88 FR 217 pgs. 77499-77509 - Standards for Safeguarding Customer Information
Type: RULEVolume: 88Number: 217Pages: 77499 - 77509
Pages: 77499, 77500, 77501, 77502, 77503, 77504, 77505, 77506, 77507, 77508, 77509FR document: [FR Doc. 2023–24412 Filed 11–9–23; 8:45 am]
Agency: Federal Trade Commission
Official PDF Version: PDF Version
[top]
FEDERAL TRADE COMMISSION
16 CFR Part 314
RIN 3084-AB35
Standards for Safeguarding Customer Information
AGENCY:
Federal Trade Commission.
ACTION:
Final rule.
SUMMARY:
The Federal Trade Commission ("FTC" or "Commission") is issuing a final rule ("Final Rule") to amend the Standards for Safeguarding Customer Information ("Safeguards Rule" or "Rule") to require financial institutions to report to the Commission any notification event where unencrypted customer information involving 500 or more consumers is acquired without authorization.
DATES:
The amendments are effective May 13, 2024.
FOR FURTHER INFORMATION CONTACT:
David Lincicum (202-326-2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Background
Congress enacted the Gramm Leach Bliley Act ("GLBA") in 1999. 1 The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to provide customers with information about the institutions' privacy practices and about their opt-out rights, and to implement security safeguards for customer information.
Footnotes:
1 ?Public Law 106-102, 113 Stat. 1338 (1999).
Subtitle A of Title V of the GLBA required the Commission and other Federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information. 2 Pursuant to the GLBA's directive, the Commission promulgated the Safeguards Rule in 2002. 3 The Safeguards Rule became effective on May 23, 2003. 4
Footnotes:
2 ? See 15 U.S.C. 6801(b), 6805(b)(2).
3 ?67 FR 36483 (May 23, 2002).
4 ? Id.
II. Regulatory Review of the Safeguards Rule
On April 4, 2019, the Commission issued a notice of proposed rulemaking ("NPRM") setting forth proposed amendments to the Safeguards Rule. 5 In response, the Commission received 49 comments from various interested parties including industry groups, consumer groups, and individual consumers. 6 On July 13, 2020, the Commission held a workshop concerning the proposed changes and conducted panels with information security experts discussing subjects related to the proposed amendments. 7 The Commission received 11 comments following the workshop. After reviewing the initial comments to the NPRM, conducting the workshop, and then reviewing the comments received following the workshop, the Commission issued final amendments to the Safeguards Rule on December 9, 2021. 8
Footnotes:
5 ?84 FR 13158 (Apr. 4, 2019).
6 ?The 49 relevant public comments received on or after March 15, 2019, can be found at Regulations.gov . See FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 314, Project No. P145407, https://www.regulations.gov/docket/FTC-2019-0019/comments. The 11 relevant public comments relating to the subject matter of the July 13, 2020, workshop can be found at: https://www.regulations.gov/document/FTC-2020-0038-0001/comment. This notice cites comments using the last name of the individual submitter or the name of the organization, followed by the number based on the last two digits of the comment ID number.
7 ? See FTC, Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf.
8 ?86 FR 70272 (Dec. 9. 2021).
[top] In the NPRM, the Commission explained that its proposed amendments to the Safeguards Rule were based primarily on the cybersecurity regulations issued by the New York Department of Financial Services, 23 NYCRR 500 ("Cybersecurity Regulations"). 9 The Commission also noted that the Cybersecurity Regulations require covered entities to report security events to the superintendent of the Department of Financial Services. 10 Relatedly, for many years, some other Federal agencies enforcing the GLBA have required financial institutions to provide notice to the regulator, and in some instances notice to consumers as well. 11 Although the Commission did not include a similar reporting requirement in the NPRM, it did seek comment on whether the Safeguards Rule should be amended to require that financial institutions report security events to the Commission. Specifically, the Commission requested comments on whether such a requirement should be added and, if so, (1) the appropriate deadline for reporting security events after discovery, (2) whether all security events should require notification or whether notification should be required only under certain circumstances, such as a determination of a likelihood of harm to customers or that the event
Footnotes:
9 ?84 FR 13158, 13163 (Apr. 4, 2019).
10 ? Id. at 13169.
11 ? See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 FR 15736, 15752 (Mar. 29, 2005) (originally issued by the Office of the Comptroller of the Currency; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; and the Office of Thrift Supervision) ("At a minimum, an institution's response program should contain procedures for the following: . . . Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below; . . . [and notifying] customers when warranted"), https://www.occ.treas.gov/news-issuances/federal-register/2005/70fr15736.pdf (emphasis in original).
12 ? Id.
The final rule, which the Commission published in the Federal Register on December 9, 2021, did not include a reporting requirement. 13 However, on the same date, the Commission published a supplemental notice of proposed rulemaking ("SNPRM") in the Federal Register , which proposed further amending the Safeguards Rule to require financial institutions to report to the Commission certain security events as soon as possible, and no later than 30 days after discovery of the event. 14 Specifically, the Commission proposed to require financial institutions to notify the Commission electronically through a form located on the FTC's website about any security event that resulted or is reasonably likely to result in the misuse of customer information affecting at least 1,000 consumers. The Commission proposed that the notification include a limited set of information, consisting of (1) the name and contact information of the reporting financial institution, (2) a description of the types of information involved in the security event, (3) the date or the date range of the security event, if it can be determined, and (4) a general description of the security event. In response to the SNPRM, the Commission received 14 comments from various interested parties, including industry groups, consumer groups, and individual consumers. 15
Footnotes:
13 ?86 FR 70272 (Dec. 9. 2021).
14 ? See 86 FR 70062, 70067 (Dec. 9, 2021).
15 ?The 14 relevant public comments received can be found at Regulations.gov . See FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 314, Project No. P145407, https://www.regulations.gov/docket/FTC-2021-0071/comments.
After reviewing the comments, the Commission now finalizes the proposed amendments with minor changes.
III. Overview of Final Rule
The Final Rule requires financial institutions to report notification events, defined as the unauthorized acquisition of unencrypted customer information, involving at least 500 customers to the Commission. The notice to the Commission must include: (1) the name and contact information of the reporting financial institution; (2) a description of the types of information that were involved in the notification event; (3) if the information is possible to determine, the date or date range of the notification event; (4) the number of consumers affected; (5) a general description of the notification event; and, if applicable, whether any law enforcement official has provided the financial institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official. The notice must be provided electronically through a form located on the FTC's website, https://www.ftc.gov.
IV. Detailed Analysis
The following section discusses the comments that the Commission received in response to the SNPRM.
