In response to continuing data breaches at entities with lesser regulatory oversight, the FTC has revised its Safeguards Rule for the second time in many years. This new revision will take effect 180 days after publication in the Federal Register in April 2024. The last revision to the FTC’s Safeguards Rule wasn’t widely understood or adopted, which required a six-month extension. Businesses and regulated entities shouldn’t hope for an extension this time.
The primary emphasis of the new revision is that a ‘notification event’ now triggers the reporting process, described as any unauthorized acquisition of unencrypted customer information. This is a change from the earlier draft of the Rule, which used the term ‘security event’ to describe unauthorized system access or information misuse. Unfortunately, this change may result in some confusion, as described below.
Scope and definitions
Who does this apply to?
The Rule applies to non-banking financial institutions such as motor vehicle dealers, payday lenders, investment firms, insurance companies, peer-to-peer lenders, and asset management firms.
Defining “customer information”
The Rule adopts an expansive definition of “customer information,” which could encompass any information collected in relation to the provision of financial services to consumers.
Changes to what constitutes a notification event
The revised Rule changes the requirements for what constitutes a notification event. Instead of being limited to sensitive customer information, it now includes any unauthorized acquisition of unencrypted customer information.
Service providers as potential “agents”
The revised Rule requires financial institutions to consider their service providers as potential “agents,” which could trigger a notification requirement. Financial institutions will need to assess the extent to which their service providers could be involved in notification events.
Lowered threshold for reporting
The threshold for reporting was initially proposed for 1,000 consumers but lowered to 500 in the final amendment. The FTC estimates that this change will likely lead to a small increase in the number of reported incidents, affecting an additional 155 organizations annually.
There are a number of new reporting requirements with this update:
- Institutions must report breaches when unencrypted data of 500 or more consumers is accessed without authorization.
- Reports must be made within 30 days of the incident discovery, through a form on the FTC website.
- The report should include the number of consumers affected, the nature of the data, and contact information for the institution.
- There is no requirement to report based on the potential risk of harm or misuse of information; acquisition of data without authorization is sufficient.
- If law enforcement determines that public notification would impede a criminal investigation or national security, an entity can delay this notification while there’s an ongoing investigation, up to 60 days beyond the initial reporting window.
- The Rule does not require affected institutions to assess the risk of harm to consumers before reporting an incident. State laws and other guidance already cover data breach notifications.
- The FTC does not automatically assume a violation of the Safeguards Rule upon the submission of a data breach report, nor does it guarantee an investigation or enforcement action will follow.
Notification events will be published by the FTC into a publicly available database. This may lead to increased scrutiny from state regulators and potential civil actions.
The Rule clarifies that the updated data security requirements include the encryption of data both in transit and at rest. It provides an example regarding encryption, stating that customer information is considered unencrypted if the encryption key itself was accessed by an unauthorized person.
The Gramm-Leach-Bliley Act (GLBA) Privacy Rule requires financial institutions to provide notice of their privacy policies and practices to their customers and consumers, and to give them the opportunity to opt out of sharing their nonpublic personal information (NPI) with nonaffiliated third parties. NPI is any information that identifies a person and is related to their financial transactions or services.
The updated FTC Safeguards rule states that “in instances where an employee, officer, or other agent of the financial institution accesses customer information without authorization, a financial institution will be deemed to have knowledge of a notification event if the event is known to another employee, officer, or other agent of the financial institution.”
In practical terms, this means that if a first-party regulated entity has collected NPI about consumers who have then opted out of data sharing practices, an agent at a third party who views that NPI could trigger a notification event. For example, if a database query returns records to a third party about all consumers, it may be a notification event if a subset of those records have a visible ‘opt out’ flag shown on screen. As the Rule has not yet taken effect, it is unclear how this confusion between standard business practices and the new notification event definition will be reconciled or enforced.
4 things you can do right now to prepare
Here are a few ways you can prepare for the changes:
1. Streamline your processes with Hyperproof
Encryption of data is a primary control mentioned throughout the updated Safeguards Rule. There are three types of encryption in practice:
- Encryption at rest
- Encryption in transit
- Encryption in use
Hyperproof’s Hypersyncs and automated control testing can help entities determine if their customer data are encrypted at rest (such as through review of Amazon storage, Azure storage, or even local disk storage), and in transit (via HTTPS). Organizations should also evaluate their key storage and rotation procedures to ensure that encryption keys are not stored alongside encrypted data. This extends to desktop and mobile endpoints where customer financial data may be accessed and cached and/or stored.
2. Review your data sharing practices with third parties
However, encryption in use is more difficult (and often costly) for most organizations to implement as a technical control. Organizations should instead review their data sharing practices with third parties and put adequate controls in place so that NPI for customers who have opted out of data sharing practices is not inadvertently transferred to third parties. For example, role-based access control on a database query could limit database queries conducted by third parties so that they do not return any rows for NPI that has an ‘opt out’ flag or similar.
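One way to implement the opt-out filter described above is PostgreSQL row-level security, shown here as an added example that is not part of the original article. The table, column and role names are assumptions, and the sample rows are constructed.

```sql
-- Constructed schema: customer_npi, opt_out and both role names are assumptions.
CREATE TABLE customer_npi (
    customer_id bigint  PRIMARY KEY,
    full_name   text    NOT NULL,
    account_ref text    NOT NULL,
    opt_out     boolean NOT NULL DEFAULT false
);

-- Constructed sample rows; customer 2 has opted out of data sharing.
INSERT INTO customer_npi VALUES
    (1, 'Sample Customer A', 'ACCT-0001', false),
    (2, 'Sample Customer B', 'ACCT-0002', true),
    (3, 'Sample Customer C', 'ACCT-0003', false);

-- One role per kind of user, so the policy follows the role and not the query text.
CREATE ROLE first_party_staff NOLOGIN;
CREATE ROLE third_party_agent NOLOGIN;
GRANT SELECT ON customer_npi TO first_party_staff, third_party_agent;

-- With row-level security enabled, a role sees only rows that one of its
-- policies allows. The table owner and superusers bypass the policies, so
-- third-party connections must never run as either.
ALTER TABLE customer_npi ENABLE ROW LEVEL SECURITY;

-- First-party staff may read every row.
CREATE POLICY staff_all_rows ON customer_npi
    FOR SELECT TO first_party_staff
    USING (true);

-- Third-party agents may read only rows where the customer has not opted out.
CREATE POLICY third_party_no_opt_out ON customer_npi
    FOR SELECT TO third_party_agent
    USING (NOT opt_out);

-- Run the same query as each role to compare what the policies expose.
SET ROLE third_party_agent;
SELECT customer_id, full_name FROM customer_npi ORDER BY customer_id;
RESET ROLE;

SET ROLE first_party_staff;
SELECT customer_id, full_name, opt_out FROM customer_npi ORDER BY customer_id;
RESET ROLE;
```

Policies for different roles are combined with OR, so a login that is a member of both roles sees every row; keep third-party logins out of first_party_staff.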
3. Provide updated training
Entities should also provide training to employees about the updated Safeguards Rule. This can be tracked through Hyperproof’s Hypersync with KnowBe4, for example, which will help internal risk and audit teams ensure that there is a consistent understanding of the new Rule by all employees and potentially third-party agents.
4. Review your incident response plan
Organizations should also review their incident response plans in light of the lowered threshold of 500 consumers and expansive definition of “customer information.” Specifically, the typical “identification” phase of incident response plans should be updated to include guidance to determine if the data of 500 or more consumers were accessed in an unencrypted format. In practice, if a threat actor were to obtain the credentials of an authorized first- or third-party user with access to consumer data, this will likely trigger a notification event, assuming there is evidence that the threat actor queried or accessed that data. Additionally, once there has been a determination that an incident has occurred, there should be a defined process for the entity to use the form provided by the FTC to report the incident within 30 days.
The new Safeguards Rule will be in effect in less than six months. While encryption is generally a widely adopted practice, organizations should ensure that encryption is comprehensive for both data in use and at rest, and also that only authorized first- and third-party users can access customer information for legitimate business purposes. Entities should also familiarize themselves with the new reporting requirements and form and be prepared to report notification events within thirty days of incident discovery.
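The identification check described in step 4 can be expressed as a query over incident audit data. This is an added example, not from the original article: the three tables, their columns and the incident identifier are assumptions, the data is constructed, and the syntax is PostgreSQL. It treats encrypted records as unencrypted when their key was exposed in the same incident, following the Rule's example quoted earlier.

```sql
-- Constructed incident-tracking schema; every name here is an assumption.
CREATE TABLE incident (
    incident_id   text PRIMARY KEY,
    discovered_at timestamptz NOT NULL
);
CREATE TABLE exposed_key (          -- keys an unauthorized person accessed
    incident_id text REFERENCES incident,
    key_id      text,
    PRIMARY KEY (incident_id, key_id)
);
CREATE TABLE access_event (         -- one row per consumer record acquired
    incident_id text REFERENCES incident,
    consumer_id bigint  NOT NULL,
    encrypted   boolean NOT NULL,
    key_id      text                -- NULL when the record was in the clear
);

-- Constructed sample data for a single placeholder incident.
INSERT INTO incident VALUES ('INC-EXAMPLE', '2024-06-03 09:00+00');
INSERT INTO exposed_key VALUES ('INC-EXAMPLE', 'key-a');
INSERT INTO access_event
SELECT 'INC-EXAMPLE', g, true,
       CASE WHEN g <= 450 THEN 'key-a' ELSE 'key-b' END
FROM generate_series(1, 600) AS g;
INSERT INTO access_event
SELECT 'INC-EXAMPLE', g, false, NULL
FROM generate_series(580, 640) AS g;

-- Count distinct consumers whose data was acquired unencrypted. A record
-- counts when it was stored in the clear OR its key appears in exposed_key
-- for the same incident. The LEFT JOINs keep incidents with no qualifying
-- events in the result, with a count of zero.
SELECT i.incident_id,
       count(DISTINCT e.consumer_id)
           FILTER (WHERE NOT e.encrypted OR k.key_id IS NOT NULL)
           AS consumers_unencrypted,
       count(DISTINCT e.consumer_id)
           FILTER (WHERE NOT e.encrypted OR k.key_id IS NOT NULL) >= 500
           AS meets_reporting_threshold,
       i.discovered_at + interval '30 days' AS report_due
FROM incident AS i
LEFT JOIN access_event AS e ON e.incident_id = i.incident_id
LEFT JOIN exposed_key  AS k ON k.incident_id = e.incident_id
                           AND k.key_id      = e.key_id
GROUP BY i.incident_id, i.discovered_at;
```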