PH Privacy

Revised FTC Safeguards Rule Brings Breach Reporting Obligations to Non-Banking Financial Institutions in May 2024

March 12, 2024

By John Gasparini & Aaron Charfoos

Federal jurisdiction under the Gramm-Leach-Bliley Act (“GLBA”) is a patchwork, particularly for banks – the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency all exercise authority over various banking institutions. But for nonbank financial institutions, the key regulator has been the Federal Trade Commission (“FTC”). Through the Safeguards Rule, the FTC imposed requirements to implement and maintain an information security program with key administrative, technical, and physical safeguards to protect consumer data. Crucially, however, the Safeguards Rule did not contain its own data breach reporting rules. That changes in May 2024, and GLBA-covered fintechs and other nonbank financial institutions need to prepare.

While breach notices have been required by bank regulators under the GLBA, this is a new challenge for nonbank financial institutions. Companies subject to the revised Safeguards Rule include:

  • wire transferors;
  • retailers who issue their own credit cards to consumers;
  • mortgage brokers and lenders;
  • payday lenders;
  • check cashers;
  • travel agencies operated in connection with financial services;
  • non-federally insured credit unions;
  • investment advisors not required to register with the SEC;
  • collections agencies;
  • automobile dealerships that lease vehicles for more than 90 days; and
  • other businesses governed by the Safeguards Rule.

Incident Reporting to the FTC

In revisions finalized in October 2023, the FTC added a requirement that nonbank financial institutions report incidents to the agency when they impact the unencrypted data of 500 or more consumers. The FTC expects those reports to contain:

  • “the name and contact information of the reporting financial institution;
  • a description of the types of information that were involved in the notification event;
  • if the information is possible to determine, the date or date range of the notification event;
  • the number of consumers affected or potentially affected by the notification event;
  • a general description of the notification event; and
  • whether any law enforcement official has provided you with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.”

Importantly, the amended Safeguards Rule does not require notification to impacted individuals.

The last element supports a mechanism allowing law enforcement officers to request a delay of up to 30 days (with up to 60 days’ further extension available) if FTC staff “determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.” Breaches must be reported to the FTC as soon as possible (but no later than 30 days after discovery) and are deemed discovered when any employee, officer, or other agent of the financial institution is aware of the breach. The new rules do not require new reporting to individuals.

Taken as a whole, the rule’s changes are broad. The covered customer information encompasses any nonpublic personal information handled or maintained by the financial institution or its affiliates. The FTC will also presume that unauthorized access results in acquisition unless the institution has reliable evidence to the contrary. Further, unlike many state incident reporting laws, there is no “risk of harm” analysis that allows companies to refrain from reporting incidents with little or no impact or risk.

Finally, and perhaps most significantly, the FTC plans to publish a public database of reported notification events, with the goal of providing consumers with more information and encouraging companies to devote greater resources to protecting customer data. As has been seen with states and other regulators that publish lists of incident reports, this database can be expected to serve as a source of information for plaintiffs’ attorneys and may in turn lead to an increase in data-breach-related litigation against companies that experience incidents.

Impacts and Preparations

While the FTC’s stated goal is to encourage companies to devote more resources to protecting customer data, the agency can, and likely will, use these reports to initiate investigations and bring enforcement actions against companies that fail to provide notice or otherwise violate FTC requirements.

As cybersecurity threats increase and the costs – and consequences – of public disclosure ramp up, covered companies face significantly increased regulatory and litigation risk if they fail to prepare appropriately for these new rules. Companies should prioritize updating incident response plans to ensure issues are escalated appropriately, and revisit relevant parts of their security and privacy programs to ensure they reflect new requirements. Tabletop exercises should also begin to incorporate these new disclosure considerations to help executives and legal leaders prepare for a new element of regulatory reporting and public disclosure.

The FTC continues to show significant appetite for enforcement against what it views as inadequate privacy and cybersecurity practices, and against companies that know of issues and suffer further incidents after failing to effectively remediate gaps. These new rules provide yet more evidence of the array of risks faced by companies that do not take appropriate cybersecurity and privacy compliance steps.

John Gasparini

Of Counsel, Corporate Department

Aaron Charfoos

Partner, Litigation Department