General Comments
Several commenters generally supported the inclusion of a notification requirement in the Rule. 16 Some of these commenters pointed to frequent data breaches as an indication that companies' data security practices are inadequate and stated that requiring companies to provide notice to the Commission would enable the Commission to more easily enforce the Rule. 17 The Clearing House argued that the requirement is appropriate because it would place financial institutions covered by the Rule in the same position as banks, which are required to report data breaches to their prudential regulators. 18 The Electronic Privacy Information Center ("EPIC") suggested that the amendment would incentivize "use of strong data security measures by financial institutions, bring additional accountability and transparency to the handling of security events, and enhance the data security and privacy of all consumers."? 19
Footnotes:
16 ? See Anonymous (Comment 2); Briggs (Comment 4); Clearing House Association L.L.C. ("Clearing House") (Comment 11); Anonymous (Comment 14); Securities Industry and Financial Markets Association ("SIFMA") and Bank Policy Institute ("BPI") ("SIFMA/BPI") (Comment 15) (supporting notification requirement for financial institutions that are not regulated by non-FTC financial agencies); American Council on Education (Comment 18) (supporting proposed notice requirement with revisions); Electronic Privacy Information Center ("EPIC") (Comment 19).
17 ? See, e.g., Anonymous (Comment 2); Briggs (Comment 4); The Clearing House (Comment 11) at 2 (describing breaches in the fintech industry).
18 ?Clearing House (Comment 11) at 1-2.
19 ?EPIC (Comment 19) at 2.
[top] Other commenters opposed the proposal. 20 Many of these commenters argued that the proposed notification requirement would be duplicative of State breach notification laws and is, therefore, unnecessary. 21 The Commission, however, disagrees that requiring financial institutions to provide notice to the Commission is redundant because of State breach notification laws. State breach notification laws provide notice to consumers and in some cases also to State regulators, while the notice requirement of the Final Rule requires notice to the Commission and is designed to ensure that the Commission receives notice of security breaches affecting financial institutions under the Commission's jurisdiction. Notice to consumers or to State regulators does not achieve this purpose. Receipt of these notices will enable the Commission to monitor for emerging data security threats affecting financial institutions and to facilitate prompt investigative response to major security breaches. CTIA argued that the Commission could achieve this goal by accessing and reviewing regulated entities' reports to consumers and State authorities under State notification laws. 22 The Commission disagrees that this indirect method would be as efficient or effective as requiring regulated financial institutions to directly notify the Commission. 23 Such an approach would be extremely burdensome on the Commission and would require the diversion of resources from enforcement to search for and collect information about breaches involving regulated financial institutions. Also, as some of the commenters noted, 24 State laws vary in what types of incidents must be
Footnotes:
20 ? See American Financial Services Association ("AFSA") (Comment 12); Consumer Data Industry Association ("CDIA") (Comment 13); American Escrow Association (Comment 16); CTIA (Comment 20); National Automobile Dealers Association ("NADA") (Comment 21); U.S. Chamber of Commerce (Comment 22).
21 ? See, e.g., AFSA (Comment 12) at 3; CDIA (Comment 13) at 2-3; CTIA (Comment 20) at 2-4; NADA (Comment 21) at 2-3; U.S. Chamber of Commerce (Comment 22) at 3.
22 ?CTIA (Comment 20) at 6-7.
23 ?While some States that require notification to a State agency make companies' breach notifications public, see, e.g., N.H. Dep't of Just., Off. of Attorney Gen., Security Breach Notifications, https://www.doj.nh.gov/consumer/security-breaches/, other States do not make notifications public, and as noted above, not all States require notice to a State government agency. Some non-governmental sources report breach notifications, but there is no guarantee that such sources are comprehensive as they depend in part on reporting by consumers who received a breach notification letter. Thus, the Commission could not obtain comprehensive data relating to breaches at regulated financial institutions by compiling reports of breaches from other sources.
24 ? See, e.g., Clearing House (Comment 11) at 8; CDIA (Comment 13) at 3; CTIA (Comment 20) at 4.
25 ? See, e.g., Tex. Bus. & Com. Code 521.053(i) (requiring companies to notify Texas Attorney General if a breach affects at least 250 Texas residents); Va. Code Ann. 18.2-186.6(E) (requiring companies to notify Virginia Attorney General if a breach affects at least 1,000 Virginia residents); Fla. Stat. 501.171(3) (requiring businesses to notify the Florida Department of Legal Affairs if a breach affects at least 500 individuals in Florida).
Some commenters argued that the notification requirement would not improve financial institutions' data security. 26 Other commenters disagreed with this assertion, arguing that the notification requirement would further incentivize financial institutions to protect customer information. 27 The Commission agrees with these commenters that the notification requirement will increase the efficiency and effectiveness of the Commission's enforcement of the Rule. As noted above, while State breach notification laws require notice to consumers, some States do not require that such notices be provided to State regulators as well, and not all State regulators that do receive such notices publish them. By requiring financial institutions to provide notice directly to the Commission, the Commission will not have to devote resources to continually search for breach notifications posted by other sources in order to know that a financial institution has experienced a breach. Without a notification, the Commission would have no guarantee that it has found all breaches in its searches. The required notices will enable the Commission to identify breaches that merit investigation more quickly and efficiently. Also, receiving notice of breaches will allow the Commission to develop better awareness of emerging risks to financial institutions' security. The Commission expects that these benefits will enable more efficient enforcement of the Rule, which will in turn increase financial institutions' incentive to comply. In addition, as discussed below, making the notices public will enable consumers to make more informed decisions about which financial institutions they choose to entrust with their information, providing financial institutions with an additional incentive to comply with the Rule.
Footnotes:
26 ? See, e.g., AFSA (Comment 12) at 1; CDIA (Comment 13) at 2-3; American Escrow Association (Comment 16) at 2; CTIA (Comment 20) at 3-6; NADA (Comment 21) at 2-3; U.S. Chamber of Commerce (Comment 22) at 2-3.
27 ? See EPIC (Comment 19) at 2, see also Anonymous (Comment 2); Briggs (Comment 4).
The National Automobile Dealers Association ("NADA") argued that a requirement for financial institutions to report events in order to facilitate enforcement against them is "unprecedented"? 28 and "raises serious questions," including "potential First Amendment and potentially even Fifth Amendment concerns."? 29 The Commission disagrees. Far from being unique, the requirement to report security events to law enforcement agencies that might result in enforcement actions against the notifying company is common. Many Federal agencies? 30 require regulated entities to report data breaches to them, and most States require that companies report breaches to State attorneys general or other State law enforcement and have done so for years. 31
Footnotes:
28 ?NADA argues that banking regulations are not relevant examples because they are designed "to protect depositors and to ensure the public interest in the safety and soundness of banks," rather than to facilitate enforcement. NADA (Comment 21) at 4-5, n.8. The banking regulations, however, are also designed to facilitate enforcement. In addition, the Safeguards Rule is also designed to protect customers of financial institutions and ensure the public interest in the safety of consumer's financial information.
29 ?NADA (Comment 21) at 4-5, n. 9.
