[Federal Register Volume 88, Number 217 (Monday, November 13, 2023)]
[Rules and Regulations]
[Pages 77499-77509]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-24412]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084-AB35


Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is 
issuing a final rule (``Final Rule'') to amend the Standards for 
Safeguarding Customer Information (``Safeguards Rule'' or ``Rule'') to 
require financial institutions to report to the Commission any 
notification event where unencrypted customer information involving 500 
or more consumers is acquired without authorization.

DATES: The amendments are effective May 13, 2024.

FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773), 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Background

    Congress enacted the Gramm Leach Bliley Act (``GLBA'') in 1999.\1\ 
The GLBA provides a framework for regulating the privacy and data 
security practices of a broad range of financial institutions. Among 
other things, the GLBA requires financial institutions to provide 
customers with information about the institutions' privacy practices 
and about their opt-out rights, and to implement security safeguards 
for customer information.
---------------------------------------------------------------------------

    \1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------

    Subtitle A of Title V of the GLBA required the Commission and other 
Federal agencies to establish standards for financial institutions 
relating to administrative, technical, and physical safeguards for 
certain information.\2\ Pursuant to the GLBA's directive, the 
Commission promulgated the Safeguards Rule in 2002.\3\ The Safeguards 
Rule became effective on May 23, 2003.\4\
---------------------------------------------------------------------------

    \2\ See 15 U.S.C. 6801(b), 6805(b)(2).
    \3\ 67 FR 36483 (May 23, 2002).
    \4\ Id.
---------------------------------------------------------------------------

II. Regulatory Review of the Safeguards Rule

    On April 4, 2019, the Commission issued a notice of proposed 
rulemaking (``NPRM'') setting forth proposed amendments to the 
Safeguards Rule.\5\ In response, the Commission received 49 comments 
from various interested parties including industry groups, consumer 
groups, and individual consumers.\6\ On July 13, 2020, the Commission 
held a workshop concerning the proposed changes and conducted panels 
with information security experts discussing subjects related to the 
proposed amendments.\7\ The Commission received 11 comments following 
the workshop. After reviewing the initial comments to the NPRM, 
conducting the workshop, and then reviewing the comments received 
following the workshop, the Commission issued final amendments to the 
Safeguards Rule on December 9, 2021.\8\
---------------------------------------------------------------------------

    \5\ 84 FR 13158 (Apr. 4, 2019).
    \6\ The 49 relevant public comments received on or after March 
15, 2019, can be found at Regulations.gov. See FTC Seeks Comment on 
Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 
314, Project No. P145407, https://www.regulations.gov/docket/FTC-2019-0019/comments. The 11 relevant public comments relating to the 
subject matter of the July 13, 2020, workshop can be found at: 
https://www.regulations.gov/document/FTC-2020-0038-0001/comment. 
This notice cites comments using the last name of the individual 
submitter or the name of the organization, followed by the number 
based on the last two digits of the comment ID number.
    \7\ See FTC, Information Security and Financial Institutions: 
FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf.
    \8\ 86 FR 70272 (Dec. 9. 2021).
---------------------------------------------------------------------------

    In the NPRM, the Commission explained that its proposed amendments 
to the Safeguards Rule were based primarily on the cybersecurity 
regulations issued by the New York Department of Financial Services, 23 
NYCRR 500 (``Cybersecurity Regulations'').\9\ The Commission also noted 
that the Cybersecurity Regulations require covered entities to report 
security events to the superintendent of the Department of Financial 
Services.\10\ Relatedly, for many years, some other Federal agencies 
enforcing the GLBA have required financial institutions to provide 
notice to the regulator, and in some instances notice to consumers as 
well.\11\ Although the Commission did not include a similar reporting 
requirement in the NPRM, it did seek comment on whether the Safeguards 
Rule should be amended to require that financial institutions report 
security events to the Commission. Specifically, the Commission 
requested comments on whether such a requirement should be added and, 
if so, (1) the appropriate deadline for reporting security events after 
discovery, (2) whether all security events should require notification 
or whether notification should be required only under certain 
circumstances, such as a determination of a likelihood of harm to 
customers or that the event

[[Page 77500]]

affects a certain number of customers, (3) whether such reports should 
be made public, (4) whether events involving encrypted information 
should be included in the requirement, and (5) whether the requirement 
should allow law enforcement agencies to prevent or delay notification 
if notification would affect law-enforcement investigations.\12\
---------------------------------------------------------------------------

    \9\ 84 FR 13158, 13163 (Apr. 4, 2019).
    \10\ Id. at 13169.
    \11\ See Interagency Guidance on Response Programs for 
Unauthorized Access to Customer Information and Customer Notice, 70 
FR 15736, 15752 (Mar. 29, 2005) (originally issued by the Office of 
the Comptroller of the Currency; the Board of Governors of the 
Federal Reserve System; the Federal Deposit Insurance Corporation; 
and the Office of Thrift Supervision) (``At a minimum, an 
institution's response program should contain procedures for the 
following: . . . Notifying its primary Federal regulator as soon as 
possible when the institution becomes aware of an incident involving 
unauthorized access to or use of sensitive customer information, as 
defined below; . . . [and notifying] customers when warranted''), 
https://www.occ.treas.gov/news-issuances/federal-register/2005/70fr15736.pdf (emphasis in original).
    \12\ Id.
---------------------------------------------------------------------------

    The final rule, which the Commission published in the Federal 
Register on December 9, 2021, did not include a reporting 
requirement.\13\ However, on the same date, the Commission published a 
supplemental notice of proposed rulemaking (``SNPRM'') in the Federal 
Register, which proposed further amending the Safeguards Rule to 
require financial institutions to report to the Commission certain 
security events as soon as possible, and no later than 30 days after 
discovery of the event.\14\ Specifically, the Commission proposed to 
require financial institutions to notify the Commission electronically 
through a form located on the FTC's website about any security event 
that resulted or is reasonably likely to result in the misuse of 
customer information affecting at least 1,000 consumers. The Commission 
proposed that the notification include a limited set of information, 
consisting of (1) the name and contact information of the reporting 
financial institution, (2) a description of the types of information 
involved in the security event, (3) the date or the date range of the 
security event, if it can be determined, and (4) a general description 
of the security event. In response to the SNPRM, the Commission 
received 14 comments from various interested parties, including 
industry groups, consumer groups, and individual consumers.\15\
---------------------------------------------------------------------------

    \13\ 86 FR 70272 (Dec. 9. 2021).
    \14\ See 86 FR 70062, 70067 (Dec. 9, 2021).
    \15\ The 14 relevant public comments received can be found at 
Regulations.gov. See FTC Seeks Comment on Proposed Amendments to 
Safeguards and Privacy Rules, 16 CFR part 314, Project No. P145407, 
https://www.regulations.gov/docket/FTC-2021-0071/comments.
---------------------------------------------------------------------------

    After reviewing the comments, the Commission now finalizes the 
proposed amendments with minor changes.

III. Overview of Final Rule

    The Final Rule requires financial institutions to report 
notification events, defined as the unauthorized acquisition of 
unencrypted customer information, involving at least 500 customers to 
the Commission. The notice to the Commission must include: (1) the name 
and contact information of the reporting financial institution; (2) a 
description of the types of information that were involved in the 
notification event; (3) if the information is possible to determine, 
the date or date range of the notification event; (4) the number of 
consumers affected; (5) a general description of the notification 
event; and, if applicable, whether any law enforcement official has 
provided the financial institution with a written determination that 
notifying the public of the breach would impede a criminal 
investigation or cause damage to national security, and a means for the 
Federal Trade Commission to contact the law enforcement official. The 
notice must be provided electronically through a form located on the 
FTC's website, https://www.ftc.gov.

IV. Detailed Analysis

    The following section discusses the comments that the Commission 
received in response to the SNPRM.

