[Federal Register Volume 88, Number 217 (Monday, November 13, 2023)]
[Rules and Regulations]
[Pages 77499-77509]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-24412]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 314
RIN 3084-AB35
Standards for Safeguarding Customer Information
AGENCY: Federal Trade Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is
issuing a final rule (``Final Rule'') to amend the Standards for
Safeguarding Customer Information (``Safeguards Rule'' or ``Rule'') to
require financial institutions to report to the Commission any
notification event where unencrypted customer information involving 500
or more consumers is acquired without authorization.
DATES: The amendments are effective May 13, 2024.
FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773),
Division of Privacy and Identity Protection, Bureau of Consumer
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Background
Congress enacted the Gramm Leach Bliley Act (``GLBA'') in 1999.\1\
The GLBA provides a framework for regulating the privacy and data
security practices of a broad range of financial institutions. Among
other things, the GLBA requires financial institutions to provide
customers with information about the institutions' privacy practices
and about their opt-out rights, and to implement security safeguards
for customer information.
---------------------------------------------------------------------------
\1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------
Subtitle A of Title V of the GLBA required the Commission and other
Federal agencies to establish standards for financial institutions
relating to administrative, technical, and physical safeguards for
certain information.\2\ Pursuant to the GLBA's directive, the
Commission promulgated the Safeguards Rule in 2002.\3\ The Safeguards
Rule became effective on May 23, 2003.\4\
---------------------------------------------------------------------------
\2\ See 15 U.S.C. 6801(b), 6805(b)(2).
\3\ 67 FR 36483 (May 23, 2002).
\4\ Id.
---------------------------------------------------------------------------
II. Regulatory Review of the Safeguards Rule
On April 4, 2019, the Commission issued a notice of proposed
rulemaking (``NPRM'') setting forth proposed amendments to the
Safeguards Rule.\5\ In response, the Commission received 49 comments
from various interested parties including industry groups, consumer
groups, and individual consumers.\6\ On July 13, 2020, the Commission
held a workshop concerning the proposed changes and conducted panels
with information security experts discussing subjects related to the
proposed amendments.\7\ The Commission received 11 comments following
the workshop. After reviewing the initial comments to the NPRM,
conducting the workshop, and then reviewing the comments received
following the workshop, the Commission issued final amendments to the
Safeguards Rule on December 9, 2021.\8\
---------------------------------------------------------------------------
\5\ 84 FR 13158 (Apr. 4, 2019).
\6\ The 49 relevant public comments received on or after March
15, 2019, can be found at Regulations.gov. See FTC Seeks Comment on
Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part
314, Project No. P145407, https://www.regulations.gov/docket/FTC-2019-0019/comments. The 11 relevant public comments relating to the
subject matter of the July 13, 2020, workshop can be found at:
https://www.regulations.gov/document/FTC-2020-0038-0001/comment.
This notice cites comments using the last name of the individual
submitter or the name of the organization, followed by the number
based on the last two digits of the comment ID number.
\7\ See FTC, Information Security and Financial Institutions:
FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf.
\8\ 86 FR 70272 (Dec. 9. 2021).
---------------------------------------------------------------------------
In the NPRM, the Commission explained that its proposed amendments
to the Safeguards Rule were based primarily on the cybersecurity
regulations issued by the New York Department of Financial Services, 23
NYCRR 500 (``Cybersecurity Regulations'').\9\ The Commission also noted
that the Cybersecurity Regulations require covered entities to report
security events to the superintendent of the Department of Financial
Services.\10\ Relatedly, for many years, some other Federal agencies
enforcing the GLBA have required financial institutions to provide
notice to the regulator, and in some instances notice to consumers as
well.\11\ Although the Commission did not include a similar reporting
requirement in the NPRM, it did seek comment on whether the Safeguards
Rule should be amended to require that financial institutions report
security events to the Commission. Specifically, the Commission
requested comments on whether such a requirement should be added and,
if so, (1) the appropriate deadline for reporting security events after
discovery, (2) whether all security events should require notification
or whether notification should be required only under certain
circumstances, such as a determination of a likelihood of harm to
customers or that the event
[[Page 77500]]
affects a certain number of customers, (3) whether such reports should
be made public, (4) whether events involving encrypted information
should be included in the requirement, and (5) whether the requirement
should allow law enforcement agencies to prevent or delay notification
if notification would affect law-enforcement investigations.\12\
---------------------------------------------------------------------------
\9\ 84 FR 13158, 13163 (Apr. 4, 2019).
\10\ Id. at 13169.