30 ? See, e.g., Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 FR 15736, 15752 (Mar. 29, 2005) (originally issued by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision); 45 CFR 164.408 (requiring covered entities to report breaches affecting 500 or more individuals to the Secretary of Health and Human Services); 12 CFR 53.3 (requiring banking organizations to report security events to the Office of the Comptroller of the Currency); 12 CFR 225.302 (requiring Board-supervised banking organization to report certain breaches to the Board); 12 CFR 304.23 (requiring certain bank organizations to report breaches to the FDIC); see also 87 FR 16590 (Mar. 23, 2022) (proposed rule requiring companies to report security incidents to the SEC).
31 ? See, e.g., Tex. Bus. & Com. Code 521.053(i) (requiring companies to notify Texas Attorney General if a breach affects at least 250 Texas residents); Va. Code Ann. 18.2-186.6(E) (requiring companies to notify Virginia Attorney General if a breach affects at least 1,000 Virginia residents); Fla. Stat. 501.171(3) (requiring businesses to notify the Florida Department of Legal Affairs if a breach affects at least 500 individuals in Florida).
NADA also argued that requiring reporting security events to assist the Commission to enforce the Safeguards Rule is inappropriate because not every breach is the result of a failure to comply with the Safeguards Rule. 32 NADA suggested that the reporting requirement should only "apply after a series of security events," because only multiple events can be "suggestive of compliance failures," while any single breach "certainly . . . is not."? 33 While the Commission acknowledges that not every notification event is necessarily the result of a failure to comply with the Safeguards Rule, it disagrees that a single breach cannot be "suggestive of compliance failures."? 34 Indeed, the fact that an institution has not experienced a breach does not necessarily mean that the institution is in compliance with the Rule's requirements. The Commission believes that taking action to correct a potential Safeguards Rule violation before additional security events can harm consumers is appropriate and desirable. The American Financial Services Association ("AFSA") contended that "the FTC should clarify what factors in a report could lead to enforcement concerns," arguing that otherwise "institutions may seek to minimize all risks associated with a report."? 35 The Commission does not believe that providing a guide to when a report could possibly lead to enforcement is either possible or desirable because the reports are unlikely to contain all of the information that the Commission would need to determine that law enforcement is appropriate or necessary. Such determinations are typically made following investigations that afford entities the opportunity to provide context and information.
Footnotes:
32 ?NADA (Comment 21) at 3-5.
33 ?NADA (Comment 21) at 4.
34 ? See, e.g., FTC v. Equifax, 1:19-cv-03297-TWT (N.D. Ga., July 22, 2019), available at https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc.
35 ?AFSA (Comment 12) at 1.
[top] In addition, the Commission notes that requiring a financial institution to report an event is not suggesting that every notification event is the result of a violation of the Rule and will result in an enforcement action or even investigation. Rather, the reporting requirement will provide the Commission with valuable information about security threats to financial institutions and assist in the determination of whether any individual event should be investigated further. This will improve the Commission's ability to respond to data breaches and may enable the Commission to issue business and
Other commenters argued that the reporting requirement would be unduly burdensome. 36 Some of these commenters suggested that because the Rule's requirement may differ from State notification laws' requirements, complying with the Rule will be burdensome. 37 Other commenters disagreed, noting that the information required is limited to basic information about the company and the notification event. 38 The Commission agrees with these commenters. The information required to be reported is minimal and is very similar to the information required by many State notification laws. 39 The company will have this information as the result of even a basic investigation of the security event, an investigation that would be required in any event to comply with the Rule and basic security practices. The fact that some State laws may be triggered under different circumstances and may require different information does not render this simple report burdensome.
Footnotes:
36 ?CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA (Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at 2-3; U.S. Chamber of Commerce (Comment 22).
37 ?CDIA (Comment 13) at 2-3; CTIA (Comment 20) at 6; NADA (Comment 21) at 2-3.
38 ?American Escrow Association (Comment 16) at 2; ACE (Comment 18) at 2, 7-8; EPIC (Comment 19) at 6-7.
39 ? See, e.g., Ala. Code 8-38-5(d); Ariz. Rev. Stat. 18-552(E); Cal. Civ. Code 1798.82(d); Fla. Stat. 501.171(3)(b); Mich. Comp. Laws 445.72(6); Mo. Rev. Stat. 407.1500(2)(4); N.H. Rev. Stat. Ann. 359-C:20(IV); N.Y. U.C.C. Law 899-AA(7); and Or. Rev. Stat. 646A.604(5).
In addition to addressing the proposed amendment in general, commenters also addressed specific elements of the proposed amendments. These comments are addressed in the following detailed discussion.
Triggering Event
The Commission adopts proposed §?314.4(j) as originally proposed, with minor changes. Proposed paragraph (j) would have required financial institutions that become aware of a security event to promptly determine the likelihood that customer information has been or will be misused. Under the provision as originally proposed, financial institutions would have been required to make a report to the Commission upon determining that, among other conditions, "misuse of customer information ha[d] occurred or . . . [was] reasonably likely [to occur]." However, upon consideration of the comments, Commission is clarifying the triggering language by adding a new paragraph (m) in §?314.2, which defines the term "notification event" as the "acquisition of . . . [unencrypted customer] information without the authorization of the individual to which the information pertains." Section 314.2(m) further clarifies that: (1) "[c]ustomer information is considered unencrypted . . . if the encryption key was accessed by an unauthorized person;" and (2) "[u]nauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information."
Several commenters addressed whether becoming aware of a security event is an appropriate trigger for the notification process. In a joint comment, the Securities Industry and Financial Markets Association ("SIFMA") and the Bank Policy Institute ("BPI") argued that the notification process should not begin when a financial institution becomes aware of an event, but instead begin when the financial institution "determines" a security event has occurred. SIFMA and BPI suggested that "determination" takes place sometime after "discovery," and that financial institutions should have 30 days to notify the Commission after making this determination rather than after discovery. SIFMA and BPI argued that "determination" "connotes a higher standard of certainty than `discovery,'?" and would include determining whether any further requirements for notice, such as number of consumers affected, had been met. The Commission disagrees that 30 days after discovery of a notification event is insufficient time to determine whether the event meets the requirements for notification and to prepare the notice. The Commission expects that companies will be able to decide quickly whether a notification event has occurred by determining whether unencrypted customer information has been acquired and, if so, how many consumers are affected, so there will not be a significant difference between "determination" and "discovery."? 40 In addition, the notification to the Commission requires minimal details and will not take significant time to prepare and, as discussed above, many States require reports containing similar information, so the financial institutions will need to prepare such a report in any event.
Footnotes:
40 ?As discussed below, the Final Rule no longer requires the financial institution to determine whether misuse had occurred or was likely.
