Financial institutions are now required to notify the Federal Trade Commission about any security breach that involves the information of 500 customers or more. The breach must be reported no later than 30 days after it is discovered.
The new requirement is a result of an FTC amendment to the Safeguards Rule of the Gramm-Leach-Bliley Act. The amendment was announced in October 2023 and took effect on May 13 of this year. The purpose of the waiting period was to allow institutions to prepare for the changes.
The amendment defines a notification event as the “acquisition of unencrypted customer information without the authorization of the individual to which [sic] the information pertains.” The amendment also states that unauthorized acquisition is presumed to include unauthorized access to unencrypted customer information unless there is “reliable evidence showing that there has not been, and could not reasonably have been, unauthorized acquisition of such information.”
A notification event is deemed to have been “discovered” on the first day that the event becomes known to the affected institution. Following discovery, the FTC requires that it be notified as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers.
The amendment itself does not include any requirement to notify the affected persons of the incident, but state laws could apply that would require notification of individuals.
The purported goal of the amendment is to establish a uniform reporting requirement for all regulated financial institutions subject to Gramm-Leach-Bliley. The FTC argues that the amendment imposes a minimal burden on financial institutions because they will already be preparing state and consumer notifications. Because, in the view of the FTC, the burden of reporting is minimal, the amendment has no exemptions or alternatives for small entities. The FTC acknowledged that not every notification received by the FTC will result in an investigation and/or enforcement action.
Notifications can be provided via a form on the FTC's website. The form specifies what information must be included in the report, and the report is then made public on the site. However, a reporting institution can request that public disclosure of the report be delayed for law enforcement purposes.
The Constangy Cybersecurity & Data Privacy Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com. The Team also assists with information security and incident response policies and procedures and supports with incident response, including breaches. We are here to help! The Constangy Cyber Team is available 24/7. Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.
Suzie Allen, Attorney: Suzie is a member of the Constangy Cyber Team and is located in New York. She works with clients in responding to data security incidents and other privacy matters. Before coming to a law firm, Suzie worked for Leidos as a contractor for ...

Matt Toldero, Partner: Matt Toldero is a partner and member of the Constangy Cyber Team and is affiliated with our Winston-Salem, North Carolina office. He brings over ten years of combined incident response and risk management experience to his role on our ...