\11\ See Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and Customer Notice, 70
FR 15736, 15752 (Mar. 29, 2005) (originally issued by the Office of
the Comptroller of the Currency; the Board of Governors of the
Federal Reserve System; the Federal Deposit Insurance Corporation;
and the Office of Thrift Supervision) (``At a minimum, an
institution's response program should contain procedures for the
following: . . . Notifying its primary Federal regulator as soon as
possible when the institution becomes aware of an incident involving
unauthorized access to or use of sensitive customer information, as
defined below; . . . [and notifying] customers when warranted''),
https://www.occ.treas.gov/news-issuances/federal-register/2005/70fr15736.pdf (emphasis in original).
\12\ Id.
---------------------------------------------------------------------------
The final rule, which the Commission published in the Federal
Register on December 9, 2021, did not include a reporting
requirement.\13\ However, on the same date, the Commission published a
supplemental notice of proposed rulemaking (``SNPRM'') in the Federal
Register, which proposed further amending the Safeguards Rule to
require financial institutions to report to the Commission certain
security events as soon as possible, and no later than 30 days after
discovery of the event.\14\ Specifically, the Commission proposed to
require financial institutions to notify the Commission electronically
through a form located on the FTC's website about any security event
that resulted or is reasonably likely to result in the misuse of
customer information affecting at least 1,000 consumers. The Commission
proposed that the notification include a limited set of information,
consisting of (1) the name and contact information of the reporting
financial institution, (2) a description of the types of information
involved in the security event, (3) the date or the date range of the
security event, if it can be determined, and (4) a general description
of the security event. In response to the SNPRM, the Commission
received 14 comments from various interested parties, including
industry groups, consumer groups, and individual consumers.\15\
---------------------------------------------------------------------------
\13\ 86 FR 70272 (Dec. 9. 2021).
\14\ See 86 FR 70062, 70067 (Dec. 9, 2021).
\15\ The 14 relevant public comments received can be found at
Regulations.gov. See FTC Seeks Comment on Proposed Amendments to
Safeguards and Privacy Rules, 16 CFR part 314, Project No. P145407,
https://www.regulations.gov/docket/FTC-2021-0071/comments.
---------------------------------------------------------------------------
After reviewing the comments, the Commission now finalizes the
proposed amendments with minor changes.
III. Overview of Final Rule
The Final Rule requires financial institutions to report
notification events, defined as the unauthorized acquisition of
unencrypted customer information, involving at least 500 customers to
the Commission. The notice to the Commission must include: (1) the name
and contact information of the reporting financial institution; (2) a
description of the types of information that were involved in the
notification event; (3) if the information is possible to determine,
the date or date range of the notification event; (4) the number of
consumers affected; (5) a general description of the notification
event; and, if applicable, whether any law enforcement official has
provided the financial institution with a written determination that
notifying the public of the breach would impede a criminal
investigation or cause damage to national security, and a means for the
Federal Trade Commission to contact the law enforcement official. The
notice must be provided electronically through a form located on the
FTC's website, https://www.ftc.gov.
IV. Detailed Analysis
The following section discusses the comments that the Commission
received in response to the SNPRM.
General Comments
Several commenters generally supported the inclusion of a
notification requirement in the Rule.\16\ Some of these commenters
pointed to frequent data breaches as an indication that companies' data
security practices are inadequate and stated that requiring companies
to provide notice to the Commission would enable the Commission to more
easily enforce the Rule.\17\ The Clearing House argued that the
requirement is appropriate because it would place financial
institutions covered by the Rule in the same position as banks, which
are required to report data breaches to their prudential
regulators.\18\ The Electronic Privacy Information Center (``EPIC'')
suggested that the amendment would incentivize ``use of strong data
security measures by financial institutions, bring additional
accountability and transparency to the handling of security events, and
enhance the data security and privacy of all consumers.'' \19\
---------------------------------------------------------------------------
\16\ See Anonymous (Comment 2); Briggs (Comment 4); Clearing
House Association L.L.C. (``Clearing House'') (Comment 11);
Anonymous (Comment 14); Securities Industry and Financial Markets
Association (``SIFMA'') and Bank Policy Institute (``BPI'')
(``SIFMA/BPI'') (Comment 15) (supporting notification requirement
for financial institutions that are not regulated by non-FTC
financial agencies); American Council on Education (Comment 18)
(supporting proposed notice requirement with revisions); Electronic
Privacy Information Center (``EPIC'') (Comment 19).
\17\ See, e.g., Anonymous (Comment 2); Briggs (Comment 4); The
Clearing House (Comment 11) at 2 (describing breaches in the fintech
industry).