General Comments

    Several commenters generally supported the inclusion of a 
notification requirement in the Rule.\16\ Some of these commenters 
pointed to frequent data breaches as an indication that companies' data 
security practices are inadequate and stated that requiring companies 
to provide notice to the Commission would enable the Commission to more 
easily enforce the Rule.\17\ The Clearing House argued that the 
requirement is appropriate because it would place financial 
institutions covered by the Rule in the same position as banks, which 
are required to report data breaches to their prudential 
regulators.\18\ The Electronic Privacy Information Center (``EPIC'') 
suggested that the amendment would incentivize ``use of strong data 
security measures by financial institutions, bring additional 
accountability and transparency to the handling of security events, and 
enhance the data security and privacy of all consumers.'' \19\
---------------------------------------------------------------------------

    \16\ See Anonymous (Comment 2); Briggs (Comment 4); Clearing 
House Association L.L.C. (``Clearing House'') (Comment 11); 
Anonymous (Comment 14); Securities Industry and Financial Markets 
Association (``SIFMA'') and Bank Policy Institute (``BPI'') 
(``SIFMA/BPI'') (Comment 15) (supporting notification requirement 
for financial institutions that are not regulated by non-FTC 
financial agencies); American Council on Education (Comment 18) 
(supporting proposed notice requirement with revisions); Electronic 
Privacy Information Center (``EPIC'') (Comment 19).
    \17\ See, e.g., Anonymous (Comment 2); Briggs (Comment 4); The 
Clearing House (Comment 11) at 2 (describing breaches in the fintech 
industry).
    \18\ Clearing House (Comment 11) at 1-2.
    \19\ EPIC (Comment 19) at 2.
---------------------------------------------------------------------------

    Other commenters opposed the proposal.\20\ Many of these commenters 
argued that the proposed notification requirement would be duplicative 
of State breach notification laws and is, therefore, unnecessary.\21\ 
The Commission, however, disagrees that requiring financial 
institutions to provide notice to the Commission is redundant because 
of State breach notification laws. State breach notification laws 
provide notice to consumers and in some cases also to State regulators, 
while the notice requirement of the Final Rule requires notice to the 
Commission and is designed to ensure that the Commission receives 
notice of security breaches affecting financial institutions under the 
Commission's jurisdiction. Notice to consumers or to State regulators 
does not achieve this purpose. Receipt of these notices will enable the 
Commission to monitor for emerging data security threats affecting 
financial institutions and to facilitate prompt investigative response 
to major security breaches. CTIA argued that the Commission could 
achieve this goal by accessing and reviewing regulated entities' 
reports to consumers and State authorities under State notification 
laws.\22\ The Commission disagrees that this indirect method would be 
as efficient or effective as requiring regulated financial institutions 
to directly notify the Commission.\23\ Such an approach would be 
extremely burdensome on the Commission and would require the diversion 
of resources from enforcement to search for and collect information 
about breaches involving regulated financial institutions. Also, as 
some of the commenters noted,\24\ State laws vary in what types of 
incidents must be

[[Page 77501]]

reported and to whom.\25\ The Safeguards Rule notice requirement will 
establish a uniform reporting requirement for all regulated financial 
institutions, assisting the Commission in getting consistent 
information about notification events affecting those financial 
institutions regardless of which State's consumers are affected. This 
benefit is not offset by the cost to financial institutions because the 
burden on individual financial institutions is minimal, as the Final 
Rule does not require an extensive report and, in many instances, 
financial institutions will already be preparing notices to consumers 
and State agencies.
---------------------------------------------------------------------------

    \20\ See American Financial Services Association (``AFSA'') 
(Comment 12); Consumer Data Industry Association (``CDIA'') (Comment 
13); American Escrow Association (Comment 16); CTIA (Comment 20); 
National Automobile Dealers Association (``NADA'') (Comment 21); 
U.S. Chamber of Commerce (Comment 22).
    \21\ See, e.g., AFSA (Comment 12) at 3; CDIA (Comment 13) at 2-
3; CTIA (Comment 20) at 2-4; NADA (Comment 21) at 2-3; U.S. Chamber 
of Commerce (Comment 22) at 3.
    \22\ CTIA (Comment 20) at 6-7.
    \23\ While some States that require notification to a State 
agency make companies' breach notifications public, see, e.g., N.H. 
Dep't of Just., Off. of Attorney Gen., Security Breach 
Notifications, https://www.doj.nh.gov/consumer/security-breaches/, 
other States do not make notifications public, and as noted above, 
not all States require notice to a State government agency. Some 
non-governmental sources report breach notifications, but there is 
no guarantee that such sources are comprehensive as they depend in 
part on reporting by consumers who received a breach notification 
letter. Thus, the Commission could not obtain comprehensive data 
relating to breaches at regulated financial institutions by 
compiling reports of breaches from other sources.
    \24\ See, e.g., Clearing House (Comment 11) at 8; CDIA (Comment 
13) at 3; CTIA (Comment 20) at 4.
    \25\ See, e.g., Tex. Bus. & Com. Code 521.053(i) (requiring 
companies to notify Texas Attorney General if a breach affects at 
least 250 Texas residents); Va. Code Ann. 18.2-186.6(E) (requiring 
companies to notify Virginia Attorney General if a breach affects at 
least 1,000 Virginia residents); Fla. Stat. 501.171(3) (requiring 
businesses to notify the Florida Department of Legal Affairs if a 
breach affects at least 500 individuals in Florida).
---------------------------------------------------------------------------

    Some commenters argued that the notification requirement would not 
improve financial institutions' data security.\26\ Other commenters 
disagreed with this assertion, arguing that the notification 
requirement would further incentivize financial institutions to protect 
customer information.\27\ The Commission agrees with these commenters 
that the notification requirement will increase the efficiency and 
effectiveness of the Commission's enforcement of the Rule. As noted 
above, while State breach notification laws require notice to 
consumers, some States do not require that such notices be provided to 
State regulators as well, and not all State regulators that do receive 
such notices publish them. By requiring financial institutions to 
provide notice directly to the Commission, the Commission will not have 
to devote resources to continually search for breach notifications 
posted by other sources in order to know that a financial institution 
has experienced a breach. Without a notification, the Commission would 
have no guarantee that it has found all breaches in its searches. The 
required notices will enable the Commission to identify breaches that 
merit investigation more quickly and efficiently. Also, receiving 
notice of breaches will allow the Commission to develop better 
awareness of emerging risks to financial institutions' security. The 
Commission expects that these benefits will enable more efficient 
enforcement of the Rule, which will in turn increase financial 
institutions' incentive to comply. In addition, as discussed below, 
making the notices public will enable consumers to make more informed 
decisions about which financial institutions they choose to entrust 
with their information, providing financial institutions with an 
additional incentive to comply with the Rule.
---------------------------------------------------------------------------

    \26\ See, e.g., AFSA (Comment 12) at 1; CDIA (Comment 13) at 2-
3; American Escrow Association (Comment 16) at 2; CTIA (Comment 20) 
at 3-6; NADA (Comment 21) at 2-3; U.S. Chamber of Commerce (Comment 
22) at 2-3.
    \27\ See EPIC (Comment 19) at 2, see also Anonymous (Comment 2); 
Briggs (Comment 4).
---------------------------------------------------------------------------

    The National Automobile Dealers Association (``NADA'') argued that 
a requirement for financial institutions to report events in order to 
facilitate enforcement against them is ``unprecedented'' \28\ and 
``raises serious questions,'' including ``potential First Amendment and 
potentially even Fifth Amendment concerns.'' \29\ The Commission 
disagrees. Far from being unique, the requirement to report security 
events to law enforcement agencies that might result in enforcement 
actions against the notifying company is common. Many Federal agencies 
\30\ require regulated entities to report data breaches to them, and 
most States require that companies report breaches to State attorneys 
general or other State law enforcement and have done so for years.\31\
---------------------------------------------------------------------------

    \28\ NADA argues that banking regulations are not relevant 
examples because they are designed ``to protect depositors and to 
ensure the public interest in the safety and soundness of banks,'' 
rather than to facilitate enforcement. NADA (Comment 21) at 4-5, 
n.8. The banking regulations, however, are also designed to 
facilitate enforcement. In addition, the Safeguards Rule is also 
designed to protect customers of financial institutions and ensure 
the public interest in the safety of consumer's financial 
information.
    \29\ NADA (Comment 21) at 4-5, n. 9.
    \30\ See, e.g., Interagency Guidance on Response Programs for 
Unauthorized Access to Customer Information and Customer Notice, 70 
FR 15736, 15752 (Mar. 29, 2005) (originally issued by the Office of 
the Comptroller of the Currency, the Board of Governors of the 
Federal Reserve System, the Federal Deposit Insurance Corporation, 
and the Office of Thrift Supervision); 45 CFR 164.408 (requiring 
covered entities to report breaches affecting 500 or more 
individuals to the Secretary of Health and Human Services); 12 CFR 
53.3 (requiring banking organizations to report security events to 
the Office of the Comptroller of the Currency); 12 CFR 225.302 
(requiring Board-supervised banking organization to report certain 
breaches to the Board); 12 CFR 304.23 (requiring certain bank 
organizations to report breaches to the FDIC); see also 87 FR 16590 
(Mar. 23, 2022) (proposed rule requiring companies to report 
security incidents to the SEC).
    \31\ See, e.g., Tex. Bus. & Com. Code 521.053(i) (requiring 
companies to notify Texas Attorney General if a breach affects at 
least 250 Texas residents); Va. Code Ann. 18.2-186.6(E) (requiring 
companies to notify Virginia Attorney General if a breach affects at 
least 1,000 Virginia residents); Fla. Stat. 501.171(3) (requiring 
businesses to notify the Florida Department of Legal Affairs if a 
breach affects at least 500 individuals in Florida).
---------------------------------------------------------------------------

