testing and vulnerability assessments, encryption of customer information at rest and in transit, multifactor authentication, and reports to the board of directors or governing bodies of the financial institution.