What’s new: The Federal Trade Commission (FTC) has announced a final rule amending the FTC Safeguards Rule that will require non-banking financial institutions, such as dealers, to report certain data breaches and other security events to the FTC.
The final rule requires financial institutions (including dealers) to report “notification events” to the FTC. A notification event is the acquisition of unencrypted customer information without the authorization of the individuals to whom it pertains, and it must be reported when it involves at least 500 consumers. The FTC has stated that the notice requirement is specifically intended to help it enforce the Safeguards Rule against the entities that file reports.
The notice must be submitted electronically through a form on the FTC’s website as soon as possible, and no later than 30 days after the event is discovered, and must include:
- The name and contact information of the reporting financial institution
- A description of the types of information that were involved in the notification event
- The date or date range of the notification event (if possible to determine)
- The number of consumers affected
- A general description of the notification event[1]
Notices will be available in a public database. The final rule does not impose a consumer notice requirement.
How we got here: When this rule was proposed, NADA submitted extensive comments opposing the notice requirement. While the FTC rejected many of NADA’s arguments[2], several of NADA’s key points were reflected in the final rule, including:
- Notification is required only if the financial institution discovers that unencrypted customer information has been acquired without authorization[3] (the proposed rule applied to all “customer information”), and
- The FTC’s acknowledgement that “not every notification event is necessarily the result of a failure to comply with the Safeguards Rule.”
This rule will become effective 180 days after it is published in the Federal Register, which is expected shortly. Dealers and their qualified individuals should review the final rule to understand its requirements and scope, and should consult with their technology providers and counsel regarding the implications of the new rule.
[1] And, if applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.
[2] Along with those of other industry commenters.
[3] This important change to the final rule underlines the imperative of dealers complying with the existing Safeguards Rule requirement to encrypt all customer information “at rest and in transit.” Note that the final rule treats customer information as unencrypted if the encryption key was itself accessed by an unauthorized person, so encryption removes the reporting trigger only if the keys are protected separately from the data they protect.
This memorandum is not intended as legal advice. Dealers and their qualified individuals should consult with counsel regarding this rule, other federal laws, and related state or local laws, which are not addressed herein.