    NADA also argued that requiring reporting security events to assist 
the Commission to enforce the Safeguards Rule is inappropriate because 
not every breach is the result of a failure to comply with the 
Safeguards Rule.\32\ NADA suggested that the reporting requirement 
should only ``apply after a series of security events,'' because only 
multiple events can be ``suggestive of compliance failures,'' while any 
single breach ``certainly . . . is not.'' \33\ While the Commission 
acknowledges that not every notification event is necessarily the 
result of a failure to comply with the Safeguards Rule, it disagrees 
that a single breach cannot be ``suggestive of compliance failures.'' 
\34\ Indeed, the fact that an institution has not experienced a breach 
does not necessarily mean that the institution is in compliance with 
the Rule's requirements. The Commission believes that taking action to 
correct a potential Safeguards Rule violation before additional 
security events can harm consumers is appropriate and desirable. The 
American Financial Services Association (``AFSA'') contended that ``the 
FTC should clarify what factors in a report could lead to enforcement 
concerns,'' arguing that otherwise ``institutions may seek to minimize 
all risks associated with a report.'' \35\ The Commission does not 
believe that providing a guide to when a report could possibly lead to 
enforcement is either possible or desirable because the reports are 
unlikely to contain all of the information that the Commission would 
need to determine that law enforcement is appropriate or necessary. 
Such determinations are typically made following investigations that 
afford entities the opportunity to provide context and information.
---------------------------------------------------------------------------

    \32\ NADA (Comment 21) at 3-5.
    \33\ NADA (Comment 21) at 4.
    \34\ See, e.g., FTC v. Equifax, 1:19-cv-03297-TWT (N.D. Ga., 
July 22, 2019), available at https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc.
    \35\ AFSA (Comment 12) at 1.
---------------------------------------------------------------------------

    In addition, the Commission notes that requiring a financial 
institution to report an event is not suggesting that every 
notification event is the result of a violation of the Rule and will 
result in an enforcement action or even investigation. Rather, the 
reporting requirement will provide the Commission with valuable 
information about security threats to financial institutions and assist 
in the determination of whether any individual event should be 
investigated further. This will improve the Commission's ability to 
respond to data breaches and may enable the Commission to issue 
business and

[[Page 77502]]

consumer education about emerging threats.
    Other commenters argued that the reporting requirement would be 
unduly burdensome.\36\ Some of these commenters suggested that because 
the Rule's requirement may differ from State notification laws' 
requirements, complying with the Rule will be burdensome.\37\ Other 
commenters disagreed, noting that the information required is limited 
to basic information about the company and the notification event.\38\ 
The Commission agrees with these commenters. The information required 
to be reported is minimal and is very similar to the information 
required by many State notification laws.\39\ The company will have 
this information as the result of even a basic investigation of the 
security event, an investigation that would be required in any event to 
comply with the Rule and basic security practices. The fact that some 
State laws may be triggered under different circumstances and may 
require different information does not render this simple report 
burdensome.
---------------------------------------------------------------------------

    \36\ CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA 
(Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at 
2-3; U.S. Chamber of Commerce (Comment 22).
    \37\ CDIA (Comment 13) at 2-3; CTIA (Comment 20) at 6; NADA 
(Comment 21) at 2-3.
    \38\ American Escrow Association (Comment 16) at 2; ACE (Comment 
18) at 2, 7-8; EPIC (Comment 19) at 6-7.
    \39\ See, e.g., Ala. Code 8-38-5(d); Ariz. Rev. Stat. 18-552(E); 
Cal. Civ. Code 1798.82(d); Fla. Stat. 501.171(3)(b); Mich. Comp. 
Laws 445.72(6); Mo. Rev. Stat. 407.1500(2)(4); N.H. Rev. Stat. Ann. 
359-C:20(IV); N.Y. U.C.C. Law 899-AA(7); and Or. Rev. Stat. 
646A.604(5).
---------------------------------------------------------------------------

    In addition to addressing the proposed amendment in general, 
commenters also addressed specific elements of the proposed amendments. 
These comments are addressed in the following detailed discussion.

Triggering Event

    The Commission adopts proposed Sec.  314.4(j) as originally 
proposed, with minor changes. Proposed paragraph (j) would have 
required financial institutions that become aware of a security event 
to promptly determine the likelihood that customer information has been 
or will be misused. Under the provision as originally proposed, 
financial institutions would have been required to make a report to the 
Commission upon determining that, among other conditions, ``misuse of 
customer information ha[d] occurred or . . . [was] reasonably likely 
[to occur].'' However, upon consideration of the comments, Commission 
is clarifying the triggering language by adding a new paragraph (m) in 
Sec.  314.2, which defines the term ``notification event'' as the 
``acquisition of . . . [unencrypted customer] information without the 
authorization of the individual to which the information pertains.'' 
Section 314.2(m) further clarifies that: (1) ``[c]ustomer information 
is considered unencrypted . . . if the encryption key was accessed by 
an unauthorized person;'' and (2) ``[u]nauthorized acquisition will be 
presumed to include unauthorized access to unencrypted customer 
information unless you have reliable evidence showing that there has 
not been, or could not reasonably have been, unauthorized acquisition 
of such information.''
    Several commenters addressed whether becoming aware of a security 
event is an appropriate trigger for the notification process. In a 
joint comment, the Securities Industry and Financial Markets 
Association (``SIFMA'') and the Bank Policy Institute (``BPI'') argued 
that the notification process should not begin when a financial 
institution becomes aware of an event, but instead begin when the 
financial institution ``determines'' a security event has occurred. 
SIFMA and BPI suggested that ``determination'' takes place sometime 
after ``discovery,'' and that financial institutions should have 30 
days to notify the Commission after making this determination rather 
than after discovery. SIFMA and BPI argued that ``determination'' 
``connotes a higher standard of certainty than `discovery,' '' and 
would include determining whether any further requirements for notice, 
such as number of consumers affected, had been met. The Commission 
disagrees that 30 days after discovery of a notification event is 
insufficient time to determine whether the event meets the requirements 
for notification and to prepare the notice. The Commission expects that 
companies will be able to decide quickly whether a notification event 
has occurred by determining whether unencrypted customer information 
has been acquired and, if so, how many consumers are affected, so there 
will not be a significant difference between ``determination'' and 
``discovery.'' \40\ In addition, the notification to the Commission 
requires minimal details and will not take significant time to prepare 
and, as discussed above, many States require reports containing similar 
information, so the financial institutions will need to prepare such a 
report in any event.
---------------------------------------------------------------------------

    \40\ As discussed below, the Final Rule no longer requires the 
financial institution to determine whether misuse had occurred or 
was likely.
---------------------------------------------------------------------------

    Other commenters argued the term ``security event'' is too broad a 
term to act as a trigger for the notification process, stating that the 
term encompasses types of incidents that pose little risk of consumer 
harm and for which notification is unnecessary.\41\ Some commenters 
felt notification should be required only when harm to consumers has 
occurred or is likely to occur, rather than when ``misuse'' has 
occurred or is reasonably likely.\42\ Some commenters argued a trigger 
that requires consumer harm would be more in accord with State 
notification laws.\43\ Similarly, several commenters argued the 
notification requirement should exclude security events that involve 
only encrypted customer information, because there is little chance of 
consumer harm in such cases.\44\ Others argued requiring financial 
institutions to report breaches that do not involve possible harm to 
consumers would be unduly burdensome on financial institutions and 
would produce an overwhelming number of reports to the Commission.\45\ 
Conversely, EPIC argued notice should be required for all security 
events regardless of whether misuse had occurred or was likely.\46\ 
EPIC argued that removing the analysis of whether misuse was likely 
would lower the burden of determining whether a report should be made 
and would prevent attempts by financial institutions to avoid reporting 
to the Commission.\47\
---------------------------------------------------------------------------