Other commenters argued the term "security event" is too broad a term to act as a trigger for the notification process, stating that the term encompasses types of incidents that pose little risk of consumer harm and for which notification is unnecessary. 41 Some commenters felt notification should be required only when harm to consumers has occurred or is likely to occur, rather than when "misuse" has occurred or is reasonably likely. 42 Some commenters argued a trigger that requires consumer harm would be more in accord with State notification laws. 43 Similarly, several commenters argued the notification requirement should exclude security events that involve only encrypted customer information, because there is little chance of consumer harm in such cases. 44 Others argued requiring financial institutions to report breaches that do not involve possible harm to consumers would be unduly burdensome on financial institutions and would produce an overwhelming number of reports to the Commission. 45 Conversely, EPIC argued notice should be required for all security events regardless of whether misuse had occurred or was likely. 46 EPIC argued that removing the analysis of whether misuse was likely would lower the burden of determining whether a report should be made and would prevent attempts by financial institutions to avoid reporting to the Commission. 47
Footnotes:
41 ? See, e.g., SIFMA/BPI (Comment 15) at 8-9; CTIA (Comment 20) at 11-12; NADA (Comment 21) at 2-3.
42 ? See CDIA (Comment 13) at 4-5; SIFMA/BPI (Comment 15) at 9-10; American Escrow Association (Comment 16) at 2-3; ETA (Comment 17) at 2; CTIA (Comment 20) at 11-14.
43 ? See, e.g., CDIA (Comment 13) at 4-5.
44 ?AFSA (Comment 12) at 2; CDIA (Comment 13) at 6; SIFMA/BPI (Comment 15) at 9; ACE (Comment 18); CTIA (Comment 20) at 12; NADA (Comment 21) at 3; U.S. Chamber of Commerce (Comment 22) at 4.
45 ?SIFMA/BPI (Comment 15) at 9; ETA (Comment 17) at 2; CTIA (Comment 20) at 11.
46 ?EPIC (Comment 19) at 4.
47 ? Id.
[top] The Commission agrees with EPIC that the trigger for notification requires clarification. The meaning of the term "misuse" in the proposed rule was ambiguous. It was not clear if acquisition of customer information alone constituted misuse, or if other forms of misuse, such as alteration of data, would fall within the notification requirement. Given this ambiguity, financial institutions would have had difficulty evaluating the likelihood of misuse of customer information that has been acquired without authorization. At the same time, the ambiguity could have
Accordingly, the Final Rule requires notification where customer information has been acquired, rather than when misuse is considered likely. Specifically, the Commission is adding a new §?314.2(m) that defines the term "[n]otification event" to mean the acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Section 314.2(m) also provides that unauthorized access of information will be presumed to result in unauthorized acquisition unless the financial institution can show that there has not been, or could not reasonably have been, unauthorized acquisition of such information. This rebuttable presumption is consistent with the Health Breach Notification Rule. See 16 CFR 318.2(a) ("Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR [personal health record] identifiable health information unless the vendor of personal health records, PHR related entity, or third party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information."). 48 Here, too, the presumption is "intended to address the difficulty of determining whether access to data ( i.e., the opportunity to view the data) did or did not lead to acquisition ( i.e., the actual viewing or reading of the data)."? 49
Footnotes:
48 ? See also 74 FR 42962, 42966 (Aug. 25, 2009). Examples of this rebuttable presumption cited in that rulemaking, and equally relevant here, included a circumstance where "an unauthorized employee inadvertently accesses an individual's PHR and logs off without reading, using, or disclosing anything. If the unauthorized employee read the data and/or shared it, however, he or she `acquired' the information, thus triggering the notification obligation in the rule." Another example related to a lost laptop: "If an entity's employee loses a laptop in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing, for example, that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised." Id. at 42966.
49 ? Id.
The Commission also agrees notification should not be required when harm to consumers is rendered extremely unlikely because the customer information is encrypted. Accordingly, the Final Rule does not require notification if the customer information acquired is encrypted, so long as the encryption key was not accessed by an unauthorized person. See §?314.2(m). By requiring notice relating to unauthorized acquisition only of unencrypted customer information, this change brings the Rule into accord with most State breach notification laws. If customer information was encrypted but the encryption key was also accessed without authorization, then the customer information will be considered to be unencrypted. Someone who has both the encrypted information and the encryption key can easily decrypt the information. 50
Footnotes:
50 ? See, e.g., Ala. Code 8-38-2(6)(b)(2); Alaska Stat. 45.48.090(7); Colo. Rev. Stat. 6-1-716 (2)(a.4); 815 Ill. Comp. Stat. 530/5 ("Personal Information" definition); NY Gen. Bus. Law 899-aa(b); Tex. Bus. & Com. Code 521.053(a).
In summary, the Final Rule requires notification if the financial institution discovers that unencrypted customer information has been acquired without authorization. See §?314.2(m). Unlike under the proposed rule, notification is not conditioned on the assessment of likelihood of misuse. The Commission believes that determining whether acquisition has occurred simplifies the requirement and will enable financial institutions to more speedily determine whether a notification event has occurred. In addition, the Commission believes this change will reduce the number of notifications by excluding events where encrypted information was acquired, while ensuring it receives notice of events that are more likely to result in harm. As noted earlier, the Rule also includes a rebuttable presumption stating that when there is unauthorized access to data, unauthorized acquisition will be presumed unless the entity that experienced the breach "has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information." See §?314.2(m).
Some commenters argued the notification requirement should trigger only when especially "sensitive" information is involved. 51 These commenters argue that requiring notification when any kind of customer information is involved would result in notifications when there is no risk of harm to consumers. 52 The Commission disagrees with this contention. The definition of "customer information" in the Rule does not encompass all information that a financial institution has about consumers. "Customer information" is defined as records containing "non-public personal information" about a customer. 53 "Non-public personal information" is, in turn, defined as "personally identifiable financial information," and excludes information that is publicly available or not "personally identifiable."? 54 The Commission believes security events that trigger the notification requirement-where customers' non-public personally identifiable, unencrypted financial information has been acquired without authorization-are serious and support the need for Commission notification.
Footnotes:
51 ?AFSA (Comment 12) at 2; CDIA (Comment 13) at 5-6; ETA (Comment 17) at 2; CTIA (Comment 20) at 11-12.
52 ?AFSA (Comment 12) at 2; CDIA (Comment 13) at 5-6; ETA (Comment 17) at 2; CTIA (Comment 20) at 11-12.
53 ?16 CFR 314.2(d).
54 ?16 CFR 314.2(l).
In the SNPRM, the Commission asked whether, rather than having a stand-alone reporting requirement, the Rule should require reporting only when another State or Federal statute, rule, or regulation requires a financial institution to provide notice of a security event or similar event to a governmental entity. Some commenters supported this suggestion, arguing that such a requirement would reduce duplicative notice and consumer confusion. 55 Other commenters opposed it, arguing that because of the varied nature of State notification laws, this would produce inconsistent reporting to the Commission. 56 The Commission agrees that a stand-alone requirement will help ensure the Commission receives consistent information regarding security events.
Footnotes:
55 ?CTIA (Comment 20) at 9-10; NADA (Comment 21) at 7.
