On Oct. 27, the Federal Trade Commission issued a final rule to amend its Standards for Safeguarding Customer Information, the Safeguards Rule.
This amendment will require non-depository financial institutions, such as motor vehicle dealers and sales finance companies, to report certain data breaches and other security events to the FTC. The data breach reporting amendment will become effective on May 13, 2024.
The Safeguards Rule took effect in 2003 to implement the information security requirements in the Gramm-Leach-Bliley Act. The rule generally requires that non-depository financial institutions under the FTC’s jurisdiction develop, implement and maintain a security program to protect customer information.
The Safeguards Rule defines “customer information” to mean “any record containing nonpublic information about a customer of a financial institution, whether in paper, electronic or other form, that is handled by or on behalf of [the financial institution] or [the financial institution’s] affiliates.”
The rule requires financial institutions to develop written information security programs detailing how they will protect customer information, including how they will protect against anticipated threats and unauthorized access to the information. The information security programs must be appropriate to the complexity, size, nature and scope of the businesses and their activities, and consider the sensitivity of the information.
Amendment to Safeguards Rule
The amendment to the Safeguards Rule requires financial institutions to report to the FTC any notification event wherein unencrypted customer information involving 500 or more consumers is acquired without authorization.
A “notification event” is defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” Unauthorized acquisition is presumed after unauthorized access “unless [the institution has] reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”
The financial institution must notify the FTC “as soon as possible, but no later than 30 days after discovery of the event.” The institution’s discovery will be measured from the first day the notification event is known by any “employee, officer or other agent of the financial institution” other than the person who actually committed the breach.
According to the amendment, non-depository financial institutions must make the data breach notification electronically on a form to be located on the FTC’s website, and include the following information:
- The name and contact information of the reporting financial institution;
- A description of the types of information involved in the data breach;
- The date or date range of the data breach, if it is possible to determine;
- The number of consumers affected or potentially affected;
- A general description of the data breach;
- Whether any law enforcement official has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security; and
- A means for the FTC to contact the law enforcement official.
The Safeguards Rule was last amended in 2021 to add data security requirements and protocols, such as requiring financial institutions to use encryption to secure customer information. But the 2021 Safeguards Rule amendment did not include a data breach reporting requirement.
Dealers and sales finance companies can limit the impact of the latest amendment and avoid the duty to notify the FTC by encrypting customer information as contemplated by the 2021 amendments. Note that the rule treats customer information as “unencrypted” if the encryption key was also accessed by an unauthorized person, so protecting the keys is as important as encrypting the data itself. An effective program for encrypting customer information can also help dealers and finance companies avoid triggering notification duties under state laws, which might otherwise require them to provide a separate breach notification to consumers, state agencies and consumer reporting agencies.
Dealers and sales finance companies should ensure they can promptly identify and report such security breaches to the FTC and focus on the encryption of customer information.
Dealers and sales finance companies should also be aware that each state has its own data breach laws and reporting requirements that apply when a data breach occurs.
Rachael Aspery is an Associate, Paul Lysoby is an Associate, and David Thompson is a Member at law firm McGlinchey.