Skip to content

Frustration-Free Risk Management

Simplify cybersecurity risk management and tackle your cybersecurity challenges with ease. TRAC automates the tedious risk assessment process and produces customized results that align with regulations, best practices, and your strategic goals.

Joe DavisJune 04, 20247 min read

Understanding the FTC's Recent Data Breach Notification Rules

Understanding the FTC's Recent Data Breach Notification Rules

The Federal Trade Commission (FTC) has taken a significant step towards safeguarding consumer personal information with the October 2023 landmark decision to enhance data security requirements for non-banking financial institutions (NBFIs). By amending the Safeguards Rule within the Gramm-Leach-Bliley Act (GLBA), certain businesses, such as pawn shops, check cashers, or insurance companies, may now be classified as NBFIs. This classification requires these businesses to report any data breaches affecting 500 or more consumers directly to the FTC as soon as possible but no later than 30 days after discovery. While the FTC's decision is a positive step forward for the protection of consumer information, business owners now face the challenge of establishing and maintaining adequate safeguards.



Who is Covered by the Amendment?

The Safeguards Rule ensures that providers of financial services absent a banking license maintain similar banking safeguards to protect the security and confidentiality of customer information. The Rule applies to a broad spectrum of financial service providers that are not subject to regulation by other federal entities. This includes accountants or tax preparation services, retailers extending credit through credit cards, automobile dealerships offering leasing options, personal property or real estate appraisers, and more. The Rule also covers entities like investment advisory companies and credit counseling services, reflecting the FTC’s broadened oversight.

Does the Amendment cover your business? The answer may surprise you. In November 2022, SBS published an article that shed light on the extensive scope of entities governed by the FTC, emphasizing the importance of robust data protection measures across varied non-banking sectors. With the FTC's latest amendment, the spotlight on these entities intensifies, underscoring a commitment to safeguarding consumer data amidst an escalating digital threat landscape. 

Under the Gramm-Leach-Bliley Act (GLBA), various businesses engaged in financial activities, not traditional banks or credit unions, are classified as non-bank financial institutions. These entities are subject to specific regulatory requirements, including privacy and data security obligations. Here's a list of such businesses that might fall under this category: 

  • Mortgage brokers and lenders
  • Payday lenders
  • Check cashing businesses
  • Non-bank lenders (e.g., peer-to-peer lending platforms)
  • Personal property or real estate appraisers
  • Professional tax preparers
  • Financial or credit advisors
  • Debt collection agencies
  • Credit reporting agencies
  • Student loan companies
  • Payment processing companies
  • Financial technology (FinTech) companies offering financial services
  • Investment advisors and brokers
  • Insurance companies
  • Retailers that issue branded credit cards
  •  Auto dealerships that offer financing or leasing options
  • Money transfer services

This list is not exhaustive
, and specific classification can depend on the nature of the business and its activities as defined by the GLBA and interpreted by the FTC and other relevant regulatory bodies. Businesses unsure of their status should consult with legal counsel to determine their obligations under the GLBA.


What Information is Covered?

The Federal Trade Commission's recent amendment to the Safeguards Rule marks a significant evolution in the data security landscape for non-banking financial institutions. At the heart of this amendment is the expanded definition of "customer information," now encompassing a broader spectrum of data than ever before. Under this enhanced framework, any records containing nonpublic personal information about a customer are subject to mandatory reporting in the event of a data breach. This broadened scope ensures that a wide array of information is protected, from the most sensitive to the seemingly mundane.

Sensitive data, which includes social security numbers, financial account numbers, and other personal financial details, has always been a primary concern for data protection laws. Including such information under the Safeguards Rule's amendment is unsurprising, yet critically important, as these pieces of information can lead to significant financial harm if compromised. The Rule's protective umbrella does not stop here; it also covers routine data such as contact information, which, while it might appear less sensitive on the surface, can still be exploited in phishing scams or other fraudulent activities if accessed by unauthorized parties.

