FTC Finalizes New Notification Requirement for GLBA Safeguards Rule
November 15, 2023, Covington Alert
On October 27, 2023, the Federal Trade Commission (“FTC” or “Commission”) announced that it had finalized an amendment to the FTC’s Standards for Safeguarding Consumer Information (“Safeguards Rule”), a regulation requiring financial institutions subject to FTC jurisdiction under the Gramm-Leach-Bliley Act (“GLBA”) to implement measures to keep customers’ nonpublic personal information secure.[1] The amendment will create an obligation for these institutions to report certain data breaches and other security events to the Commission within thirty days of discovery if 500 or more consumers’ information is involved. The FTC will create an online form to submit these notifications, which will be published in a publicly available database.
The FTC originally proposed amending the Safeguards Rule to add a breach notification requirement in late 2021. The finalized amendment was published in the Federal Register on November 13, 2023 and will take effect on May 13, 2024.
The FTC’s final rule differs from the proposal in several respects:
- Lowering of the Notification Threshold. The final amendment requires notification to the FTC thirty days after discovering the triggering event if the information of at least 500 consumers is involved. By contrast, the original proposal required notification if “at least 1,000 consumers have been affected or reasonably may be affected[.]”
- Expanded Definition of Notifiable Events. The final amendment requires notification for a “notification event,” which is defined as the “acquisition of unencrypted customer information[2] without the authorization of the individual to which the information pertains.” (emphasis added). Unauthorized acquisition is broadly defined to include unauthorized access, unless there is “reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information” (the “rebuttable presumption”). This approach differs from the proposed amendment from 2021, which used the pre-existing definition of “security event” in the Safeguards Rule and would have required notification to the FTC only if “misuse of customer information has occurred or is reasonably likely” to occur.
  - Most notably, this definition states that an acquisition of information is unauthorized if the individual associated with the information—not the business maintaining the information—does not authorize it to be disclosed. The FTC does not elaborate on whether disclosures authorized by the relevant financial institution could nonetheless be treated as a notification event if not “authorized” by the individual to which the information pertains. That approach could be at odds with the GLBA’s opt-out framework, although it would mirror the FTC’s recent interpretation of the scope of notification obligations under the Health Breach Notification Rule (“HBNR”).[3] That interpretation of the HBNR has not yet been tested in court.
  - Because the FTC characterized its changes to the final rule and notification criteria as “minor” and did not seek further notice and comment on them, the change arguably should be read narrowly.[4]
- Additional Required Content of the Notification. The FTC’s final version of the amendment added a requirement that a notification state “whether any law enforcement official has provided [the business] with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security,” and provide contact information for law enforcement. The disclosure content requirements were also updated to include the number of impacted consumers. Other content requirements are consistent between the proposed and final amendments, namely:
  - The financial institution’s name and contact information;
  - A description of the event and information involved; and
  - A date range of the notification event.
These revisions to the Safeguards Rule could substantially increase enforcement risk for businesses that experience a security incident requiring notification to the FTC. Because the FTC previously updated the Safeguards Rule in late 2021 to include more specific information security requirements, these newly required notifications could enable the FTC to more easily identify potential violations of the Safeguards Rule for further investigation. Entities that are subject to the FTC’s Safeguards Rule should not only prepare for compliance with the new notification requirement, but also review the information security requirements included in the Safeguards Rule to ensure that their practices comply with those requirements before an incident occurs. For additional information on the 2021 updates, please see our prior alert here.
For further information on the FTC’s changes to the Safeguards Rule, please contact the members of Covington’s Data Privacy and Cybersecurity Practice Group.
[2] Under the Safeguards Rule, “[c]ustomer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.” 16 C.F.R. § 314.2(d). Nonpublic personal information is defined to include, inter alia, “[p]ersonally identifiable financial information[,]” which includes any information that “[a] consumer provides to you to obtain a financial product or service from you; . . . [a]bout a consumer resulting from any transaction involving a financial product or service between you and a consumer; or . . . [that y]ou otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.” 16 C.F.R. § 314.2(l), (n)(1).
[3] See 16 C.F.R. § 318.2(a).
[4] See Supplementary Information, Section II (“. . . the Commission now finalizes the proposed amendments with minor changes”), Section IV (“The Commission adopts proposed § 314.4(j) as originally proposed, with minor changes.”).