    \41\ See, e.g., SIFMA/BPI (Comment 15) at 8-9; CTIA (Comment 20) 
at 11-12; NADA (Comment 21) at 2-3.
    \42\ See CDIA (Comment 13) at 4-5; SIFMA/BPI (Comment 15) at 9-
10; American Escrow Association (Comment 16) at 2-3; ETA (Comment 
17) at 2; CTIA (Comment 20) at 11-14.
    \43\ See, e.g., CDIA (Comment 13) at 4-5.
    \44\ AFSA (Comment 12) at 2; CDIA (Comment 13) at 6; SIFMA/BPI 
(Comment 15) at 9; ACE (Comment 18); CTIA (Comment 20) at 12; NADA 
(Comment 21) at 3; U.S. Chamber of Commerce (Comment 22) at 4.
    \45\ SIFMA/BPI (Comment 15) at 9; ETA (Comment 17) at 2; CTIA 
(Comment 20) at 11.
    \46\ EPIC (Comment 19) at 4.
    \47\ Id.
---------------------------------------------------------------------------

    The Commission agrees with EPIC that the trigger for notification 
requires clarification. The meaning of the term ``misuse'' in the 
proposed rule was ambiguous. It was not clear if acquisition of 
customer information alone constituted misuse, or if other forms of 
misuse, such as alteration of data, would fall within the notification 
requirement. Given this ambiguity, financial institutions would have 
had difficulty evaluating the likelihood of misuse of customer 
information that has been acquired without authorization. At the same 
time, the ambiguity could have

[[Page 77503]]

been used as an opportunity to circumvent the reporting requirement. 
Specifically, because the proposed rule required the financial 
institution to assess the likelihood of misuse, it would have allowed 
financial institutions to underestimate the likelihood of misuse, and, 
thereby, the need to report the security event.
    Accordingly, the Final Rule requires notification where customer 
information has been acquired, rather than when misuse is considered 
likely. Specifically, the Commission is adding a new Sec.  314.2(m) 
that defines the term ``[n]otification event'' to mean the acquisition 
of unencrypted customer information without the authorization of the 
individual to which the information pertains. Section 314.2(m) also 
provides that unauthorized access of information will be presumed to 
result in unauthorized acquisition unless the financial institution can 
show that there has not been, or could not reasonably have been, 
unauthorized acquisition of such information. This rebuttable 
presumption is consistent with the Health Breach Notification Rule. See 
16 CFR 318.2(a) (``Unauthorized acquisition will be presumed to include 
unauthorized access to unsecured PHR [personal health record] 
identifiable health information unless the vendor of personal health 
records, PHR related entity, or third party service provider that 
experienced the breach has reliable evidence showing that there has not 
been, or could not reasonably have been, unauthorized acquisition of 
such information.'').\48\ Here, too, the presumption is ``intended to 
address the difficulty of determining whether access to data (i.e., the 
opportunity to view the data) did or did not lead to acquisition (i.e., 
the actual viewing or reading of the data).'' \49\
---------------------------------------------------------------------------

    \48\ See also 74 FR 42962, 42966 (Aug. 25, 2009). Examples of 
this rebuttable presumption cited in that rulemaking, and equally 
relevant here, included a circumstance where ``an unauthorized 
employee inadvertently accesses an individual's PHR and logs off 
without reading, using, or disclosing anything. If the unauthorized 
employee read the data and/or shared it, however, he or she 
`acquired' the information, thus triggering the notification 
obligation in the rule.'' Another example related to a lost laptop: 
``If an entity's employee loses a laptop in a public place, the 
information would be accessible to unauthorized persons, giving rise 
to a presumption that unauthorized acquisition has occurred. The 
entity can rebut this presumption by showing, for example, that the 
laptop was recovered, and that forensic analysis revealed that files 
were never opened, altered, transferred, or otherwise compromised.'' 
Id. at 42966.
    \49\ Id.
---------------------------------------------------------------------------

    The Commission also agrees notification should not be required when 
harm to consumers is rendered extremely unlikely because the customer 
information is encrypted. Accordingly, the Final Rule does not require 
notification if the customer information acquired is encrypted, so long 
as the encryption key was not accessed by an unauthorized person. See 
Sec.  314.2(m). By requiring notice relating to unauthorized 
acquisition only of unencrypted customer information, this change 
brings the Rule into accord with most State breach notification laws. 
If customer information was encrypted but the encryption key was also 
accessed without authorization, then the customer information will be 
considered to be unencrypted. Someone who has both the encrypted 
information and the encryption key can easily decrypt the 
information.\50\
---------------------------------------------------------------------------

    \50\ See, e.g., Ala. Code 8-38-2(6)(b)(2); Alaska Stat. 
45.48.090(7); Colo. Rev. Stat. 6-1-716 (2)(a.4); 815 Ill. Comp. 
Stat. 530/5 (``Personal Information'' definition); NY Gen. Bus. Law 
899-aa(b); Tex. Bus. & Com. Code 521.053(a).
---------------------------------------------------------------------------

    In summary, the Final Rule requires notification if the financial 
institution discovers that unencrypted customer information has been 
acquired without authorization. See Sec.  314.2(m). Unlike under the 
proposed rule, notification is not conditioned on the assessment of 
likelihood of misuse. The Commission believes that determining whether 
acquisition has occurred simplifies the requirement and will enable 
financial institutions to more speedily determine whether a 
notification event has occurred. In addition, the Commission believes 
this change will reduce the number of notifications by excluding events 
where encrypted information was acquired, while ensuring it receives 
notice of events that are more likely to result in harm. As noted 
earlier, the Rule also includes a rebuttable presumption stating that 
when there is unauthorized access to data, unauthorized acquisition 
will be presumed unless the entity that experienced the breach ``has 
reliable evidence showing that there has not been, or could not 
reasonably have been, unauthorized acquisition of such information.'' 
See Sec.  314.2(m).
    Some commenters argued the notification requirement should trigger 
only when especially ``sensitive'' information is involved.\51\ These 
commenters argue that requiring notification when any kind of customer 
information is involved would result in notifications when there is no 
risk of harm to consumers.\52\ The Commission disagrees with this 
contention. The definition of ``customer information'' in the Rule does 
not encompass all information that a financial institution has about 
consumers. ``Customer information'' is defined as records containing 
``non-public personal information'' about a customer.\53\ ``Non-public 
personal information'' is, in turn, defined as ``personally 
identifiable financial information,'' and excludes information that is 
publicly available or not ``personally identifiable.'' \54\ The 
Commission believes security events that trigger the notification 
requirement--where customers' non-public personally identifiable, 
unencrypted financial information has been acquired without 
authorization--are serious and support the need for Commission 
notification.
---------------------------------------------------------------------------

    \51\ AFSA (Comment 12) at 2; CDIA (Comment 13) at 5-6; ETA 
(Comment 17) at 2; CTIA (Comment 20) at 11-12.
    \52\ AFSA (Comment 12) at 2; CDIA (Comment 13) at 5-6; ETA 
(Comment 17) at 2; CTIA (Comment 20) at 11-12.
    \53\ 16 CFR 314.2(d).
    \54\ 16 CFR 314.2(l).
---------------------------------------------------------------------------

    In the SNPRM, the Commission asked whether, rather than having a 
stand-alone reporting requirement, the Rule should require reporting 
only when another State or Federal statute, rule, or regulation 
requires a financial institution to provide notice of a security event 
or similar event to a governmental entity. Some commenters supported 
this suggestion, arguing that such a requirement would reduce 
duplicative notice and consumer confusion.\55\ Other commenters opposed 
it, arguing that because of the varied nature of State notification 
laws, this would produce inconsistent reporting to the Commission.\56\ 
The Commission agrees that a stand-alone requirement will help ensure 
the Commission receives consistent information regarding security 
events.
---------------------------------------------------------------------------

    \55\ CTIA (Comment 20) at 9-10; NADA (Comment 21) at 7.
    \56\ Clearing House (Comment 11) at 9; ACE (Comment 18) at 7; 
EPIC (Comment 19) at 6-7.
---------------------------------------------------------------------------

Determination of Scope of Security Event

    After a financial institution becomes aware of a security event, 
the proposed rule would have required it to determine whether at least 
1,000 consumers have been affected or reasonably may be affected and, 
if so, to notify the Commission.
    A number of commenters expressed views pertaining to the minimum 
threshold for the number of affected customers. Some commenters agreed 
that notification of security events should not be required if the 
number of consumers that could be affected fell below the proposed 
threshold (1,000