\18\ Clearing House (Comment 11) at 1-2.
\19\ EPIC (Comment 19) at 2.
---------------------------------------------------------------------------
Other commenters opposed the proposal.\20\ Many of these commenters
argued that the proposed notification requirement would be duplicative
of State breach notification laws and is, therefore, unnecessary.\21\
The Commission, however, disagrees that requiring financial
institutions to provide notice to the Commission is redundant because
of State breach notification laws. State breach notification laws
provide notice to consumers and in some cases also to State regulators,
while the notice requirement of the Final Rule requires notice to the
Commission and is designed to ensure that the Commission receives
notice of security breaches affecting financial institutions under the
Commission's jurisdiction. Notice to consumers or to State regulators
does not achieve this purpose. Receipt of these notices will enable the
Commission to monitor for emerging data security threats affecting
financial institutions and to facilitate prompt investigative response
to major security breaches. CTIA argued that the Commission could
achieve this goal by accessing and reviewing regulated entities'
reports to consumers and State authorities under State notification
laws.\22\ The Commission disagrees that this indirect method would be
as efficient or effective as requiring regulated financial institutions
to directly notify the Commission.\23\ Such an approach would be
extremely burdensome on the Commission and would require the diversion
of resources from enforcement to search for and collect information
about breaches involving regulated financial institutions. Also, as
some of the commenters noted,\24\ State laws vary in what types of
incidents must be
[[Page 77501]]
reported and to whom.\25\ The Safeguards Rule notice requirement will
establish a uniform reporting requirement for all regulated financial
institutions, assisting the Commission in getting consistent
information about notification events affecting those financial
institutions regardless of which State's consumers are affected. This
benefit is not offset by the cost to financial institutions because the
burden on individual financial institutions is minimal, as the Final
Rule does not require an extensive report and, in many instances,
financial institutions will already be preparing notices to consumers
and State agencies.
---------------------------------------------------------------------------
\20\ See American Financial Services Association (``AFSA'')
(Comment 12); Consumer Data Industry Association (``CDIA'') (Comment
13); American Escrow Association (Comment 16); CTIA (Comment 20);
National Automobile Dealers Association (``NADA'') (Comment 21);
U.S. Chamber of Commerce (Comment 22).
\21\ See, e.g., AFSA (Comment 12) at 3; CDIA (Comment 13) at 2-
3; CTIA (Comment 20) at 2-4; NADA (Comment 21) at 2-3; U.S. Chamber
of Commerce (Comment 22) at 3.
\22\ CTIA (Comment 20) at 6-7.
\23\ While some States that require notification to a State
agency make companies' breach notifications public, see, e.g., N.H.
Dep't of Just., Off. of Attorney Gen., Security Breach
Notifications, https://www.doj.nh.gov/consumer/security-breaches/,
other States do not make notifications public, and as noted above,
not all States require notice to a State government agency. Some
non-governmental sources report breach notifications, but there is
no guarantee that such sources are comprehensive as they depend in
part on reporting by consumers who received a breach notification
letter. Thus, the Commission could not obtain comprehensive data
relating to breaches at regulated financial institutions by
compiling reports of breaches from other sources.
\24\ See, e.g., Clearing House (Comment 11) at 8; CDIA (Comment
13) at 3; CTIA (Comment 20) at 4.
\25\ See, e.g., Tex. Bus. & Com. Code 521.053(i) (requiring
companies to notify Texas Attorney General if a breach affects at
least 250 Texas residents); Va. Code Ann. 18.2-186.6(E) (requiring
companies to notify Virginia Attorney General if a breach affects at
least 1,000 Virginia residents); Fla. Stat. 501.171(3) (requiring
businesses to notify the Florida Department of Legal Affairs if a
breach affects at least 500 individuals in Florida).
---------------------------------------------------------------------------
Some commenters argued that the notification requirement would not
improve financial institutions' data security.\26\ Other commenters
disagreed with this assertion, arguing that the notification
requirement would further incentivize financial institutions to protect
customer information.\27\ The Commission agrees with these commenters
that the notification requirement will increase the efficiency and
effectiveness of the Commission's enforcement of the Rule. As noted
above, while State breach notification laws require notice to
consumers, some States do not require that such notices be provided to
State regulators as well, and not all State regulators that do receive
such notices publish them. By requiring financial institutions to
provide notice directly to the Commission, the Commission will not have
to devote resources to continually search for breach notifications
posted by other sources in order to know that a financial institution
has experienced a breach. Without a notification, the Commission would
have no guarantee that it has found all breaches in its searches. The
required notices will enable the Commission to identify breaches that
merit investigation more quickly and efficiently. Also, receiving
notice of breaches will allow the Commission to develop better
awareness of emerging risks to financial institutions' security. The
Commission expects that these benefits will enable more efficient
enforcement of the Rule, which will in turn increase financial
institutions' incentive to comply. In addition, as discussed below,
making the notices public will enable consumers to make more informed
decisions about which financial institutions they choose to entrust
with their information, providing financial institutions with an
additional incentive to comply with the Rule.
