New FTC Rule Requires Vast New Range of Businesses to Report Data Breaches

By Michael Findlay, ERMProtect

This is one in a series of articles by ERMProtect tracking key changes in cyber regulations, standards, and laws that could impact our clients and prospective clients.


Starting on May 13, 2024, a broad new set of businesses, ranging from car dealerships to mortgage lenders, will need to report certain data breaches to the Federal Trade Commission.

The new rule is aimed at shedding light on the nature and scope of data breaches that occur in the non-banking financial sector, and ultimately, leading to better protection of consumer data.

The rule applies to non-bank financial institutions such as payday lenders, certain retailers, financing companies, and more. These entities must report breaches of unencrypted data affecting more than 500 customers within 30 days of discovery.

The imminent change means businesses must immediately begin to train employees, agents, and officers for compliance with the rule. Affected businesses will need to update their incident response plans, policies, and procedures to incorporate the new requirement.

Covered financial institutions have under three months to make the necessary changes to their internal policies and procedures.

What Institutions Are Impacted?

The institutions impacted include but are not limited to the following.[1]

  • Mortgage lenders and brokers, accountants, and tax preparers.
  • Payday lenders and entities acting as finders.
  • Finance companies, collection agencies, and credit counselors.
  • Account services, check cashiers, wire transferers.
  • Certain travel agencies operated in connection with financial services.
  • Tax preparation firms, and other financial advisors.
  • Non-federally insured credit unions.
  • Investment advisors that are not required to register with the Securities and Exchange Commission.
  • Retailers that extend credit by issuing their own credit card directly to consumers.
  • Automobile dealerships that, in the ordinary course of business, lease cars on a nonoperating basis for longer than 90 days.
  • Personal property or real estate appraisers or settlement services.
  • Career counselors that specialize in providing career counseling services to individuals currently employed by, recently displaced from, or seeking employment with a financial organization.
  • Investment advisory companies and credit counseling services.

Businesses may also be deemed financial institutions by engaging in certain activities that are considered financial services. Under the new rule, businesses that engage in any of the following activities are required to report notification events.[2]

  • Print and sell checks to consumers.
  • Regularly wire money to and from consumers.
  • Cash checks for consumers.
  • Operate a travel agency in connection with financial services.
  • Provide mortgage broker services, investment advisory services, or credit counseling services.
  • Act as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.

The new rule carves out certain businesses that are otherwise federally regulated. For example, entities already regulated by HIPAA would follow its data breach and privacy rules and regulations.

When Must Entities Report?

The rule states that the FTC must be notified of a breach no later than 30 days after a notification event. The 30-day deadline is believed to properly balance the need for prompt notification with the need to allow financial institutions to investigate a security event, determine whether the information was acquired without authorization, identify how many consumers were affected, and learn enough about that event to make the notification to the Commission meaningful.[3]

Consistent with other federal cybersecurity regulations, there are special circumstances involving law enforcement officers that may extend the reporting deadline. At the Commission’s discretion, if the appropriate procedure is followed, an extension of up to 60 days may be granted.

What Triggers a Notification Event?

A notification event is defined as “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.”[4]

Encrypted data is “transformed into a form that results in a low probability of assigning meaning to the data without the use of a cryptographic key.” Conversely, data that “can easily be read by a malicious attacker in the event of a breach” is unencrypted data. For example, if “sensitive data such as Social Security Numbers, financial information, or personal identifiers” can be read by malicious actors, it is considered unencrypted.[5]

Notification is not conditioned on an assessment of the likelihood of misuse. Mere access to unencrypted data creates the presumption that such data has been acquired. Therefore, notice to the Commission is required unless the breached entity “has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”[6]

Even encrypted data could trigger the notification requirement if the hacker could have accessed the encryption key.

Discovery of Notification Event

The 30-day reporting requirement begins as soon as a financial institution “discovers” a breach covered by the rule. A financial institution is deemed to have discovered a notification event as soon as one employee, officer, or agent knows about the event.[7]

Notably, the Commission utilized the operative term “discover” instead of “determine” to establish when the notice requirement is triggered. It rejected industry requests to utilize the higher knowledge standard that would be applied under the word determine.[8]

In so doing, the FTC expects companies to decide quickly whether a notification event has occurred.[9] This determination depends on whether unencrypted customer information has been accessed and, if so, how many consumers are affected. Under this view, there is not a significant difference between discovery and determination of a notification event.

The clock starts as soon as the lowest level employee becomes aware – not the CISO. A single employee’s knowledge is imputed to the entire enterprise.

For example, if a cashier at a small car dealership learns of a breach related to its financing services, the entire dealership is deemed to be aware, and the reporting clock starts ticking. That is because financing a customer’s purchase is a financial service sufficient to establish a customer relationship. Thus, it brings the dealership within the scope of the new rule’s definition of financial institution.
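The trigger and discovery sections above read as a decision procedure, so here is a small triage helper written for this article (it is not the FTC’s form or rule text) that encodes them: encrypted data counts as unencrypted when the key may have been reached, access is presumed to be acquisition unless rebutted by reliable evidence, the threshold is more than 500 customers, and the clock starts at the earliest individual’s awareness. The field names, the incident record, and the treatment of a law-enforcement extension as days added to the 30-day window are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

REPORTING_WINDOW = timedelta(days=30)   # notify the FTC no later than 30 days after discovery
MAX_LE_EXTENSION_DAYS = 60              # extension of up to 60 days, at the Commission's discretion
CUSTOMER_THRESHOLD = 500                # reportable when more than 500 customers are affected


@dataclass
class Incident:
    """Hypothetical incident record constructed for this example (not an FTC form)."""
    customers_affected: int
    data_encrypted: bool
    key_may_be_compromised: bool           # attacker could have accessed the cryptographic key
    reliable_evidence_no_acquisition: bool  # evidence rebutting the presumption of acquisition
    awareness_dates: List[date]            # when each employee, officer, or agent learned of it
    le_extension_days: int = 0             # extension granted by the Commission (0 if none)


def effectively_unencrypted(inc: Incident) -> bool:
    # Encrypted data is treated as unencrypted if the key itself could have been reached.
    return (not inc.data_encrypted) or inc.key_may_be_compromised


def discovery_date(inc: Incident) -> date:
    # Discovery is imputed to the enterprise from the earliest individual's knowledge.
    return min(inc.awareness_dates)


def must_notify(inc: Incident) -> bool:
    if not effectively_unencrypted(inc):
        return False
    if inc.customers_affected <= CUSTOMER_THRESHOLD:
        return False
    # Mere access presumes acquisition; only reliable contrary evidence removes the duty.
    return not inc.reliable_evidence_no_acquisition


def notification_deadline(inc: Incident) -> Optional[date]:
    """Last day to file with the FTC, or None when no notification event occurred."""
    if not must_notify(inc):
        return None
    granted = min(max(inc.le_extension_days, 0), MAX_LE_EXTENSION_DAYS)  # cap at 60
    return discovery_date(inc) + REPORTING_WINDOW + timedelta(days=granted)
```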

Penalties for Non-Compliance

A failure to comply with the new rule will expose non-bank financial institutions to enforcement action by the Federal Trade Commission. The exact liability is unclear; however, it is safe to say the FTC has the power, resources, and authority to impose civil penalties for knowing violations of the new rule.

For example, the Commission has enforcement authority under Section 5 of the FTC Act to impose civil penalties for unfair or deceptive practices.[10] Under Section 5, these penalties may be up to $10,000 per violation.[11] Previous violations of the Safeguards Rule have subjected entities to monetary penalties of more than $500 million.[12] Actual penalties will depend on the facts and circumstances of each violation.

Contents of Notice

This notice must be made electronically on a form on the FTC’s website with the below elements. Each element is necessary, in the Commission’s view, to reach an appropriate level of disclosure. The Commission reserves the right to request more information, if needed, to better evaluate the impact of a particular event.

The notice provided to the FTC must include the following.

  1. Name and contact information of the reporting financial institution.
  2. A description of the types of information that were involved in the notification event.
  3. If the information is possible to determine, the date or date range of the notification event.
  4. A general description of the notification event.
  5. A description of the status and role of local law enforcement with respect to the breach and law enforcement’s permission to request an extension to the deadline for notice to the FTC.[13]

Publication of Notices

The Commission disagreed with industry comments that making notices public would pose an additional risk to financial institutions’ data security. This conclusion rests on two pillars.[14]

First, the information required by the notice is already made public by many state breach notification laws. Additionally, the general scope of information required is unlikely to provide potential attackers any advantage in compromising the financial institution’s security.

Because the Commission believes that not every breach stems from a failure in safeguards, it rejected the industry view that publication would unduly shame breached financial institutions. Therefore, it rejected an approach based on a confidential reporting system.

Accordingly, the Commission believes the interest in providing the public with information regarding breaches to financial institutions outweighs industry protests.

Background

The new rule extends to non-bank financial institutions the requirements of the Safeguards Rule, which applies to all financial institutions under the FTC’s jurisdiction pursuant to the Gramm-Leach-Bliley Act (“GLBA”), enacted in 1999.[15] Under GLBA, each “financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”[16]

The FTC’s Safeguards Rule was enacted to provide appropriate standards for the administrative, technical, and physical safeguards of financial institutions:

(1)   To ensure the security and confidentiality of customer records and information.

(2)   To protect against any anticipated threats or hazards to the security or integrity of such records.

(3)   To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.[17]

FTC’s Justification for New Rule

The Commission believes the new rule, as adopted, will have the following effects. First, it will ensure that the Commission is aware of notification events that might suggest a non-banking financial institution’s security program does not comply with the Rule’s requirements, thus warranting enforcement. Second, the Commission does not believe the reporting requirement will create a significant financial burden for those required to comply. Third, smaller entities will not be adversely harmed by the new rule. Fourth, the industry-wide cost burden is expected to be feasible.

ERMProtect Can Help!

For 26 years, ERMProtect has provided more than 400 organizations in 39+ industry verticals with cybersecurity services and independent assessments of their cybersecurity compliance. With regard to the new rule, we can provide internal awareness training, establish breach response protocols, and ensure the technical requirements of the Safeguards Rule are met. We perform gap assessments and audits related to all the major frameworks, regulations, and laws related to privacy and security. For more information, contact Silka Gonzalez at sgonzalez@ermprotect.com or Judy Miller at jmiller@ermprotect.com.


References:

[1] 16 CFR § 314.1(b).

[2] 16 CFR § 314.2(h)(2).

[3] See 16 CFR § 314.2(j)(1)(vi).

[4] See 16 CFR § 314.2(m).

[5] 16 CFR § 314.2(f).

[6] See supra note 2.

[7] 16 CFR § 314.4(j)(2).

[8] 88 FR 77502 (Nov. 13, 2023).

[9] Id.

[10] 15 U.S.C. § 45.

[11] 15 U.S.C. § 45(l).

[12] See FTC v. Equifax, Inc., (N.D. Ga. 2019).

[13] 16 CFR § 314.4(j)(1).

[14] See supra note 8.

[15] Public Law 106–102, 113 Stat. 1338 (1999).

[16] 15 U.S.C. § 6801(a).

[17] 15 U.S.C. § 6801(b).

Mr. Findlay is a third-year law student at Stetson University College of Law. He has experience working within a federal agency’s enforcement division, a pre-seed technology start-up, and a major blockchain technology trade association in the United States.


DISCLAIMER: This article was not prepared by a licensed attorney. This article is not intended to and does not constitute legal advice. Please seek independent legal counsel if you are trying to comply with these regulations.
