On October 27, 2023, the Federal Trade Commission (FTC) unanimously approved an amendment to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule to require certain covered financial institutions to report a broad range of data breaches and other unauthorized data disclosures to the FTC. With a broader scope than existing obligations, quick timelines, and potentially public notices, the new rule ushers in a significant change for covered financial institutions’ notification obligations.
Under the new rule, certain non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, must now notify the FTC of any “notification event” involving the information of 500 or more consumers. A “notification event” is broadly defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” Two features of the definition widen its reach. First, unauthorized access to unencrypted customer information is presumed to constitute unauthorized acquisition unless the institution has reliable evidence that acquisition did not occur or could not reasonably have occurred. Second, customer information is treated as unencrypted if the encryption key was accessed by an unauthorized person, so encryption at rest alone does not take an incident outside the rule.
Under the GLBA, “customer information” includes any nonpublic personal information about a customer (i.e., an individual with whom the covered financial institution has a continuing relationship). That category is considerably broader than the specific data elements (such as a Social Security number, a driver’s license number, medical information or account login credentials) that typically trigger notification under existing state data breach notification laws, so an incident that would not be reportable under state law may still be reportable to the FTC. And, unlike many state data breach laws, the new Safeguards Rule requires notification even if the event poses no risk of harm to customers.
Covered financial institutions are still required to notify the FTC, assuming the above thresholds are met, even if they have provided separate notice to other federal or state regulators. For example, certain state financial services licensing regimes, such as those applicable to money transmission or lending activity, include their own data breach notification requirements. Any such requirements continue to apply to state-licensed financial services companies, as applicable, and notice to the FTC does not satisfy them.
In the wake of a notification event, notification must be made to the FTC as soon as possible and no later than 30 days after discovery of the event. An event is deemed discovered, meaning the notification clock starts running, on the first day it is known to any employee, officer or other agent of the institution (other than the person committing the breach). Notification is submitted electronically through a form on the FTC’s website and must include:
- The name and contact information of the reporting financial institution.
- A description of the types of information involved.
- The date or date range of the event (if possible).
- The number of affected or potentially affected customers.
- A general description of the event.
- Whether a law enforcement official has provided a written determination that public notification would impede a criminal investigation or cause damage to national security.
Unless delayed at the request of law enforcement, notifications will be made publicly available in an FTC database. A law enforcement official may request an initial delay of up to 30 days, extendable by a further 30 days on a written request; any additional delay requires a determination by FTC staff that disclosure would continue to impede the investigation or damage national security.
The new rule takes effect on May 13, 2024. In the meantime, covered financial institutions should review and update their incident response policies and procedures to ensure compliance with the new rule’s requirements, including the 30-day clock, the 500-consumer threshold and the required contents of the notice, and train relevant personnel on these new obligations. Financial institutions also should closely review disclosures of customer information, including sharing with service providers, to confirm they have the necessary authorizations for any such disclosures, since an unauthorized disclosure can itself trigger a notification event.