---------------------------------------------------------------------------
\26\ See, e.g., AFSA (Comment 12) at 1; CDIA (Comment 13) at 2-
3; American Escrow Association (Comment 16) at 2; CTIA (Comment 20)
at 3-6; NADA (Comment 21) at 2-3; U.S. Chamber of Commerce (Comment
22) at 2-3.
\27\ See EPIC (Comment 19) at 2, see also Anonymous (Comment 2);
Briggs (Comment 4).
---------------------------------------------------------------------------
The National Automobile Dealers Association (``NADA'') argued that
a requirement for financial institutions to report events in order to
facilitate enforcement against them is ``unprecedented'' \28\ and
``raises serious questions,'' including ``potential First Amendment and
potentially even Fifth Amendment concerns.'' \29\ The Commission
disagrees. Far from being unique, the requirement to report security
events to law enforcement agencies that might result in enforcement
actions against the notifying company is common. Many Federal agencies
\30\ require regulated entities to report data breaches to them, and
most States require that companies report breaches to State attorneys
general or other State law enforcement and have done so for years.\31\
---------------------------------------------------------------------------
\28\ NADA argues that banking regulations are not relevant
examples because they are designed ``to protect depositors and to
ensure the public interest in the safety and soundness of banks,''
rather than to facilitate enforcement. NADA (Comment 21) at 4-5,
n.8. The banking regulations, however, are also designed to
facilitate enforcement. In addition, the Safeguards Rule is also
designed to protect customers of financial institutions and ensure
the public interest in the safety of consumer's financial
information.
\29\ NADA (Comment 21) at 4-5, n. 9.
\30\ See, e.g., Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and Customer Notice, 70
FR 15736, 15752 (Mar. 29, 2005) (originally issued by the Office of
the Comptroller of the Currency, the Board of Governors of the
Federal Reserve System, the Federal Deposit Insurance Corporation,
and the Office of Thrift Supervision); 45 CFR 164.408 (requiring
covered entities to report breaches affecting 500 or more
individuals to the Secretary of Health and Human Services); 12 CFR
53.3 (requiring banking organizations to report security events to
the Office of the Comptroller of the Currency); 12 CFR 225.302
(requiring Board-supervised banking organization to report certain
breaches to the Board); 12 CFR 304.23 (requiring certain bank
organizations to report breaches to the FDIC); see also 87 FR 16590
(Mar. 23, 2022) (proposed rule requiring companies to report
security incidents to the SEC).
\31\ See, e.g., Tex. Bus. & Com. Code 521.053(i) (requiring
companies to notify Texas Attorney General if a breach affects at
least 250 Texas residents); Va. Code Ann. 18.2-186.6(E) (requiring
companies to notify Virginia Attorney General if a breach affects at
least 1,000 Virginia residents); Fla. Stat. 501.171(3) (requiring
businesses to notify the Florida Department of Legal Affairs if a
breach affects at least 500 individuals in Florida).
---------------------------------------------------------------------------
NADA also argued that requiring reporting security events to assist
the Commission to enforce the Safeguards Rule is inappropriate because
not every breach is the result of a failure to comply with the
Safeguards Rule.\32\ NADA suggested that the reporting requirement
should only ``apply after a series of security events,'' because only
multiple events can be ``suggestive of compliance failures,'' while any
single breach ``certainly . . . is not.'' \33\ While the Commission
acknowledges that not every notification event is necessarily the
result of a failure to comply with the Safeguards Rule, it disagrees
that a single breach cannot be ``suggestive of compliance failures.''
\34\ Indeed, the fact that an institution has not experienced a breach
does not necessarily mean that the institution is in compliance with
the Rule's requirements. The Commission believes that taking action to
correct a potential Safeguards Rule violation before additional
security events can harm consumers is appropriate and desirable. The
American Financial Services Association (``AFSA'') contended that ``the
FTC should clarify what factors in a report could lead to enforcement
concerns,'' arguing that otherwise ``institutions may seek to minimize
all risks associated with a report.'' \35\ The Commission does not
believe that providing a guide to when a report could possibly lead to
enforcement is either possible or desirable because the reports are
unlikely to contain all of the information that the Commission would
need to determine that law enforcement is appropriate or necessary.
