Financial institutions are now required to notify the Federal Trade Commission about any security breach that involves the information of 500 customers or more. The breach must be reported no later than 30 days after it is discovered.
The new requirement is the result of an FTC amendment to the Safeguards Rule issued under the Gramm-Leach-Bliley Act. The amendment was announced in October 2023 and took effect on May 13, 2024. The intervening period was intended to give institutions time to prepare for the change.
The amendment defines a notification event as the “acquisition of unencrypted customer information without the authorization of the individual to which [sic] the information pertains.” Two points in that definition matter in practice. First, encryption is not a safe harbor on its own: the rule treats customer information as unencrypted if the encryption key was accessed by an unauthorized person. Second, the amendment states that unauthorized acquisition is presumed to include unauthorized access to unencrypted customer information unless there is “reliable evidence showing that there has not been, and could not reasonably have been, unauthorized acquisition of such information.” In other words, the burden is on the institution to show, with evidence such as logs, that accessed data was not actually taken; absent that evidence, access alone triggers the reporting obligation.
A notification event is deemed to have been “discovered” on the first day that the event becomes known to the affected institution, and the institution is treated as knowing about the event once it is known to any of its employees, officers, or other agents other than the person committing the breach. The 30-day clock therefore starts when a front-line employee or contractor learns of the incident, not when it reaches the security or legal team. Following discovery, the FTC must be notified as soon as possible, and no later than 30 days after discovery, of a security breach involving the information of at least 500 consumers.
The amendment itself does not require that the affected individuals be notified of the incident, but state breach-notification laws may apply and may require notification of individuals on their own timelines.
The stated goal of the amendment is to establish a uniform reporting requirement for all financial institutions subject to Gramm-Leach-Bliley and regulated by the FTC. The FTC argues that the amendment imposes a minimal burden because institutions will already be preparing state and consumer notifications. Because, in the FTC's view, the burden of reporting is minimal, the amendment includes no exemptions or alternatives for small entities. The FTC acknowledged that not every notification it receives will result in an investigation or enforcement action.
Notifications are submitted through a form on the FTC's website. The form spells out what a report must contain: the institution's name and contact information, a description of the types of information involved, the date or date range of the event (if it can be determined), the number of consumers affected or potentially affected, and a general description of the event. Submitted reports are then made public on the site. A reporting institution can, however, request that public disclosure of the report be delayed where a law enforcement official determines that publication would impede a criminal investigation or cause damage to national security.