[[Page 77504]]

consumers).\57\ The Clearing House, however, suggested that 
notification should be required in all cases, regardless of the number 
of consumers potentially affected.\58\
---------------------------------------------------------------------------

    \57\ CDIA (Comment 13) (suggesting a requirement of notification 
when a security event affects at least 1,000 consumers and may cause 
substantial harm); American Escrow Association (Comment 16) at 2 
(supporting 1,000 consumer requirement while suggesting other 
changes to the notice requirement); ACE (Comment 17) at 2 (stating 
that requiring notice when 1,000 consumers are affected would be 
appropriate, if notices were required only when there was a risk of 
substantial harm); EPIC (Comment 19) at 4 (suggesting that notice be 
required whenever an event involves the information of at least 
1,000 consumers regardless of the likelihood of misuse).
    \58\ Clearing House (Comment 11) at 4-5 (suggesting a 
requirement for notice for any security event involving sensitive 
customer information, regardless of the number of consumers 
potentially affected by the event).
---------------------------------------------------------------------------

    AFSA suggested there should be a higher threshold of affected 
consumers before notice is required.\59\ AFSA argued that the thousand 
consumer threshold was too low because of ``the large number of 
financial institutions with many more customers.'' \60\ The Commission 
disagrees that the fact that some financial institutions hold the 
information of millions of consumers suggests a higher threshold is 
appropriate. The Clearing House, conversely, argues the Rule should 
require that the Commission receive notice whenever any consumer is 
affected, because otherwise consumers whose information was involved in 
smaller breaches would have no notice of the breach and would be 
``without the benefit of important notices'' if financial institutions 
were not required to report breaches affecting fewer consumers.\61\ The 
Commission does not agree that setting a minimum threshold of consumers 
affected before requiring notification would leave consumers involved 
in smaller breaches without notice, as consumers will typically receive 
direct notification under State breach notification laws, regardless of 
whether notice to the Commission is required. In determining the proper 
threshold, the Commission notes that numerous State laws require 
notification of breaches either with no minimum threshold, or with a 
threshold of 250 or 500 people. The Commission's own Health Breach 
Notification Rule, and the Health Insurance Portability and 
Accountability Act (HIPAA) Breach Notification Rule,\62\ also require 
notification of breaches involving 500 or more people. The Commission 
concludes that a lower threshold than in the proposed rule is 
appropriate. Accordingly, the Commission is adopting a minimum 
threshold of 500 consumers, rather than the minimum threshold of 1,000 
consumers that was in proposed Sec.  314.4(j). The Commission believes 
a security event that involves the acquisition of unencrypted customer 
information involving at least 500 consumers is significant enough to 
warrant notification of the Commission, regardless of the size of the 
financial institution.
---------------------------------------------------------------------------

    \59\ AFSA (Comment 12) at 2; see also Anonymous (Comment 2) 
(arguing that threshold should be proportional to the size of the 
financial information).
    \60\ Id.
    \61\ Clearing House (Comment 11) at 5. While the Rule requires 
direct notice of breaches only to the Commission, consumers affected 
by smaller breaches could learn of those breaches when the 
Commission makes the notices public. Also, the Rule does not limit 
State consumer notification laws that require direct notification of 
consumers.
    \62\ 45 CFR 164.400 through 164.414.
---------------------------------------------------------------------------

Time To Report

    The proposed Rule would have required Commission notification 
within 30 days from discovery of the notification event. Some 
commenters that addressed this deadline agreed that this would provide 
financial institutions sufficient time to make the required 
determinations and to notify the Commission.\63\ Other commenters 
argued that financial institutions should be given significantly less 
time to notify the Commission.\64\ Other commenters argued that 
financial institutions should be given more time to notify the 
Commission.\65\ The Commission believes that a 30-day deadline properly 
balances the need for prompt notification with the need to allow 
financial institutions to investigate a security event, determine 
whether the information was acquired without authorization and how many 
consumers were affected, and learn enough about the event to make the 
notification to the Commission meaningful. Accordingly, finalized Sec.  
314.2(j)(1) retains the 30-day deadline from the SNPRM.
---------------------------------------------------------------------------

    \63\ See, e.g., CDIA (Comment 13) at 7; ACE (Comment 18) at 8; 
U.S. Chamber of Commerce (Comment 22) at 4.
    \64\ Anonymous (Comment 2) (suggesting a two-week deadline); 
Clearing House (Comment 11) at 6 (recommending a 36-hour deadline).
    \65\ See SIFMA/BPI (Comment 15) at 8 (arguing that 30 days 
should not begin until financial information has determined that 
security event meets notification requirements); CTIA (Comment 20) 
at 14 (same).
---------------------------------------------------------------------------

    Some commenters argued that financial institutions should be 
permitted to delay or withhold notification of a security event to the 
Commission at the request of a law-enforcement agency or if 
notification would interfere with a law enforcement investigation.\66\ 
Alternatively, EPIC suggested the Commission should not allow companies 
to delay reporting in cases of a law enforcement investigation, but 
should instead delay publication of the notice in cases where 
publication would interfere with an investigation.\67\ The Commission 
agrees that, while notifications to the Commission should not be made 
public if law enforcement has requested a delay, there is no reason to 
delay notice to the Commission itself on that basis. This conclusion is 
consistent with the approach taken by the Securities and Exchange 
Commission and by other Federal financial regulators in rulemakings 
that require notice of cyber incidents to a regulator, as opposed to 
notice directly to consumers.\68\ Accordingly, Sec.  314.4(j)(1)(vi) of 
the Final Rule provides that a financial institution's notice must (1) 
indicate whether any law enforcement official has provided the 
institution with a written determination that public disclosure of the 
breach would impede a criminal investigation or cause damage to 
national security, and (2) provide a means for the Commission to 
contact the law enforcement official. In order that notice to the 
public is not delayed indefinitely, the provision also provides that a 
law enforcement official may request an initial delay of up to 30 days 
following the date when the disclosure is filed with the Commission. 
The delay may be extended for an additional period of up to 60 days if 
the law enforcement official seeks such an extension in writing. 
Additional delay may be permitted only if the Commission staff 
determines that public disclosure of a notification event continues to 
impede a criminal

[[Page 77505]]

investigation or cause damage to national security.
---------------------------------------------------------------------------

    \66\ See SIFMA/BPI (Comment 15) at 10; ACE (Comment 18) at 4-5; 
CTIA (Comment 20) at 15; U.S. Chamber of Commerce (Comment 22) at 5.
    \67\ EPIC (Comment 19) at 5-6.
    \68\ See Securities and Exchange Commission, Cybersecurity Risk 
Management, Strategy, Governance, and Incident Disclosure, 88 FR 
51896, 51898 (Aug. 8, 2023) (allowing delay of required disclosure 
of material cybersecurity incidents if the United States Attorney 
General determines that immediate disclosure would pose a 
substantial risk to national security or public safety and notifies 
the Commission of such determination in writing); Office of the 
Comptroller of the Currency, Federal Reserve System, Federal Deposit 
Insurance Corporation, Computer-Security Incident Notification 
Requirements for Banking Organizations and Their Bank Service 
Providers, 86 FR 66424 (Nov. 23, 2021) (adopting regulations that 
require banking organizations to notify their primary Federal 
Regulator of any ``computer security incident'' that rises to the 
level of a ``notification incident,'' as soon as possible and no 
longer than 36 hours after the banking organization determines that 
a notification incident has occurred).
---------------------------------------------------------------------------

    The proposed Sec.  314.4(j) did not address when a security event 
should be treated as discovered. The Commission believes adding such a 
provision will clarify the rule and prevent confusion. Accordingly, 
under the Final Rule, a notification event shall be treated as 
discovered as of the first day on which such event is known. Financial 
institutions will be deemed to have knowledge of a notification event 
if the event is known to any person, other than the person committing 
the breach, who is the financial institution's employee, officer, or 
other agent. Therefore, in instances where an employee, officer, or 
other agent of the financial institution accesses customer information 
without authorization, a financial institution will be deemed to have 
knowledge of a notification event if the event is known to another 
employee, officer, or other agent of the financial institution.