Such determinations are typically made following investigations that
afford entities the opportunity to provide context and information.
---------------------------------------------------------------------------
\32\ NADA (Comment 21) at 3-5.
\33\ NADA (Comment 21) at 4.
\34\ See, e.g., FTC v. Equifax, 1:19-cv-03297-TWT (N.D. Ga.,
July 22, 2019), available at https://www.ftc.gov/legal-library/browse/cases-proceedings/172-3203-equifax-inc.
\35\ AFSA (Comment 12) at 1.
---------------------------------------------------------------------------
In addition, the Commission notes that requiring a financial
institution to report an event is not suggesting that every
notification event is the result of a violation of the Rule and will
result in an enforcement action or even investigation. Rather, the
reporting requirement will provide the Commission with valuable
information about security threats to financial institutions and assist
in the determination of whether any individual event should be
investigated further. This will improve the Commission's ability to
respond to data breaches and may enable the Commission to issue
business and
[[Page 77502]]
consumer education about emerging threats.
Other commenters argued that the reporting requirement would be
unduly burdensome.\36\ Some of these commenters suggested that because
the Rule's requirement may differ from State notification laws'
requirements, complying with the Rule will be burdensome.\37\ Other
commenters disagreed, noting that the information required is limited
to basic information about the company and the notification event.\38\
The Commission agrees with these commenters. The information required
to be reported is minimal and is very similar to the information
required by many State notification laws.\39\ The company will have
this information as the result of even a basic investigation of the
security event, an investigation that would be required in any event to
comply with the Rule and basic security practices. The fact that some
State laws may be triggered under different circumstances and may
require different information does not render this simple report
burdensome.
---------------------------------------------------------------------------
\36\ CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA
(Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at
2-3; U.S. Chamber of Commerce (Comment 22).
\37\ CDIA (Comment 13) at 2-3; CTIA (Comment 20) at 6; NADA
(Comment 21) at 2-3.
\38\ American Escrow Association (Comment 16) at 2; ACE (Comment
18) at 2, 7-8; EPIC (Comment 19) at 6-7.
\39\ See, e.g., Ala. Code 8-38-5(d); Ariz. Rev. Stat. 18-552(E);
Cal. Civ. Code 1798.82(d); Fla. Stat. 501.171(3)(b); Mich. Comp.
Laws 445.72(6); Mo. Rev. Stat. 407.1500(2)(4); N.H. Rev. Stat. Ann.
359-C:20(IV); N.Y. U.C.C. Law 899-AA(7); and Or. Rev. Stat.
646A.604(5).
---------------------------------------------------------------------------
In addition to addressing the proposed amendment in general,
commenters also addressed specific elements of the proposed amendments.
These comments are addressed in the following detailed discussion.
Triggering Event
The Commission adopts proposed Sec. 314.4(j) as originally
proposed, with minor changes. Proposed paragraph (j) would have
required financial institutions that become aware of a security event
to promptly determine the likelihood that customer information has been
or will be misused. Under the provision as originally proposed,
financial institutions would have been required to make a report to the
Commission upon determining that, among other conditions, ``misuse of
customer information ha[d] occurred or . . . [was] reasonably likely
[to occur].'' However, upon consideration of the comments, Commission
is clarifying the triggering language by adding a new paragraph (m) in
Sec. 314.2, which defines the term ``notification event'' as the
``acquisition of . . . [unencrypted customer] information without the
authorization of the individual to which the information pertains.''
Section 314.2(m) further clarifies that: (1) ``[c]ustomer information
is considered unencrypted . . . if the encryption key was accessed by
an unauthorized person;'' and (2) ``[u]nauthorized acquisition will be
presumed to include unauthorized access to unencrypted customer
information unless you have reliable evidence showing that there has
not been, or could not reasonably have been, unauthorized acquisition
of such information.''
Several commenters addressed whether becoming aware of a security
event is an appropriate trigger for the notification process. In a
joint comment, the Securities Industry and Financial Markets
Association (``SIFMA'') and the Bank Policy Institute (``BPI'') argued
that the notification process should not begin when a financial
institution becomes aware of an event, but instead begin when the
financial institution ``determines'' a security event has occurred.
