FTC requires non-banking financial institutions to report data security incidents affecting more than 500 individuals. Learn more about this GLBA Safeguards Rule update.
Under the GLBA Safeguards Rule updates announced on October 27, 2023, the Federal Trade Commission (FTC) requires non-banking financial institutions to notify the FTC of any unauthorized access to unencrypted, personally identifiable, nonpublic financial data affecting more than 500 customers.
Notification must be submitted via an online reporting form on FTC.gov and include:
The updated notification requirement covers a wider range of reportable incidents than existing state or federal regulations. Let’s look at the main updates to the GLBA Safeguards Rule.
The new notification obligation applies to financial institutions that are subject to the GLBA Safeguards Rule. The list of covered entities is broad and includes mortgage brokers, fintech companies, nonbank lenders, credit reporting agencies, accountants and tax preparation services, real estate appraisers, auto dealers that engage in certain leasing activities, credit counselors, and even higher education institutions.
Read more about who must comply with GLBA in our article All You Need to Know about GLBA Compliance in Higher Education.
The requirement to notify pertains to “customer information,” referring to nonpublic, personally identifiable financial details held about a “customer.”
A customer is defined as a consumer with an ongoing relationship where the institution offers financial products or services for personal, family, or household purposes.
Nonpublic, personally identifiable financial information (NPI) includes any information that a consumer provides to a financial institution to obtain a financial product or service, or that the financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer (see id. § 314.2(c)-(e), (l), (n)).
The scope of information subject to the notification requirement is notably wider than that specified in state breach notification laws, like CCPA. It encompasses all personally identifiable nonpublic information about customers, going beyond the specific types outlined in state laws. This could involve various details such as contact information, customer-associated cookies and browsing information, and even the simple fact that an individual has availed themselves of a product or service from the institution.
A notice is required for a “notification event” affecting the customer information of at least 500 consumers.
A notification event is any “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” In the event of unauthorized access to customer information, the onus is on the affected company to demonstrate that unencrypted customer information was not or could not reasonably have been acquired. Otherwise, the incident is presumed to involve unencrypted customer information.
Notably, the definition of “notification event” covers not only data breaches and security incidents as traditionally understood, but also voluntary and/or intentional sharing of customer information by a financial institution if done without the customer’s authorization (similar to the Health Breach Notification Rule, or HBNR).
At the same time, there is no harm threshold in the updated rule, so all incidents, even those with no risk of harm, must be disclosed.
Notification events must be reported to the FTC as soon as possible and no later than 30 days after they are discovered. Discovery takes place on the initial day when the affected company or any of its employees, officers, or agents becomes aware of the notification event.
Note that organizations are not obligated to notify affected consumers individually. However, the FTC will make reports of notification events publicly accessible in a database (except where public notice would hinder a criminal investigation or jeopardize national security). As a result, the public could learn of an incident from the FTC-published report.
The GLBA Safeguards Rule becomes effective 180 days after the publication. Together with the new data security obligations under the Safeguards Rule that the FTC announced in December 2021, these new notification obligations mark a substantial expansion of the requirements applicable to financial institutions (and other in-scope entities) falling under the purview of the FTC’s Safeguards Rule.
Knowing your data breach reporting obligation under the GLBA Safeguards Rule is good, but preventing reportable events from happening is much better. It is therefore very important to maintain overall compliance with the GLBA Safeguards Rule and follow security best practices to protect the sensitive information of your customers.
Planet 9 employs seasoned professionals with years of experience working in the financial industry who can help with addressing all GLBA requirements and thereby prevent GLBA violations and data incidents from happening. A typical approach consists of the following process:
Depending on your internal resources’ expertise and availability, Planet 9 can implement the entire road map, position you to execute the road map independently, or supplement your team.
Feel free to contact the Planet 9 team for help with GLBA compliance for your business. We’ll be happy to assist!