56 ?Clearing House (Comment 11) at 9; ACE (Comment 18) at 7; EPIC (Comment 19) at 6-7.
Determination of Scope of Security Event
After a financial institution becomes aware of a security event, the proposed rule would have required it to determine whether at least 1,000 consumers have been affected or reasonably may be affected and, if so, to notify the Commission.
[top] A number of commenters expressed views pertaining to the minimum threshold for the number of affected customers. Some commenters agreed that notification of security events should not be required if the number of consumers that could be affected fell below the proposed threshold (1,000
Footnotes:
57 ?CDIA (Comment 13) (suggesting a requirement of notification when a security event affects at least 1,000 consumers and may cause substantial harm); American Escrow Association (Comment 16) at 2 (supporting 1,000 consumer requirement while suggesting other changes to the notice requirement); ACE (Comment 17) at 2 (stating that requiring notice when 1,000 consumers are affected would be appropriate, if notices were required only when there was a risk of substantial harm); EPIC (Comment 19) at 4 (suggesting that notice be required whenever an event involves the information of at least 1,000 consumers regardless of the likelihood of misuse).
58 ?Clearing House (Comment 11) at 4-5 (suggesting a requirement for notice for any security event involving sensitive customer information, regardless of the number of consumers potentially affected by the event).
AFSA suggested there should be a higher threshold of affected consumers before notice is required. 59 AFSA argued that the thousand consumer threshold was too low because of "the large number of financial institutions with many more customers."? 60 The Commission disagrees that the fact that some financial institutions hold the information of millions of consumers suggests a higher threshold is appropriate. The Clearing House, conversely, argues the Rule should require that the Commission receive notice whenever any consumer is affected, because otherwise consumers whose information was involved in smaller breaches would have no notice of the breach and would be "without the benefit of important notices" if financial institutions were not required to report breaches affecting fewer consumers. 61 The Commission does not agree that setting a minimum threshold of consumers affected before requiring notification would leave consumers involved in smaller breaches without notice, as consumers will typically receive direct notification under State breach notification laws, regardless of whether notice to the Commission is required. In determining the proper threshold, the Commission notes that numerous State laws require notification of breaches either with no minimum threshold, or with a threshold of 250 or 500 people. The Commission's own Health Breach Notification Rule, and the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, 62 also require notification of breaches involving 500 or more people. The Commission concludes that a lower threshold than in the proposed rule is appropriate. Accordingly, the Commission is adopting a minimum threshold of 500 consumers, rather than the minimum threshold of 1,000 consumers that was in proposed §?314.4(j). The Commission believes a security event that involves the acquisition of unencrypted customer information involving at least 500 consumers is significant enough to warrant notification of the Commission, regardless of the size of the financial institution.
Footnotes:
59 ?AFSA (Comment 12) at 2; see also Anonymous (Comment 2) (arguing that threshold should be proportional to the size of the financial information).
60 ? Id.
61 ?Clearing House (Comment 11) at 5. While the Rule requires direct notice of breaches only to the Commission, consumers affected by smaller breaches could learn of those breaches when the Commission makes the notices public. Also, the Rule does not limit State consumer notification laws that require direct notification of consumers.
62 ?45 CFR 164.400 through 164.414.
Time To Report
The proposed Rule would have required Commission notification within 30 days from discovery of the notification event. Some commenters that addressed this deadline agreed that this would provide financial institutions sufficient time to make the required determinations and to notify the Commission. 63 Other commenters argued that financial institutions should be given significantly less time to notify the Commission. 64 Other commenters argued that financial institutions should be given more time to notify the Commission. 65 The Commission believes that a 30-day deadline properly balances the need for prompt notification with the need to allow financial institutions to investigate a security event, determine whether the information was acquired without authorization and how many consumers were affected, and learn enough about the event to make the notification to the Commission meaningful. Accordingly, finalized §?314.2(j)(1) retains the 30-day deadline from the SNPRM.
Footnotes:
63 ? See, e.g., CDIA (Comment 13) at 7; ACE (Comment 18) at 8; U.S. Chamber of Commerce (Comment 22) at 4.
64 ?Anonymous (Comment 2) (suggesting a two-week deadline); Clearing House (Comment 11) at 6 (recommending a 36-hour deadline).
65 ? See SIFMA/BPI (Comment 15) at 8 (arguing that 30 days should not begin until financial information has determined that security event meets notification requirements); CTIA (Comment 20) at 14 (same).
[top] Some commenters argued that financial institutions should be permitted to delay or withhold notification of a security event to the Commission at the request of a law-enforcement agency or if notification would interfere with a law enforcement investigation. 66 Alternatively, EPIC suggested the Commission should not allow companies to delay reporting in cases of a law enforcement investigation, but should instead delay publication of the notice in cases where publication would interfere with an investigation. 67 The Commission agrees that, while notifications to the Commission should not be made public if law enforcement has requested a delay, there is no reason to delay notice to the Commission itself on that basis. This conclusion is consistent with the approach taken by the Securities and Exchange Commission and by other Federal financial regulators in rulemakings that require notice of cyber incidents to a regulator, as opposed to notice directly to consumers. 68 Accordingly, §?314.4(j)(1)(vi) of the Final Rule provides that a financial institution's notice must (1) indicate whether any law enforcement official has provided the institution with a written determination that public disclosure of the breach would impede a criminal investigation or cause damage to national security, and (2) provide a means for the Commission to contact the law enforcement official. In order that notice to the public is not delayed indefinitely, the provision also provides that a law enforcement official may request an initial delay of up to 30 days following the date when the disclosure is filed with the Commission. The delay may be extended for an additional period of up to 60 days if the law enforcement official seeks such an extension in writing. Additional delay may be permitted only if the Commission staff determines that public disclosure of a notification event continues to impede a criminal
Footnotes:
66 ? See SIFMA/BPI (Comment 15) at 10; ACE (Comment 18) at 4-5; CTIA (Comment 20) at 15; U.S. Chamber of Commerce (Comment 22) at 5.
67 ?EPIC (Comment 19) at 5-6.
68 ? See Securities and Exchange Commission, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 FR 51896, 51898 (Aug. 8, 2023) (allowing delay of required disclosure of material cybersecurity incidents if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing); Office of the Comptroller of the Currency, Federal Reserve System, Federal Deposit Insurance Corporation, Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 FR 66424 (Nov. 23, 2021) (adopting regulations that require banking organizations to notify their primary Federal Regulator of any "computer security incident" that rises to the level of a "notification incident," as soon as possible and no longer than 36 hours after the banking organization determines that a notification incident has occurred).
The proposed §?314.4(j) did not address when a security event should be treated as discovered. The Commission believes adding such a provision will clarify the rule and prevent confusion. Accordingly, under the Final Rule, a notification event shall be treated as discovered as of the first day on which such event is known. Financial institutions will be deemed to have knowledge of a notification event if the event is known to any person, other than the person committing the breach, who is the financial institution's employee, officer, or other agent. Therefore, in instances where an employee, officer, or other agent of the financial institution accesses customer information without authorization, a financial institution will be deemed to have knowledge of a notification event if the event is known to another employee, officer, or other agent of the financial institution.