Contents of Notice

    The proposed Rule required that a notice be made electronically on 
a form on the FTC's website,\69\ and that such notice must include the 
following information: (1) the name and contact information of the 
reporting financial institution; (2) a description of the types of 
information that were involved in the notification event; (3) if the 
information is possible to determine, the date or date range of the 
notification event; and (4) a general description of the notification 
event.
---------------------------------------------------------------------------

    \69\ SIFMA/BPI argued that financial institutions should be 
allowed to notify the Commission by phone because that ``could 
foster confidentiality.'' SIFMA/BPI (Comment 15) at 7. Similarly, 
the U.S. Chamber of Commerce suggested that financial institutions 
should be allowed to notify the Commission by alternative means, 
such as mail, ``where covered entities may lack access to the 
internet.'' U.S. Chamber of Commerce (Comment 22) at 4. The 
Commission believes that notification should be limited to the form 
on the Commission's website, as this will ensure that all 
notifications are received and recorded in the same way. The 
Commission believes that it is not likely that a financial 
institution that has suffered a notification event will not be able 
to access the internet for the entirety of the 30-day reporting 
window.
---------------------------------------------------------------------------

    Several commenters supported these elements as an appropriate level 
of detail.\70\ However, NADA was opposed to the requirement that the 
report include a description of the security event,\71\ while EPIC 
suggested the Rule should require a more detailed description of the 
security event.\72\ EPIC argued that financial institutions should also 
be required to provide a comprehensive description of the types of 
information involved in the security event and a comprehensive 
description of the security event, because ``it is critical that 
financial institutions provide a sufficiently detailed account of each 
security event to enable the FTC and affected consumers to assess 
whether and how personal information is at risk.'' \73\ The Commission 
believes that, with the exception noted below, the proposed elements 
generally provide sufficient information to the Commission and the 
public without imposing undue burdens on reporting financial 
institutions. If the Commission determines more information is needed, 
it will obtain that information from the financial institution. The 
Commission believes, however, that knowing the number of consumers 
affected or potentially affected by the notification event would allow 
it to better evaluate the impact of a particular event. Providing this 
information, which financial institutions will typically determine in 
the course of responding to a breach, will not significantly add to the 
burden to financial institutions. Accordingly, the Final Rule retains 
the proposed elements, while adding a requirement to provide the number 
of consumers affected or potentially affected by the notification 
event.\74\
---------------------------------------------------------------------------

    \70\ See AFSA (Comment 12) at 2; ACE (Comment 18) at 2; U.S. 
Chamber of Commerce (Comment 22) at 4.
    \71\ NADA (Comment 21) at 6.
    \72\ EPIC (Comment 19) at 3.
    \73\ Id.
    \74\ As noted above, if applicable, financial institutions would 
also inform the Commission whether any law enforcement official has 
provided a written determination that notifying the public of the 
breach would impede a criminal investigation or cause damage to 
national security, and a means for the FTC to contact the law 
enforcement official.
---------------------------------------------------------------------------

Publication of Notices

    The SNPRM requested public comment on whether submitted reports 
should be made public. Several commenters argued that making the 
reports public would benefit consumers by helping them to make informed 
decisions about which financial institutions to entrust with their 
financial information or to determine whether they might have been 
affected by a security event.\75\ Other commenters argued the reports 
should be confidential and not shared with the public.\76\ Some 
commenters argued that making the reports public could encourage 
further cybersecurity attacks on affected financial institutions by 
making potential attackers aware of vulnerabilities that have not been 
remedied by the time the notice is made public.\77\ NADA argued that 
the description of the event in particular should not be made public, 
suggesting the description provided no benefit to consumers and would 
not improve data security.\78\ The Commission disagrees that making the 
reports public will increase risk to financial institutions' data 
security. As discussed above, most financial institutions are already 
subject to State breach notification laws, many of which require 
notification to a State agency that then makes the notification public. 
In addition, the general nature of the information required to be 
included in the report is unlikely to provide potential attackers any 
advantage in comprising the financial institution's security.
---------------------------------------------------------------------------

    \75\ Briggs (Comment 4); Clearing House (Comment 11) at 10; EPIC 
(Comment 19) at 5-6.
    \76\ AFSA (Comment 12) at 2-3; CDIA (Comment 13) at 7; SIFMA/BPI 
(Comment 15) at 5-7; ACE (Comment 18) at 5-7; CTIA (Comment 20) at 
15-16; NADA (Comment 21) at 5-6; U.S. Chamber of Commerce (Comment 
22) at 5.
    \77\ SIFMA/BPI (Comment 15) at 7; ACE (Comment 18) at 5-7; CTIA 
(Comment 20) at 15-16; NADA (Comment 21) at 6.
    \78\ NADA (Comment 21) at 6.
---------------------------------------------------------------------------

    Other commenters argued that publication of the notices could 
create undue media coverage and that the information would be too 
general to assist consumers in making informed decisions.\79\ 
Similarly, CDIA argued that because State law requires direct consumer 
notification to those affected by the breach, making the information 
public to all consumers would cause ``consumer confusion and angst 
about whether the consumer's information has been compromised.'' \80\ 
CTIA also argued that financial institutions that have suffered a 
security event should not be subject to the punishment of ``name and 
shame.'' \81\ SIFMA and BPI suggested that making the reports public 
would limit the information financial institutions are willing to share 
in the reports in order to avoid public revelation of the details of 
the breach.\82\
---------------------------------------------------------------------------

    \79\ AFSA (Comment 12) at 2-3; NADA (Comment 21) at 5.
    \80\ CDIA (Comment 13) at 7; see also SIFMA/BPI (Comment 15) at 
6 (suggesting that publication of the reports could cause confusion 
for consumers and investors); ACE (Comment 18) at 5-7.
    \81\ CTIA (Comment 20) at 16.
    \82\ SIFMA/BPI (Comment 15) at 6.
---------------------------------------------------------------------------

    As discussed above, the Commission acknowledges not all security 
events at financial institutions are the result of a failure to comply 
with the Safeguards Rule. Nevertheless, the Commission believes 
providing more information to consumers about these events will both 
benefit consumers and incentivize companies to better protect that 
information. The Commission is not persuaded that attention given to 
breaches is ``undue'' or otherwise inappropriate, as suggested by some 
commenters. Apart from providing

[[Page 77506]]

actionable information for individuals who are directly affected, 
reporting provides a broader value to the general public to consider 
proactive measures, such as implementing a credit freeze, prioritizing 
methods to secure their own data, and determining where to do business. 
The Commission does not believe a confidential reporting system is 
needed in order to incentivize more comprehensive reporting by 
financial institutions. The general level of detail required to be 
reported under Sec.  314.4(j)(1) will not compromise a financial 
institution's security posture going forward--the report requires only 
the most general information and cannot provide a meaningful roadmap 
for attackers. Accordingly, the Commission intends to enter 
notification event reports into a publicly available database.
    The SNPRM also asked for comment on whether the Commission should 
require financial institutions that suffer a security event to directly 
notify affected consumers, as well as the Commission. Some commenters 
were in favor of requiring consumer notification, at least when 
notification of the Commission was required.\83\ Most commenters who 
addressed the issue, however, opposed such a requirement, pointing to 
the existing regime of State consumer notification laws and arguing 
that a separate FTC notification requirement would be duplicative and 
unduly burdensome.\84\ The Commission agrees that, because all States 
have some form of consumer notification requirement, a direct consumer 
notification requirement in the Safeguards Rule would be largely 
duplicative of those State laws. Therefore, the Commission has not 
included such a requirement in the Final Rule.
---------------------------------------------------------------------------

    \83\ Clearing House (Comment 11) at 8-9; EPIC (Comment 19); see 
also Anonymous (Comment 14) (stating that if there is a data breach, 
consumers ``need to know what happened to their information.''
    \84\ See AFSA (Comment 12) at 3; CDIA (Comment 13) at 8; SIFMA/
BPI (Comment 15) at 10; CTIA (Comment 20) at 16-17; NADA (Comment 
21) at 7; see also American Council on Education (Comment 18) at 8 
(stating that the Commission should engage with covered financial 
institutions about existing notification requirements before 
establishing a consumer notification requirement).
---------------------------------------------------------------------------

    Finally, the Commission is revising Sec.  314.4(c) to correct a 
typographical error. As originally promulgated, that section required a 
financial institution to ``[d]esign and implement safeguards to control 
the risks you identity through risk assessment. . . .'' Actually, a 
financial institution must ``[d]esign and implement safeguards to 
control the risks you identify through risk assessment. . . .'' In the 
Final Rule, this error is corrected.
Section 314.5: Effective Date
    The proposed rule revised Sec.  314.5 so that the reporting 
requirement in Sec.  314.4(j) would not go into effect until six months 
after the publication of a final rule. As proposed, finalized Sec.  
314.5 provides that Sec.  314.4(j) will become effective on May 13, 
2024.

