On October 27, the Federal Trade Commission (FTC) announced a final rule amending the Standards for Safeguarding Customer Information (Safeguards Rule) under the Gramm-Leach-Bliley Act. The Safeguards Rule requires nonbanking financial institutions to develop, implement, and maintain a comprehensive information security program to keep their customers’ information safe. The amendment will require financial institutions to notify the FTC no later than 30 days after discovery of a security breach involving the information of 500 or more consumers. The amendment will go into effect 180 days after publication of the final rule in the Federal Register.
Specifically, the amendment applies to “notification events,” which are defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” Notably, the FTC final rule requires notification where customer information has been acquired, rather than only when misuse is considered likely, although the FTC agrees that notification should not be required when harm to consumers is rendered extremely unlikely because the customer information is encrypted. Although the FTC received public comments advocating for the inclusion of a “risk of harm” to consumers analysis, the FTC believes that determining whether acquisition has occurred simplifies the requirement and will enable financial institutions to determine more quickly whether a notification event has occurred.
If a notification event involves the information of 500 or more consumers, the covered entity must notify the FTC “as soon as possible, and no later than 30 days after discovery of the event” using a form on the FTC’s website. The FTC will deem a financial institution to have knowledge of a notification event if such event is known to any person, other than the person committing the breach, who is the financial institution’s employee, officer, or other agent.
The notice must include:
- The name and contact information of the reporting financial institution;
- A description of the types of information involved;
- If possible, the date or date range of the notification event;
- The number of consumers affected or potentially affected;
- A general description of the notification event; and
- If applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and the contact information for the law enforcement official.
This is a supplemental rulemaking to the Safeguards Rule updates previously finalized on December 9, 2021.
Four Quick Steps to Take Now:
- Incident Response Plan. Update your incident response plan in line with the requirements of the amendment and its 30-day period to notify the FTC.
- Service provider agreements and security assessment questionnaires. Update service provider contracts, statements of work, and security diligence assessment questionnaires to make sure service providers of financial institutions (including nonbanking financial institutions): (i) have developed, implemented, and maintained a comprehensive information security program around customers’ information; and (ii) are required to promptly notify their financial institution customers, because the 30-day notification clock starts when the triggering event is known not just by a company officer or employee, but also by an agent, including a service provider.
- Training. Update training to make sure the updated incident response plan, service provider contracting processes, and new amendment requirements are explained.
- Tabletop exercises. Update or conduct cyber simulation tabletop training exercises that include FTC notification questions and third-party service provider security incident scenarios, to give staff further exposure to and practice with the new amendment’s requirements.
Troutman Pepper will continue to monitor important developments involving the FTC and the Safeguards Rule and will provide further updates as they become available. If you need assistance with complying with the requirements of the new amendment, please reach out to the authors of this article or any member of our Privacy & Cyber or Consumer Financial Services groups.