Contents of Notice
The proposed Rule required that a notice be made electronically on a form on the FTC's website, 69 and that such notice must include the following information: (1) the name and contact information of the reporting financial institution; (2) a description of the types of information that were involved in the notification event; (3) if the information is possible to determine, the date or date range of the notification event; and (4) a general description of the notification event.
Footnotes:
69 ?SIFMA/BPI argued that financial institutions should be allowed to notify the Commission by phone because that "could foster confidentiality." SIFMA/BPI (Comment 15) at 7. Similarly, the U.S. Chamber of Commerce suggested that financial institutions should be allowed to notify the Commission by alternative means, such as mail, "where covered entities may lack access to the internet." U.S. Chamber of Commerce (Comment 22) at 4. The Commission believes that notification should be limited to the form on the Commission's website, as this will ensure that all notifications are received and recorded in the same way. The Commission believes that it is not likely that a financial institution that has suffered a notification event will not be able to access the internet for the entirety of the 30-day reporting window.
Several commenters supported these elements as an appropriate level of detail. 70 However, NADA was opposed to the requirement that the report include a description of the security event, 71 while EPIC suggested the Rule should require a more detailed description of the security event. 72 EPIC argued that financial institutions should also be required to provide a comprehensive description of the types of information involved in the security event and a comprehensive description of the security event, because "it is critical that financial institutions provide a sufficiently detailed account of each security event to enable the FTC and affected consumers to assess whether and how personal information is at risk."? 73 The Commission believes that, with the exception noted below, the proposed elements generally provide sufficient information to the Commission and the public without imposing undue burdens on reporting financial institutions. If the Commission determines more information is needed, it will obtain that information from the financial institution. The Commission believes, however, that knowing the number of consumers affected or potentially affected by the notification event would allow it to better evaluate the impact of a particular event. Providing this information, which financial institutions will typically determine in the course of responding to a breach, will not significantly add to the burden to financial institutions. Accordingly, the Final Rule retains the proposed elements, while adding a requirement to provide the number of consumers affected or potentially affected by the notification event. 74
Footnotes:
70 ? See AFSA (Comment 12) at 2; ACE (Comment 18) at 2; U.S. Chamber of Commerce (Comment 22) at 4.
71 ?NADA (Comment 21) at 6.
72 ?EPIC (Comment 19) at 3.
73 ? Id.
74 ?As noted above, if applicable, financial institutions would also inform the Commission whether any law enforcement official has provided a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the law enforcement official.
Publication of Notices
The SNPRM requested public comment on whether submitted reports should be made public. Several commenters argued that making the reports public would benefit consumers by helping them to make informed decisions about which financial institutions to entrust with their financial information or to determine whether they might have been affected by a security event. 75 Other commenters argued the reports should be confidential and not shared with the public. 76 Some commenters argued that making the reports public could encourage further cybersecurity attacks on affected financial institutions by making potential attackers aware of vulnerabilities that have not been remedied by the time the notice is made public. 77 NADA argued that the description of the event in particular should not be made public, suggesting the description provided no benefit to consumers and would not improve data security. 78 The Commission disagrees that making the reports public will increase risk to financial institutions' data security. As discussed above, most financial institutions are already subject to State breach notification laws, many of which require notification to a State agency that then makes the notification public. In addition, the general nature of the information required to be included in the report is unlikely to provide potential attackers any advantage in comprising the financial institution's security.
Footnotes:
75 ?Briggs (Comment 4); Clearing House (Comment 11) at 10; EPIC (Comment 19) at 5-6.
76 ?AFSA (Comment 12) at 2-3; CDIA (Comment 13) at 7; SIFMA/BPI (Comment 15) at 5-7; ACE (Comment 18) at 5-7; CTIA (Comment 20) at 15-16; NADA (Comment 21) at 5-6; U.S. Chamber of Commerce (Comment 22) at 5.
77 ?SIFMA/BPI (Comment 15) at 7; ACE (Comment 18) at 5-7; CTIA (Comment 20) at 15-16; NADA (Comment 21) at 6.
78 ?NADA (Comment 21) at 6.
Other commenters argued that publication of the notices could create undue media coverage and that the information would be too general to assist consumers in making informed decisions. 79 Similarly, CDIA argued that because State law requires direct consumer notification to those affected by the breach, making the information public to all consumers would cause "consumer confusion and angst about whether the consumer's information has been compromised."? 80 CTIA also argued that financial institutions that have suffered a security event should not be subject to the punishment of "name and shame."? 81 SIFMA and BPI suggested that making the reports public would limit the information financial institutions are willing to share in the reports in order to avoid public revelation of the details of the breach. 82
Footnotes:
79 ?AFSA (Comment 12) at 2-3; NADA (Comment 21) at 5.
80 ?CDIA (Comment 13) at 7; see also SIFMA/BPI (Comment 15) at 6 (suggesting that publication of the reports could cause confusion for consumers and investors); ACE (Comment 18) at 5-7.
81 ?CTIA (Comment 20) at 16.
82 ?SIFMA/BPI (Comment 15) at 6.
[top] As discussed above, the Commission acknowledges not all security events at financial institutions are the result of a failure to comply with the Safeguards Rule. Nevertheless, the Commission believes providing more information to consumers about these events will both benefit consumers and incentivize companies to better protect that information. The Commission is not persuaded that attention given to breaches is "undue" or otherwise inappropriate, as suggested by some commenters. Apart from providing
The SNPRM also asked for comment on whether the Commission should require financial institutions that suffer a security event to directly notify affected consumers, as well as the Commission. Some commenters were in favor of requiring consumer notification, at least when notification of the Commission was required. 83 Most commenters who addressed the issue, however, opposed such a requirement, pointing to the existing regime of State consumer notification laws and arguing that a separate FTC notification requirement would be duplicative and unduly burdensome. 84 The Commission agrees that, because all States have some form of consumer notification requirement, a direct consumer notification requirement in the Safeguards Rule would be largely duplicative of those State laws. Therefore, the Commission has not included such a requirement in the Final Rule.
Footnotes:
83 ?Clearing House (Comment 11) at 8-9; EPIC (Comment 19); see also Anonymous (Comment 14) (stating that if there is a data breach, consumers "need to know what happened to their information."
84 ? See AFSA (Comment 12) at 3; CDIA (Comment 13) at 8; SIFMA/BPI (Comment 15) at 10; CTIA (Comment 20) at 16-17; NADA (Comment 21) at 7; see also American Council on Education (Comment 18) at 8 (stating that the Commission should engage with covered financial institutions about existing notification requirements before establishing a consumer notification requirement).
