Legal developments in data, privacy, cybersecurity, and other emerging technology issues

FTC Adds Data Breach Reporting Requirement to Its GLB Safeguards Rule Applicable to Nonbank Financial Institutions

Last week, the FTC amended its Gramm-Leach-Bliley Safeguards Rule, supplementing the additions to the rule that it announced in 2021 and that have been in effect since June 2023. The recent amendment will require nonbank financial institutions to notify the FTC when there is an unauthorized acquisition of unencrypted customer information involving 500 or more consumers. This notification requirement, which is scheduled to go into effect in May 2024, adds to the growing list of notifications that a company must consider after a data incident, including the SEC’s recently enacted rules requiring registrants to disclose material cybersecurity incidents.

Notification Event

The new amendment to the Safeguards Rule requires notification to the FTC upon discovery of a “notification event,” a defined term that deviates from existing terminology and arguably requires notification in a broad set of circumstances. A notification event means the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” Customer information is defined in the Safeguards Rule as records containing nonpublic personal information (“NPI”) about a customer of the financial institution, and NPI includes any information that a consumer provides to a financial institution to obtain a financial product or service, or that the financial institution otherwise obtains about a consumer in connection with providing a financial product or service to the consumer. Therefore, the type of information covered by the notice requirement is broader than the information that needs to be breached to trigger state notification laws.

Notably, the new Safeguards Rule notification requirement applies to the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. The FTC chose this new triggering definition instead of using the existing “security event” definition contained in the Safeguards Rule, which triggers certain other data security program requirements under the rule. Under the broader “notification event” definition, the type of applicable information breaches conceivably could extend beyond actions by hackers to a company’s voluntary sharing of customer information with third parties without customer authorization. In addition, the amended rule does not require the incident to be likely to result in the misuse of information, although that requirement was included in the proposed rule and is included in some state data breach notification requirements. It will be interesting to see how the FTC interprets this provision, particularly in light of the fact that the GLB Privacy Rule has established long-standing requirements for when covered financial institutions can disclose NPI, and the type of notice and consent that they must obtain. The amended Safeguards Rule also provides that unauthorized access to unencrypted customer information will be presumed to result in unauthorized acquisition unless the financial institution has “reliable evidence” showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

Still, notification is only required for breaches of unencrypted customer information. The Safeguards Rule already requires covered financial institutions to protect by encryption all customer information held or transmitted by the company, both in transit over external networks and at rest. So companies complying with this requirement should be in a favorable position to avoid having to comply with this notification requirement. However, the rule notes that customer information is also considered unencrypted if the encryption key was accessed by an unauthorized person.

Required Notice and Timing

If notice is required, it must be made to the FTC through a form on the FTC’s website as soon as possible, but no later than 30 days after discovery of the event by any employee, officer or other company agent. The notice must include:

  • the name and contact information of the reporting financial institution;
  • a description of the types of information that were involved in the notification event;
  • if it is possible to determine, the date or date range of the notification event;
  • the number of consumers affected; and
  • a general description of the notification event.

The FTC intends to enter notification event reports into a publicly available database. If applicable, the notice should identify whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official. The law enforcement official may request an initial delay of up to 30 days following the date when notice was provided to the FTC, and the delay may be extended for an additional period of up to 60 days if the law enforcement official seeks such an extension in writing. Additional delay may be permitted only if FTC staff determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.

Topics: Data Breach, FTC, GLB