V. Paperwork Reduction Act

    The Paperwork Reduction Act (``PRA''), 44 U.S.C. 3501 et seq., 
requires Federal agencies to obtain Office of Management and Budget 
(``OMB'') approval before undertaking a collection of information 
directed to ten or more persons. Pursuant to the regulations 
implementing the PRA (5 CFR 1320.8(b)(3)(vi)), an agency may not 
collect or sponsor the collection of information, nor may it impose an 
information collection requirement, unless it displays a currently 
valid OMB control number.
    The amendment requiring financial institutions to report certain 
security events to the Commission discussed above constitutes a 
``collection of information'' for purposes of the PRA.\85\ As required 
by the PRA, the FTC submitted the proposed information collection 
requirement to OMB for its review at the time of the publication of the 
SNPRM. OMB directed the Commission to resubmit the requirement at the 
time the Final Rule is published. Accordingly, FTC staff has estimated 
the information collection burden for this requirement as set forth 
below.
---------------------------------------------------------------------------

    \85\ 44 U.S.C. 3502(3)(A)(i).
---------------------------------------------------------------------------

    The amendment will affect only those financial institutions that 
suffer a security event in which unencrypted customer information 
affecting at least 500 consumers is acquired without authorization. 
Although the SNPRM proposed a 1,000-consumer cut-off for notification, 
the Commission believes that the reducing the reporting threshold by 
500 consumers will likely make only a small difference in the number of 
breaches reported.\86\ Assuming that reducing the reporting threshold 
by 500 individuals will lead an additional 5% of financial institutions 
to report--a generous estimate--FTC staff estimates the reporting 
requirement will affect approximately 115 financial institutions each 
year.\87\ FTC staff anticipates the burden associated with the 
reporting requirement will consist of the time necessary to compile the 
requested information and report it via the electronic form located on 
the Commission's website. FTC staff estimates this will require 
approximately five hours for affected financial institutions, for a 
total annual burden of approximately 575 hours (115 responses x 5 
hours).
---------------------------------------------------------------------------

    \86\ According to the Identity Theft Resource Center, 108 
entities in the ``Banking/Credit/Financial'' category suffered data 
breaches in 2019, which affected more than 100 million consumers. 
2019 End-of-Year Data Breach Report, Identity Theft Resource Center 
at 2, available at https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf. On average, each breach would 
have involved more than 930,000 consumers, far over both the 500 and 
the 1,000 consumer thresholds.
    \87\ According to the Identity Theft Resource Center, 108 
entities in the ``Banking/Credit/Financial'' category suffered data 
breaches in 2019. 2019 End-of-Year Data Breach Report, Identity 
Theft Resource Center at 2, available at https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf. Although this number may exclude some entities that 
are covered by the Safeguards Rule but are not contained in the 
``Banking/Credit/Financial'' category, not every security event will 
trigger the reporting obligations (e.g., breaches affecting less 
than 500 people). Therefore, Commission staff estimated in the SNPRM 
that 110 institutions would have reportable events. Because of the 
change in the reporting threshold the Commission expects an 
additional 5 entities to have reporting obligations.
---------------------------------------------------------------------------

    The Commission does not believe the reporting requirement would 
impose any new investigative costs on financial institutions. The 
information about notification events required by the reporting 
requirement is information the Commission believes financial 
institutions would acquire in the normal course of responding to a 
notification event. In addition, in many cases, the information 
requested by the reporting requirement is similar to information 
entities are required to disclose under various States' data breach 
notification laws.\88\ As a result, FTC staff estimates the additional 
costs imposed by the reporting requirement will be limited to the 
administrative costs of compiling the requested information and 
reporting it to the Commission on an electronic form located on the 
Commission's website.
---------------------------------------------------------------------------

    \88\ See, e.g., Cal. Civil Code 1798.82; Tex. Bus. & Com. Code 
521.053; Fla. Stat. 501.171.
---------------------------------------------------------------------------

    FTC staff derives the associated labor cost by calculating the 
hourly wages necessary to prepare the required reports. FTC staff 
anticipates that required information will be compiled by information 
security analysts in the course of assessing and responding to a 
notification event, resulting in 3 hours of labor at a mean hourly wage 
of $57.63 (3 hours x $57.63 = $172.89).\89\ FTC staff

[[Page 77507]]

also anticipates that affected financial institutions may use attorneys 
to formulate and submit the required report, resulting in 2 hours of 
labor at a mean hourly wage of $78.74 (2 hours x $78.74 = $157.48).\90\ 
Accordingly, FTC staff estimates the approximate labor cost to be $330 
per report (rounded to the nearest dollar). This yields a total annual 
cost burden of $37,950 (115 annual responses x $330).
---------------------------------------------------------------------------

    \89\ This figure is derived from the mean hourly wage for 
Information security analysts. See ``Occupational Employment and 
Wages--May 2022,'' Bureau of Labor Statistics, U.S. Department of 
Labor (April 5, 2023), Table 1 (``National employment and wage data 
from the Occupational Employment Statistics survey by occupation, 
May 2023''), available at https://www.bls.gov/news.release/pdf/ocwage.pdf.
    \90\ This figure is derived from the mean hourly wage for 
Lawyers. See ``Occupational Employment and Wages--May 2019,'' Bureau 
of Labor Statistics, U.S. Department of Labor (March 31, 2020), 
Table 1 (``National employment and wage data from the Occupational 
Employment Statistics survey by occupation, May 2019''), available 
at https://www.bls.gov/news.release/pdf/ocwage.pdf.
---------------------------------------------------------------------------

    The Commission is providing an online reporting form on the 
Commission's website to facilitate reporting of qualifying notification 
events. As a result, the Commission does not anticipate covered 
financial institutions will incur any new capital or non-labor costs in 
complying with the reporting requirement.
    Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invited 
comments on: (1) whether the disclosure requirements are necessary, 
including whether the information will be practically useful; (2) the 
accuracy of our burden estimates, including whether the methodology and 
assumptions used are valid; (3) ways to enhance the quality, utility, 
and clarity of the information to be collected; and (4) ways to 
minimize the burden of providing the required information to the 
Commission. Although the Commission received several comments that 
argued that the required notifications would be burdensome for 
businesses, none addressed the accuracy of the Commission's burden 
estimate.\91\ Other commenters argued that the reporting requirement 
would create little burden.\92\ For the reasons discussed above, the 
Commission agrees with these commenters and does not believe that 
reporting requirement will create a significant burden for businesses.
---------------------------------------------------------------------------

    \91\ CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA 
(Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at 
2-3; U.S. Chamber of Commerce (Comment 22).
    \92\ American Escrow Association (Comment 16) at 2; ACE (Comment 
18) at 2, 7-8; EPIC (Comment 19) at 6-7.
---------------------------------------------------------------------------

VI. Regulatory Flexibility Act

    The Regulatory Flexibility Act (``RFA'') \93\ requires that the 
Commission provide an Initial Regulatory Flexibility Analysis 
(``IRFA'') with a proposed rule, and a Final Regulatory Flexibility 
Analysis (``FRFA'') with the final rule, unless the Commission 
certifies that the Rule will not have a significant economic impact on 
a substantial number of small entities.\94\ As discussed in the IRFA, 
the Commission does not believe this amendment to the Safeguards Rule 
has the threshold impact on small entities. The reporting requirement 
will apply to financial institutions that, in most cases, already have 
an obligation to disclose similar information under certain Federal and 
State laws and regulations and will not require additional 
investigation or preparation.
---------------------------------------------------------------------------

    \93\ 5 U.S.C. 601-612.
    \94\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------

    In this document, the Commission adopts the amendments proposed in 
its SNPRM with only minimal modifications. In its IRFA, the Commission 
determined that the proposed rule would not have a significant impact 
on small entities because of the minimal information being requested. 
Although the Commission certifies under the RFA that the rule will not 
have a significant impact on a substantial number of small entities, 
and hereby provides notice of that certification to the Small Business 
Administration, the Commission nonetheless has determined that 
publishing a FRFA is appropriate to ensure that the impact of the rule 
is fully addressed. Therefore, the Commission has prepared the 
following analysis:

1. Need for and Objectives of the Final Rule

    The need for and the objective of the Final Rule is to ensure the 
Commission is aware of notification events that could suggest a 
financial institution's security program does not comply with the 
Rule's requirements, thus facilitating Commission enforcement of the 
Rule. To the extent the reported information is made public, the 
information will also assist consumers by providing information as to 
notification events experienced by various financial institutions.