Finally, the Commission is revising §?314.4(c) to correct a typographical error. As originally promulgated, that section required a financial institution to "[d]esign and implement safeguards to control the risks you identity through risk assessment. . . ." Actually, a financial institution must "[d]esign and implement safeguards to control the risks you identify through risk assessment. . . ." In the Final Rule, this error is corrected.
Section 314.5: Effective Date
The proposed rule revised §?314.5 so that the reporting requirement in §?314.4(j) would not go into effect until six months after the publication of a final rule. As proposed, finalized §?314.5 provides that §?314.4(j) will become effective on May 13, 2024.
V. Paperwork Reduction Act
The Paperwork Reduction Act ("PRA"), 44 U.S.C. 3501 et seq., requires Federal agencies to obtain Office of Management and Budget ("OMB") approval before undertaking a collection of information directed to ten or more persons. Pursuant to the regulations implementing the PRA (5 CFR 1320.8(b)(3)(vi)), an agency may not collect or sponsor the collection of information, nor may it impose an information collection requirement, unless it displays a currently valid OMB control number.
The amendment requiring financial institutions to report certain security events to the Commission discussed above constitutes a "collection of information" for purposes of the PRA. 85 As required by the PRA, the FTC submitted the proposed information collection requirement to OMB for its review at the time of the publication of the SNPRM. OMB directed the Commission to resubmit the requirement at the time the Final Rule is published. Accordingly, FTC staff has estimated the information collection burden for this requirement as set forth below.
Footnotes:
85 ?44 U.S.C. 3502(3)(A)(i).
The amendment will affect only those financial institutions that suffer a security event in which unencrypted customer information affecting at least 500 consumers is acquired without authorization. Although the SNPRM proposed a 1,000-consumer cut-off for notification, the Commission believes that the reducing the reporting threshold by 500 consumers will likely make only a small difference in the number of breaches reported. 86 Assuming that reducing the reporting threshold by 500 individuals will lead an additional 5% of financial institutions to report-a generous estimate-FTC staff estimates the reporting requirement will affect approximately 115 financial institutions each year. 87 FTC staff anticipates the burden associated with the reporting requirement will consist of the time necessary to compile the requested information and report it via the electronic form located on the Commission's website. FTC staff estimates this will require approximately five hours for affected financial institutions, for a total annual burden of approximately 575 hours (115 responses × 5 hours).
Footnotes:
86 ?According to the Identity Theft Resource Center, 108 entities in the "Banking/Credit/Financial" category suffered data breaches in 2019, which affected more than 100 million consumers. 2019 End-of-Year Data Breach Report, Identity Theft Resource Center at 2, available at https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf. On average, each breach would have involved more than 930,000 consumers, far over both the 500 and the 1,000 consumer thresholds.
87 ?According to the Identity Theft Resource Center, 108 entities in the "Banking/Credit/Financial" category suffered data breaches in 2019. 2019 End-of-Year Data Breach Report, Identity Theft Resource Center at 2, available at https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf. Although this number may exclude some entities that are covered by the Safeguards Rule but are not contained in the "Banking/Credit/Financial" category, not every security event will trigger the reporting obligations ( e.g., breaches affecting less than 500 people). Therefore, Commission staff estimated in the SNPRM that 110 institutions would have reportable events. Because of the change in the reporting threshold the Commission expects an additional 5 entities to have reporting obligations.
The Commission does not believe the reporting requirement would impose any new investigative costs on financial institutions. The information about notification events required by the reporting requirement is information the Commission believes financial institutions would acquire in the normal course of responding to a notification event. In addition, in many cases, the information requested by the reporting requirement is similar to information entities are required to disclose under various States' data breach notification laws. 88 As a result, FTC staff estimates the additional costs imposed by the reporting requirement will be limited to the administrative costs of compiling the requested information and reporting it to the Commission on an electronic form located on the Commission's website.
Footnotes:
88 ? See, e.g., Cal. Civil Code 1798.82; Tex. Bus. & Com. Code 521.053; Fla. Stat. 501.171.
[top] FTC staff derives the associated labor cost by calculating the hourly wages necessary to prepare the required reports. FTC staff anticipates that required information will be compiled by information security analysts in the course of assessing and responding to a notification event, resulting in 3 hours of labor at a mean hourly wage of $57.63 (3 hours × $57.63 = $172.89). 89 FTC staff
Footnotes:
89 ?This figure is derived from the mean hourly wage for Information security analysts. See "Occupational Employment and Wages-May 2022," Bureau of Labor Statistics, U.S. Department of Labor (April 5, 2023), Table 1 ("National employment and wage data from the Occupational Employment Statistics survey by occupation, May 2023"), available at https://www.bls.gov/news.release/pdf/ocwage.pdf.
90 ?This figure is derived from the mean hourly wage for Lawyers. See "Occupational Employment and Wages-May 2019," Bureau of Labor Statistics, U.S. Department of Labor (March 31, 2020), Table 1 ("National employment and wage data from the Occupational Employment Statistics survey by occupation, May 2019"), available at https://www.bls.gov/news.release/pdf/ocwage.pdf.
The Commission is providing an online reporting form on the Commission's website to facilitate reporting of qualifying notification events. As a result, the Commission does not anticipate covered financial institutions will incur any new capital or non-labor costs in complying with the reporting requirement.
Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invited comments on: (1) whether the disclosure requirements are necessary, including whether the information will be practically useful; (2) the accuracy of our burden estimates, including whether the methodology and assumptions used are valid; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of providing the required information to the Commission. Although the Commission received several comments that argued that the required notifications would be burdensome for businesses, none addressed the accuracy of the Commission's burden estimate. 91 Other commenters argued that the reporting requirement would create little burden. 92 For the reasons discussed above, the Commission agrees with these commenters and does not believe that reporting requirement will create a significant burden for businesses.
Footnotes:
91 ?CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA (Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at 2-3; U.S. Chamber of Commerce (Comment 22).
92 ?American Escrow Association (Comment 16) at 2; ACE (Comment 18) at 2, 7-8; EPIC (Comment 19) at 6-7.
VI. Regulatory Flexibility Act
The Regulatory Flexibility Act ("RFA")? 93 requires that the Commission provide an Initial Regulatory Flexibility Analysis ("IRFA") with a proposed rule, and a Final Regulatory Flexibility Analysis ("FRFA") with the final rule, unless the Commission certifies that the Rule will not have a significant economic impact on a substantial number of small entities. 94 As discussed in the IRFA, the Commission does not believe this amendment to the Safeguards Rule has the threshold impact on small entities. The reporting requirement will apply to financial institutions that, in most cases, already have an obligation to disclose similar information under certain Federal and State laws and regulations and will not require additional investigation or preparation.
Footnotes:
93 ?5 U.S.C. 601-612.
94 ?5 U.S.C. 603-605.