SIFMA and BPI suggested that ``determination'' takes place sometime
after ``discovery,'' and that financial institutions should have 30
days to notify the Commission after making this determination rather
than after discovery. SIFMA and BPI argued that ``determination''
``connotes a higher standard of certainty than `discovery,' '' and
would include determining whether any further requirements for notice,
such as number of consumers affected, had been met. The Commission
disagrees that 30 days after discovery of a notification event is
insufficient time to determine whether the event meets the requirements
for notification and to prepare the notice. The Commission expects that
companies will be able to decide quickly whether a notification event
has occurred by determining whether unencrypted customer information
has been acquired and, if so, how many consumers are affected, so there
will not be a significant difference between ``determination'' and
``discovery.'' \40\ In addition, the notification to the Commission
requires minimal details and will not take significant time to prepare
and, as discussed above, many States require reports containing similar
information, so the financial institutions will need to prepare such a
report in any event.
---------------------------------------------------------------------------
\40\ As discussed below, the Final Rule no longer requires the
financial institution to determine whether misuse had occurred or
was likely.
---------------------------------------------------------------------------
Other commenters argued the term ``security event'' is too broad a
term to act as a trigger for the notification process, stating that the
term encompasses types of incidents that pose little risk of consumer
harm and for which notification is unnecessary.\41\ Some commenters
felt notification should be required only when harm to consumers has
occurred or is likely to occur, rather than when ``misuse'' has
occurred or is reasonably likely.\42\ Some commenters argued a trigger
that requires consumer harm would be more in accord with State
notification laws.\43\ Similarly, several commenters argued the
notification requirement should exclude security events that involve
only encrypted customer information, because there is little chance of
consumer harm in such cases.\44\ Others argued requiring financial
institutions to report breaches that do not involve possible harm to
consumers would be unduly burdensome on financial institutions and
would produce an overwhelming number of reports to the Commission.\45\
Conversely, EPIC argued notice should be required for all security
events regardless of whether misuse had occurred or was likely.\46\
EPIC argued that removing the analysis of whether misuse was likely
would lower the burden of determining whether a report should be made
and would prevent attempts by financial institutions to avoid reporting
to the Commission.\47\
---------------------------------------------------------------------------
\41\ See, e.g., SIFMA/BPI (Comment 15) at 8-9; CTIA (Comment 20)
at 11-12; NADA (Comment 21) at 2-3.
\42\ See CDIA (Comment 13) at 4-5; SIFMA/BPI (Comment 15) at 9-
10; American Escrow Association (Comment 16) at 2-3; ETA (Comment
17) at 2; CTIA (Comment 20) at 11-14.
\43\ See, e.g., CDIA (Comment 13) at 4-5.
\44\ AFSA (Comment 12) at 2; CDIA (Comment 13) at 6; SIFMA/BPI
(Comment 15) at 9; ACE (Comment 18); CTIA (Comment 20) at 12; NADA
(Comment 21) at 3; U.S. Chamber of Commerce (Comment 22) at 4.
\45\ SIFMA/BPI (Comment 15) at 9; ETA (Comment 17) at 2; CTIA
(Comment 20) at 11.
\46\ EPIC (Comment 19) at 4.
\47\ Id.
---------------------------------------------------------------------------
The Commission agrees with EPIC that the trigger for notification
requires clarification. The meaning of the term ``misuse'' in the
proposed rule was ambiguous. It was not clear if acquisition of
customer information alone constituted misuse, or if other forms of
misuse, such as alteration of data, would fall within the notification
requirement. Given this ambiguity, financial institutions would have
had difficulty evaluating the likelihood of misuse of customer
information that has been acquired without authorization. At the same
time, the ambiguity could have
[[Page 77503]]
been used as an opportunity to circumvent the reporting requirement.
Specifically, because the proposed rule required the financial
institution to assess the likelihood of misuse, it would have allowed
financial institutions to underestimate the likelihood of misuse, and,
thereby, the need to report the security event.