This extended definition of "customer information" under the FTC's amendment surpasses the narrower scope of many state breach notification laws. Typically, state laws mandate notification for breaches involving specific categories of personal data — for example, social security numbers, driver's license numbers, or health information. The FTC’s proactive approach reflects an understanding of the evolving nature of personal data and its potential for exploitation in various forms. The amendment aims to offer a more robust protection framework for consumers' data by requiring reports on breaches involving nonpublic personal information. 

Moreover, the extension of "customer information" to include all records of nonpublic personal information represents a significant shift towards a more inclusive understanding of what constitutes personal data in today’s digital age. It recognizes that even information not traditionally viewed as sensitive can have privacy implications and that the security of all types of customer data is paramount. This holistic approach to data protection underlines the FTC's commitment to safeguarding consumer privacy and financial integrity in a rapidly changing technological landscape. 


Notification Requirements and Public Disclosure

A pivotal aspect of the Federal Trade Commission's recent amendment to the Safeguards Rule is establishing a rigorous new requirement for financial institutions to report specific types of security incidents, termed "notification events," directly to the FTC. This mandate focuses on incidents involving the unauthorized acquisition of unencrypted customer information. By setting a threshold for reporting based on the nature of the information compromised rather than the method of compromise or the perceived severity of the incident, the FTC aims to create a more uniform and actionable framework for data breach response and notification. 

The concept of a "notification event" under this amendment is notably broad, capturing any instance where unencrypted customer information may have been accessed without authorization. This approach is grounded in a "rebuttable presumption" principle. Essentially, if an institution's unencrypted data is accessed without authorization, it is presumed that this access led to data acquisition, placing the onus on the financial institution to prove otherwise if it believes the data was not compromised. This presumption is significant as it lowers the threshold for what triggers a mandatory report, emphasizing the FTC's prioritization of caution and consumer protection in data security matters.

Furthermore, the amendment acknowledges the role of encryption as a critical safeguard in protecting customer information. It offers a "safe harbor" provision for data breaches involving encrypted data, exempting financial institutions from the reporting requirement if they can demonstrate that the encryption key was not compromised along with the data. This aspect of the rule underscores the FTC's recognition of encryption as a fundamental security practice while incentivizing its adoption among financial institutions.

Another groundbreaking feature of the amendment is the FTC's decision to make these notification event reports publicly accessible through a dedicated database. This move towards greater transparency is designed to serve multiple purposes. Firstly, it lets consumers be more informed about the security practices and breach history of financial institutions, potentially influencing consumer choice and trust. Secondly, by publicizing this information, the FTC aims to incentivize financial institutions to strengthen their data security measures. The prospect of public disclosure of security lapses creates a reputational risk that institutions will likely mitigate by adopting more robust data protection protocols.

This strategy of enhancing transparency aligns with broader cybersecurity and data protection regulation trends, where public accountability is increasingly seen as a tool for improving corporate behavior. By providing a mechanism for public scrutiny of financial institutions' handling of data breaches, the FTC leverages societal and market pressures to encourage better security practices industry-wide.


Implications for Non-Bank Financial Institutions

The FTC's amendment signals a significant shift towards greater accountability and transparency in handling customer information by non-bank financial institutions. This change necessitates thoroughly reassessing current data security protocols and incident response strategies to comply with the new reporting timelines. The public nature of breach notifications underscores the FTC's commitment to consumer protection, encouraging institutions to bolster their data security measures. 

The FTC's amendment to the Safeguards Rule represents a critical step in safeguarding consumer financial data. As the amendment took effect in May 2024, non-bank financial institutions must gear up to meet these new reporting requirements, which are pivotal in maintaining consumer trust and ensuring the financial sector's resilience in the digital era. This synthesis, informed predominantly by the first article and supplemented with essential updates from the second, provides a comprehensive overview of the FTC's updated regulatory landscape. 




Joe Davis

Joe Davis is an Information Security Consultant at SBS CyberSecurity. He specializes in information security management and bridging the gap between information technology and information security.