2. Significant Issues Raised in Public Comments in Response to the IRFA

    Although the Commission received several comments that argued that 
the required notifications would be burdensome for businesses,\95\ none 
argued specifically that smaller businesses in particular would be 
subject to special burden. Other commenters argued that the reporting 
requirement would create little burden.\96\ One commenter specifically 
argued that the requirement would not create significant burden for 
small businesses.\97\ As discussed above, the Commission does not 
anticipate that covered financial institutions will incur any new 
capital or non-labor costs in complying with the reporting requirement. 
Additionally, the average annual labor costs per covered financial 
institution are de minimis because most entities, including small 
entities, will only infrequently be required to file a report. Thus, 
the Commission does not believe that the reporting requirement will 
create a significant burden for financial institutions in general, 
including small businesses.
---------------------------------------------------------------------------

    \95\ CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA 
(Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at 
2-3; U.S. Chamber of Commerce (Comment 22).
    \96\ American Escrow Association (Comment 16) at 2; ACE (Comment 
18) at 2, 7-8; EPIC (Comment 19) at 6-7.
    \97\ American Escrow Association (Comment 16) at 2 (stating that 
the reporting requirement ``does not appear to be onerous as a 
reporting matter and we also agree with the FTC's conclusion that 
there would not be a significant impact on small business'').
---------------------------------------------------------------------------

    The Commission did not receive any comments filed by the Chief 
Counsel for Advocacy of the Small Business Administration (``SBA'').

3. Description and an Estimate of the Number of Small Entities to Which 
the Final Rule Will Apply, or Explanation Why No Estimate Is Available

    As explained in the IRFA, determining a precise estimate of the 
number of small entities \98\ that would

[[Page 77508]]

have to report a notification event in a given year is not readily 
feasible. No commenters addressed this issue. Both small entities and 
larger ones experience security incidents involving disclosure of 
consumer information.\99\ However, other factors complicate the 
analysis. There are no estimates available reflecting the percentage of 
financial institutions under the Commission's jurisdiction that would 
be considered small entities, and small entities may be more likely to 
experience notification events that fall below the notification 
threshold, for example. Such factors are not reflected in industry and 
economic sector data, and, therefore, it is not possible to estimate 
the number of small entities covered by the Rule from such data. 
Projecting from entities' past experiences of actual breaches, however, 
as discussed in the section discussing the PRA, FTC staff estimates the 
Rule's reporting requirement would affect approximately 115 entities 
per year in the future. Accordingly, even if every financial 
institution required to report in a given year were a small entity, the 
reporting requirement would affect only approximately 115 such 
entities. Regardless, as discussed above, these amendments will not add 
any significant additional burdens on any covered small businesses.
---------------------------------------------------------------------------

    \98\ The U.S. Small Business Administration Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes (``NAICS'') are generally expressed in 
either millions of dollars or number of employees. A size standard 
is the largest that a business can be and still qualify as a small 
business for Federal Government programs. For the most part, size 
standards are the annual receipts or the average employment of a 
firm. Depending on the nature of the financial services an 
institution provides, the size standard varies. By way of example, 
mortgage and nonmortgage loan brokers (NAICS code 522310) are 
classified as small if their annual receipts are $15 million or 
less. Consumer lending institutions (NAICS code 52291) are 
classified as small if their annual receipts are $47 million or 
less. Commercial banking and savings institutions (NAICS codes 
522110 and 522120) are classified as small if their assets are $850 
million or less. Assets are determined by averaging the assets 
reported on businesses' four quarterly financial statements for the 
preceding year. The 2023 Table of Small Business Size Standards is 
available at https://www.sba.gov/document/support--table-size-standards.
    \99\ See, e.g., 2023 Verizon Data Breach Investigations Report 
at 65, available at https://www.verizon.com/business/resources/reports/dbir/ (reporting cybersecurity incidents and confirmed data 
disclosures for companies with fewer than or more than 1000 
employees).
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The notification requirement imposes reporting requirements. As 
outlined above, the amendment will affect only those financial 
institutions that suffer a notification event in which unencrypted 
customer information affecting at least 500 consumers is acquired 
without authorization. If such an event occurs, the affected financial 
institution may expend costs to provide the Commission with the 
information required by the reporting requirement. As noted in the PRA 
analysis above, the total estimated annual cost burden for all entities 
subject to the reporting requirement will be approximately $37,950.

5. Description of Steps Taken To Minimize Significant Economic Impact, 
If Any, on Small Entities, Including Alternatives

    The Commission did not propose any specific small entity exemption 
or other significant alternatives because the burden imposed upon small 
businesses is minimal. In drafting the reporting requirement, the 
Commission has made every effort to avoid unduly burdensome 
requirements for entities. The reporting requirement only mandates that 
affected financial institutions provide the Commission with information 
necessary to assist it in its regulatory and enforcement efforts. The 
rule minimizes burden on all covered financial institutions, including 
small businesses, by providing for reporting through an online form on 
the Commission's website. In addition, the rule requires that only 
notification events involving at least 500 consumers must be reported, 
which will reduce potential burden on small businesses that retain 
information on fewer consumers. Therefore, the Commission does not 
believe that any alternatives for small entities are required or 
appropriate.

VII. Other Matters

    Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.), 
the Office of Information and Regulatory Affairs designated this rule 
as not a ``major rule,'' as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 314

    Consumer protection, Computer technology, Credit, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission amends 
16 CFR part 314 as follows:

PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

0
1. The authority citation for part 314 continues to read as follows:

    Authority:  15 U.S.C. 6801(b), 6805(b)(2).


0
2. In Sec.  314.2:
0
a. Redesignate paragraphs (m) through (r) as paragraphs (n) through 
(s), respectively; and
0
b. Add a new paragraph (m). The addition reads as follows:


Sec.  314.2   Definitions.

* * * * *
    (m) Notification event means acquisition of unencrypted customer 
information without the authorization of the individual to which the 
information pertains. Customer information is considered unencrypted 
for this purpose if the encryption key was accessed by an unauthorized 
person. Unauthorized acquisition will be presumed to include 
unauthorized access to unencrypted customer information unless you have 
reliable evidence showing that there has not been, or could not 
reasonably have been, unauthorized acquisition of such information.
* * * * *

0
3. In Sec.  314.4, revise the introductory text of paragraph (c) and 
add paragraph (j) to read as follows:


Sec.  314.4   Elements.

* * * * *
    (c) Design and implement safeguards to control the risks you 
identify through risk assessment, including by:
* * * * *
    (j) Notify the Federal Trade Commission about notification events 
in accordance with paragraphs (j)(1) and (2) of this section.
    (1) Notification requirement. Upon discovery of a notification 
event as described in paragraph (j)(2) of this section, if the 
notification event involves the information of at least 500 consumers, 
you must notify the Federal Trade Commission as soon as possible, and 
no later than 30 days after discovery of the event. The notice shall be 
made electronically on a form to be located on the FTC's website, 
https://www.ftc.gov. The notice shall include the following:
    (i) The name and contact information of the reporting financial 
institution;
    (ii) A description of the types of information that were involved 
in the notification event;
    (iii) If the information is possible to determine, the date or date 
range of the notification event;
    (iv) The number of consumers affected or potentially affected by 
the notification event;
    (v) A general description of the notification event; and
    (vi) Whether any law enforcement official has provided you with a 
written determination that notifying the public of the breach would 
impede a criminal investigation or cause damage to national security, 
and a means for the Federal Trade Commission to contact the law 
enforcement official. A law enforcement official may request an initial 
delay of up to 30 days following the date when notice was provided to 
the Federal Trade Commission. The delay may be extended for an 
additional period of up to 60 days if the law enforcement official 
seeks such an extension in writing. Additional delay may be permitted 
only if the Commission staff determines that public disclosure of a 
security event continues to impede a criminal investigation or cause 
damage to national security.
    (2) Notification event treated as discovered. A notification event 
shall be treated as discovered as of the first day on which such event 
is known to you. You shall be deemed to have knowledge

[[Page 77509]]

of a notification event if such event is known to any person, other 
than the person committing the breach, who is your employee, officer, 
or other agent.

0
4. Revise Sec.  314.5 to read as follows:


Sec.  314.5   Effective date.

    Section 314.4(j) is effective as of May 13, 2024.

    By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2023-24412 Filed 11-9-23; 8:45 am]
BILLING CODE 6750-01-P