Accordingly, the Final Rule requires notification where customer
information has been acquired, rather than when misuse is considered
likely. Specifically, the Commission is adding a new Sec. 314.2(m)
that defines the term ``[n]otification event'' to mean the acquisition
of unencrypted customer information without the authorization of the
individual to which the information pertains. Section 314.2(m) also
provides that unauthorized access of information will be presumed to
result in unauthorized acquisition unless the financial institution can
show that there has not been, or could not reasonably have been,
unauthorized acquisition of such information. This rebuttable
presumption is consistent with the Health Breach Notification Rule. See
16 CFR 318.2(a) (``Unauthorized acquisition will be presumed to include
unauthorized access to unsecured PHR [personal health record]
identifiable health information unless the vendor of personal health
records, PHR related entity, or third party service provider that
experienced the breach has reliable evidence showing that there has not
been, or could not reasonably have been, unauthorized acquisition of
such information.'').\48\ Here, too, the presumption is ``intended to
address the difficulty of determining whether access to data (i.e., the
opportunity to view the data) did or did not lead to acquisition (i.e.,
the actual viewing or reading of the data).'' \49\
---------------------------------------------------------------------------
\48\ See also 74 FR 42962, 42966 (Aug. 25, 2009). Examples of
this rebuttable presumption cited in that rulemaking, and equally
relevant here, included a circumstance where ``an unauthorized
employee inadvertently accesses an individual's PHR and logs off
without reading, using, or disclosing anything. If the unauthorized
employee read the data and/or shared it, however, he or she
`acquired' the information, thus triggering the notification
obligation in the rule.'' Another example related to a lost laptop:
``If an entity's employee loses a laptop in a public place, the
information would be accessible to unauthorized persons, giving rise
to a presumption that unauthorized acquisition has occurred. The
entity can rebut this presumption by showing, for example, that the
laptop was recovered, and that forensic analysis revealed that files
were never opened, altered, transferred, or otherwise compromised.''
Id. at 42966.
\49\ Id.
---------------------------------------------------------------------------
The Commission also agrees notification should not be required when
harm to consumers is rendered extremely unlikely because the customer
information is encrypted. Accordingly, the Final Rule does not require
notification if the customer information acquired is encrypted, so long
as the encryption key was not accessed by an unauthorized person. See
Sec. 314.2(m). By requiring notice relating to unauthorized
acquisition only of unencrypted customer information, this change
brings the Rule into accord with most State breach notification laws.
If customer information was encrypted but the encryption key was also
accessed without authorization, then the customer information will be
considered to be unencrypted. Someone who has both the encrypted
information and the encryption key can easily decrypt the
information.\50\
---------------------------------------------------------------------------
\50\ See, e.g., Ala. Code 8-38-2(6)(b)(2); Alaska Stat.
45.48.090(7); Colo. Rev. Stat. 6-1-716 (2)(a.4); 815 Ill. Comp.
Stat. 530/5 (``Personal Information'' definition); NY Gen. Bus. Law
899-aa(b); Tex. Bus. & Com. Code 521.053(a).
---------------------------------------------------------------------------
In summary, the Final Rule requires notification if the financial
institution discovers that unencrypted customer information has been
acquired without authorization. See Sec. 314.2(m). Unlike under the
proposed rule, notification is not conditioned on the assessment of
likelihood of misuse. The Commission believes that determining whether
acquisition has occurred simplifies the requirement and will enable
financial institutions to more speedily determine whether a
notification event has occurred. In addition, the Commission believes
this change will reduce the number of notifications by excluding events
where encrypted information was acquired, while ensuring it receives
notice of events that are more likely to result in harm. As noted
earlier, the Rule also includes a rebuttable presumption stating that
when there is unauthorized access to data, unauthorized acquisition
will be presumed unless the entity that experienced the breach ``has
reliable evidence showing that there has not been, or could not
reasonably have been, unauthorized acquisition of such information.''
See Sec. 314.2(m).
Some commenters argued the notification requirement should trigger
only when especially ``sensitive'' information is involved.\51\ These
commenters argue that requiring notification when any kind of customer
information is involved would result in notifications when there is no
risk of harm to consumers.\52\ The Commission disagrees with this
contention. The definition of ``customer information'' in the Rule does
not encompass all information that a financial institution has about
consumers. ``Customer information'' is defined as records containing
``non-public personal information'' about a customer.\53\ ``Non-public
personal information'' is, in turn, defined as ``personally
identifiable financial information,'' and excludes information that is
publicly available or not ``personally identifiable.'' \54\ The
Commission believes security events that trigger the notification
requirement--where customers' non-public personally identifiable,
unencrypted financial information has been acquired without
authorization--are serious and support the need for Commission
notification.
---------------------------------------------------------------------------
\51\ AFSA (Comment 12) at 2; CDIA (Comment 13) at 5-6; ETA
(Comment 17) at 2; CTIA (Comment 20) at 11-12.
\52\ AFSA (Comment 12) at 2; CDIA (Comment 13) at 5-6; ETA
(Comment 17) at 2; CTIA (Comment 20) at 11-12.
\53\ 16 CFR 314.2(d).
\54\ 16 CFR 314.2(l).
