On October 27, 2023, the Federal Trade Commission (the “FTC”) adopted a final rule (“Final Rule”) to amend the Standards for Safeguarding Customer Information (the “Safeguards Rule”). Among other things, the Final Rule will require covered financial institutions to report any unauthorized acquisition of personal data involving at least 500 individuals to the FTC within 30 days of discovery, even if the breach was inadvertent and there is no risk of harm to affected individuals. The FTC will make such reports publicly available on its website.
Financial institutions covered by the Safeguards Rule (“Covered Institutions”) include, but are not limited to:
- Investment advisers that are not registered with the Securities and Exchange Commission;
- Fintech platforms, such as “neobanks”;
- Crypto platforms;
- Money services businesses; and
- Online lenders.
The Safeguards Rule, initially adopted in 2002 pursuant to the Gramm-Leach-Bliley Act, generally requires Covered Institutions to develop, implement, and maintain a comprehensive data security program designed to protect the security of customer information. The Final Rule becomes effective 180 days after publication in the Federal Register, which will likely be around May 1, 2024.
Under the Final Rule, Covered Institutions are required to notify the FTC as soon as possible, and no later than 30 days after discovery, of a “Notification Event” involving the customer information of at least 500 individuals. Customer information is personally identifiable financial information about an individual that is not publicly available. A Notification Event is defined as the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is unencrypted if the encryption key was accessed by an unauthorized person.
The FTC presumes that any unauthorized access of information is unauthorized acquisition requiring notification unless the Covered Institution can rebut the presumption.
A Notification Event is treated as discovered on the first day the event is known to the Covered Institution. Knowledge of a Notification Event by any person, other than the person committing the breach, who is an employee, officer, or other agent of the Covered Institutions is imputed to the Covered Institutions.
The notice to the FTC must include (1) the name and contact information of the reporting financial institution, (2) a description of the types of information involved, (3) the date or date range of the notification event, if possible to determine, (4) the number of individuals affected, (5) a general description of the event, and if applicable, whether there has been a law enforcement determination that notification of the breach to the public should be delayed. The notice must be provided electronically through a form located on the FTC’s website.
Importantly, the unauthorized acquisition of customer information alone triggers the new notification requirement, independent of any “risk of harm” analysis. This requirement differs from many state data breach notification statutes, many of which exempt companies from notification requirements if the company determines there is no risk of substantial harm that could result from the unauthorized access of information. It also represents a change from the Notice of Proposed Rulemaking, which would have required Covered Institutions to make a report to the FTC only upon determining that, among other conditions, misuse of customer information had occurred, or was reasonably likely to occur.
The upshot of this new requirement is that even an inadvertent disclosure posing little risk of investor harm (for example, an inadvertent email erroneously sent by an Covered Institutions to a vendor containing investor information and the vendor promptly deletes the email) will necessitate the notification of the FTC. Even such inadvertent disclosures will be posted on the FTC’s public website.
Notification of the FTC is specifically required even if law enforcement requests that the Notification Event remain confidential. In such cases, the FTC will coordinate with law enforcement regarding confidentiality.
It should be noted that while the Final Rule applies only to Covered Institutions, Registered Investment Advisers (“RIAs”) may soon be subject to a similar notification requirement by the SEC. On February 9, 2022, the SEC voted to propose new cybersecurity risk management rules and amendments applicable to RIAs and investment companies. Under proposed Rule 204-6, RIAs would be required to report significant adviser related, or fund related, cybersecurity incidents to the Commission within 48 hours of having a reasonable basis to conclude that such an incident has occurred. The proposed rule would define a significant cybersecurity incident as a cybersecurity incident, or a group of related incidents, that significantly disrupts or degrades the adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations, or leads to the unauthorized access or use of adviser information, resulting in substantial harm to the adviser, client, or an investor. The new rules also require RIAs and investment companies to adopt and implement written cybersecurity policies and procedures reasonably designed to minimize cybersecurity risk. The comment period was reopened earlier this year, and closed on May 22, 2023. Adoption of the rule has been delayed as the SEC reviews comments submitted on the proposals, many of which were critical.
If you have any questions about the new requirements, please reach out to your Seward & Kissel relationship attorney or Casey Jennings.