FTC to Enact Amendment to Safeguards Rule Regarding Non-Bank Financial Institution Data Breaches

The Federal Trade Commission (FTC) made a significant announcement on October 27, 2023 regarding changes to the Safeguards Rule of the Gramm-Leach-Bliley Act (GLBA). These changes now require non-bank financial institutions to report specific data breaches and security incidents to the agency.

‍

The Safeguards Rule was designed to ensure that non-bank financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, establish and maintain robust security programs to protect customer information. In 2021, the FTC initiated a process to amend the Safeguards Rule, soliciting public comments on a proposed supplemental amendment requiring non-bank financial institutions to report data breaches and security events to the FTC. The recent announcement represents the final version of this proposal (the “Amendment”).

Under the Amendment, non-bank financial institutions are now required to notify the FTC as soon as possible (and in any event not later than thirty days) following the discovery of a "notification event" that involves the personal information of at least 500 individuals. A "notification event" is defined as the unauthorized acquisition of unencrypted customer information. The term "customer information" encompasses any record containing nonpublic personal information about a customer of a non-bank financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the non-bank financial institution or its affiliates. The presumption is that unauthorized acquisition of information shall have occurred whenever unauthorized access to unencrypted customer information takes place, unless sufficient evidence proves otherwise.

‍

‍

The notification to the FTC mandated by this Amendment must include:

1) the name and contact information of the reporting non-bank financial institution;

2) a description of the types of information involved in the notification event;

3) if possible, the date or date range of the notification event;

4) the number of consumers affected; and

5) a general description of the notification event.

The Amendment will take effect 180 days after being published in the Federal Register.

One point that could have significant practical impact is that the sharing of any unencrypted data absent consumer authorization could, under the Amendment, constitute a “notification event” giving rise to a breach requiring notification to the FTC. Non-bank financial institutions may now need to secure consumer consent before sharing this information with third parties and partners, which could have a notable influence on consent prerequisites for financial entities regarding data sharing.