On October 27, 2023, the Federal Trade Commission (FTC) finalized an amendment to the Safeguards Rule that will impose data breach reporting requirements on nonbanking financial entities subject to the Gramm-Leach-Bliley Act (GLBA). The amended Safeguards Rule will come into effect 180 days after publication in the Federal Register, that is, at some point in 2024. For many nonbanking financial entities, the reporting requirements will be new, and preparing for them now will be a critical compliance and control step.
The Safeguards Rule applies to financial institutions that fall under the FTC’s jurisdiction and are not subject to the authority of another regulator under the GLBA (subject to certain specific exceptions). These in-scope institutions may engage in the following types of activities:
Lending, exchanging, transferring or safeguarding money;
Insuring, guaranteeing or indemnifying against loss;
Providing financial investment advice;
Issuing or selling instruments or economic instruments; and
Underwriting, dealing in, or making a market in securities.
Some examples listed in the Safeguards Rule of entities that would fall under the FTC’s umbrella include:
A retailer that extends credit;
An automobile dealership that leases automobiles on a nonoperating basis for longer than 90 days;
A personal property or real estate appraiser;
A career counselor focused on providing career counseling to individuals employed or seeking to be employed in financial organizations;
Check cashers; and
If you are not sure whether your organization is subject to the Safeguards Rule, please contact the authors or your McDermott contact.
NEW BREACH REPORTING REQUIREMENTS
Many US state data breach reporting laws expressly exempt from their reach entities that are subject to the GLBA. As a result, historically, when a GLBA entity experienced a data security breach, its notification obligations may have been limited. The FTC’s recent amendments to the Safeguards Rule change that.
Under the amendments, GLBA-covered entities subject to the FTC’s jurisdiction must report to the FTC within 30 days after discovery of an incident impacting more than 500 consumers. Discovery means the first day on which the event is known to any employee, officer or other agent of the institution. Entities will file the notification electronically through a form located on the FTC’s website and include the following information:
The name and contact information of the reporting financial institution;
A description of the types of information involved in the notification event;
If it is possible to determine, the date or date range of the notification event;
The number of consumers potentially affected by the event;
A general description of the notification event; and
If applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation, and a means for the FTC to contact the law enforcement official.
The initial report can, and should, be updated once additional information is discovered.
ENCRYPTION SAFE HARBOR
The amended rule creates a safe harbor for encrypted data. Notification is required only when unencrypted customer information is acquired (though unauthorized acquisition will be presumed to include unauthorized access unless there is reliable evidence showing that the information was not actually, or could not have reasonably been, acquired). The amended rule states that customer information is considered unencrypted if the encryption key was accessed by an unauthorized person.
These new requirements create new compliance and corporate control mechanisms that nonbanking financial institutions will need to follow to remain in compliance with the Safeguards Rule. If you have questions or need assistance in readiness work for the new state consumer laws, please contact your regular McDermott lawyer or the authors.
The authors thank James Mann for his invaluable input on this article.