In this document, the Commission adopts the amendments proposed in its SNPRM with only minimal modifications. In its IRFA, the Commission determined that the proposed rule would not have a significant impact on small entities because of the minimal information being requested. Although the Commission certifies under the RFA that the rule will not have a significant impact on a substantial number of small entities, and hereby provides notice of that certification to the Small Business Administration, the Commission nonetheless has determined that publishing a FRFA is appropriate to ensure that the impact of the rule is fully addressed. Therefore, the Commission has prepared the following analysis:
1. Need for and Objectives of the Final Rule
The need for and the objective of the Final Rule is to ensure the Commission is aware of notification events that could suggest a financial institution's security program does not comply with the Rule's requirements, thus facilitating Commission enforcement of the Rule. To the extent the reported information is made public, the information will also assist consumers by providing information as to notification events experienced by various financial institutions.
2. Significant Issues Raised in Public Comments in Response to the IRFA
Although the Commission received several comments that argued that the required notifications would be burdensome for businesses, 95 none argued specifically that smaller businesses in particular would be subject to special burden. Other commenters argued that the reporting requirement would create little burden. 96 One commenter specifically argued that the requirement would not create significant burden for small businesses. 97 As discussed above, the Commission does not anticipate that covered financial institutions will incur any new capital or non-labor costs in complying with the reporting requirement. Additionally, the average annual labor costs per covered financial institution are de minimis because most entities, including small entities, will only infrequently be required to file a report. Thus, the Commission does not believe that the reporting requirement will create a significant burden for financial institutions in general, including small businesses.
Footnotes:
95 ?CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA (Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at 2-3; U.S. Chamber of Commerce (Comment 22).
96 ?American Escrow Association (Comment 16) at 2; ACE (Comment 18) at 2, 7-8; EPIC (Comment 19) at 6-7.
97 ?American Escrow Association (Comment 16) at 2 (stating that the reporting requirement "does not appear to be onerous as a reporting matter and we also agree with the FTC's conclusion that there would not be a significant impact on small business").
The Commission did not receive any comments filed by the Chief Counsel for Advocacy of the Small Business Administration ("SBA").
3. Description and an Estimate of the Number of Small Entities to Which the Final Rule Will Apply, or Explanation Why No Estimate Is Available
[top] As explained in the IRFA, determining a precise estimate of the number of small entities? 98 that would
Footnotes:
98 ?The U.S. Small Business Administration Table of Small Business Size Standards Matched to North American Industry Classification System Codes ("NAICS") are generally expressed in either millions of dollars or number of employees. A size standard is the largest that a business can be and still qualify as a small business for Federal Government programs. For the most part, size standards are the annual receipts or the average employment of a firm. Depending on the nature of the financial services an institution provides, the size standard varies. By way of example, mortgage and nonmortgage loan brokers (NAICS code 522310) are classified as small if their annual receipts are $15 million or less. Consumer lending institutions (NAICS code 52291) are classified as small if their annual receipts are $47 million or less. Commercial banking and savings institutions (NAICS codes 522110 and 522120) are classified as small if their assets are $850 million or less. Assets are determined by averaging the assets reported on businesses' four quarterly financial statements for the preceding year. The 2023 Table of Small Business Size Standards is available at https://www.sba.gov/document/support--table-size-standards.
99 ? See, e.g., 2023 Verizon Data Breach Investigations Report at 65, available at https://www.verizon.com/business/resources/reports/dbir/ (reporting cybersecurity incidents and confirmed data disclosures for companies with fewer than or more than 1000 employees).
4. Projected Reporting, Recordkeeping, and Other Compliance Requirements
The notification requirement imposes reporting requirements. As outlined above, the amendment will affect only those financial institutions that suffer a notification event in which unencrypted customer information affecting at least 500 consumers is acquired without authorization. If such an event occurs, the affected financial institution may expend costs to provide the Commission with the information required by the reporting requirement. As noted in the PRA analysis above, the total estimated annual cost burden for all entities subject to the reporting requirement will be approximately $37,950.
5. Description of Steps Taken To Minimize Significant Economic Impact, If Any, on Small Entities, Including Alternatives
The Commission did not propose any specific small entity exemption or other significant alternatives because the burden imposed upon small businesses is minimal. In drafting the reporting requirement, the Commission has made every effort to avoid unduly burdensome requirements for entities. The reporting requirement only mandates that affected financial institutions provide the Commission with information necessary to assist it in its regulatory and enforcement efforts. The rule minimizes burden on all covered financial institutions, including small businesses, by providing for reporting through an online form on the Commission's website. In addition, the rule requires that only notification events involving at least 500 consumers must be reported, which will reduce potential burden on small businesses that retain information on fewer consumers. Therefore, the Commission does not believe that any alternatives for small entities are required or appropriate.
VII. Other Matters
Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq. ), the Office of Information and Regulatory Affairs designated this rule as not a "major rule," as defined by 5 U.S.C. 804(2).
List of Subjects in 16 CFR Part 314
Consumer protection, Computer technology, Credit, Privacy, Trade practices.
For the reasons stated above, the Federal Trade Commission amends 16 CFR part 314 as follows:
PART 314-STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
1. The authority citation for part 314 continues to read as follows:
Authority:
15 U.S.C. 6801(b), 6805(b)(2).
2. In §?314.2:
a. Redesignate paragraphs (m) through (r) as paragraphs (n) through (s), respectively; and
b. Add a new paragraph (m). The addition reads as follows:
§?314.2 Definitions.
(m) Notification event means acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.
3. In §?314.4, revise the introductory text of paragraph (c) and add paragraph (j) to read as follows:
§?314.4 Elements.
(c) Design and implement safeguards to control the risks you identify through risk assessment, including by:
(j) Notify the Federal Trade Commission about notification events in accordance with paragraphs (j)(1) and (2) of this section.
(1) Notification requirement. Upon discovery of a notification event as described in paragraph (j)(2) of this section, if the notification event involves the information of at least 500 consumers, you must notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovery of the event. The notice shall be made electronically on a form to be located on the FTC's website, https://www.ftc.gov. The notice shall include the following:
(i) The name and contact information of the reporting financial institution;
(ii) A description of the types of information that were involved in the notification event;
(iii) If the information is possible to determine, the date or date range of the notification event;
(iv) The number of consumers affected or potentially affected by the notification event;
(v) A general description of the notification event; and
(vi) Whether any law enforcement official has provided you with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official. A law enforcement official may request an initial delay of up to 30 days following the date when notice was provided to the Federal Trade Commission. The delay may be extended for an additional period of up to 60 days if the law enforcement official seeks such an extension in writing. Additional delay may be permitted only if the Commission staff determines that public disclosure of a security event continues to impede a criminal investigation or cause damage to national security.
[top] (2) Notification event treated as discovered. A notification event shall be treated as discovered as of the first day on which such event is known to you. You shall be deemed to have knowledge
4. Revise §?314.5 to read as follows:
§?314.5 Effective date.
Section 314.4(j) is effective as of May 13, 2024.
By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2023-24412 Filed 11-9-23; 8:45 am]
BILLING CODE 6750-01-P