---------------------------------------------------------------------------
In the SNPRM, the Commission asked whether, rather than having a
stand-alone reporting requirement, the Rule should require reporting
only when another State or Federal statute, rule, or regulation
requires a financial institution to provide notice of a security event
or similar event to a governmental entity. Some commenters supported
this suggestion, arguing that such a requirement would reduce
duplicative notice and consumer confusion.\55\ Other commenters opposed
it, arguing that because of the varied nature of State notification
laws, this would produce inconsistent reporting to the Commission.\56\
The Commission agrees that a stand-alone requirement will help ensure
the Commission receives consistent information regarding security
events.
---------------------------------------------------------------------------
\55\ CTIA (Comment 20) at 9-10; NADA (Comment 21) at 7.
\56\ Clearing House (Comment 11) at 9; ACE (Comment 18) at 7;
EPIC (Comment 19) at 6-7.
---------------------------------------------------------------------------
Determination of Scope of Security Event
After a financial institution becomes aware of a security event,
the proposed rule would have required it to determine whether at least
1,000 consumers have been affected or reasonably may be affected and,
if so, to notify the Commission.
A number of commenters expressed views pertaining to the minimum
threshold for the number of affected customers. Some commenters agreed
that notification of security events should not be required if the
number of consumers that could be affected fell below the proposed
threshold (1,000
[[Page 77504]]
consumers).\57\ The Clearing House, however, suggested that
notification should be required in all cases, regardless of the number
of consumers potentially affected.\58\
---------------------------------------------------------------------------
\57\ CDIA (Comment 13) (suggesting a requirement of notification
when a security event affects at least 1,000 consumers and may cause
substantial harm); American Escrow Association (Comment 16) at 2
(supporting 1,000 consumer requirement while suggesting other
changes to the notice requirement); ACE (Comment 17) at 2 (stating
that requiring notice when 1,000 consumers are affected would be
appropriate, if notices were required only when there was a risk of
substantial harm); EPIC (Comment 19) at 4 (suggesting that notice be
required whenever an event involves the information of at least
1,000 consumers regardless of the likelihood of misuse).
\58\ Clearing House (Comment 11) at 4-5 (suggesting a
requirement for notice for any security event involving sensitive
customer information, regardless of the number of consumers
potentially affected by the event).
---------------------------------------------------------------------------
AFSA suggested there should be a higher threshold of affected
consumers before notice is required.\59\ AFSA argued that the thousand
consumer threshold was too low because of ``the large number of
financial institutions with many more customers.'' \60\ The Commission
disagrees that the fact that some financial institutions hold the
information of millions of consumers suggests a higher threshold is
appropriate. The Clearing House, conversely, argues the Rule should
require that the Commission receive notice whenever any consumer is
affected, because otherwise consumers whose information was involved in
smaller breaches would have no notice of the breach and would be
``without the benefit of important notices'' if financial institutions
were not required to report breaches affecting fewer consumers.\61\ The
Commission does not agree that setting a minimum threshold of consumers
affected before requiring notification would leave consumers involved
in smaller breaches without notice, as consumers will typically receive
direct notification under State breach notification laws, regardless of
whether notice to the Commission is required. In determining the proper
threshold, the Commission notes that numerous State laws require
notification of breaches either with no minimum threshold, or with a
threshold of 250 or 500 people. The Commission's own Health Breach
Notification Rule, and the Health Insurance Portability and
Accountability Act (HIPAA) Breach Notification Rule,\62\ also require
notification of breaches involving 500 or more people. The Commission
concludes that a lower threshold than in the proposed rule is
appropriate. Accordingly, the Commission is adopting a minimum
threshold of 500 consumers, rather than the minimum threshold of 1,000
consumers that was in proposed Sec. 314.4(j). The Commission believes
a security event that involves the acquisition of unencrypted customer
information involving at least 500 consumers is significant enough to
warrant notification of the Commission, regardless of the size of the
financial institution.
---------------------------------------------------------------------------
\59\ AFSA (Comment 12) at 2; see also Anonymous (Comment 2)
(arguing that threshold should be proportional to the size of the
financial information).
\60\ Id.
\61\ Clearing House (Comment 11) at 5. While the Rule requires
direct notice of breaches only to the Commission, consumers affected
by smaller breaches could learn of those breaches when the
Commission makes the notices public. Also, the Rule does not limit
State consumer notification laws that require direct notification of
consumers.
\62\ 45 CFR 164.400 through 164.414.
---------------------------------------------------------------------------
Time To Report
The proposed Rule would have required Commission notification
within 30 days from discovery of the notification event. Some
commenters that addressed this deadline agreed that this would provide
financial institutions sufficient time to make the required
determinations and to notify the Commission.\63\ Other commenters
argued that financial institutions should be given significantly less
time to notify the Commission.\64\ Other commenters argued that
financial institutions should be given more time to notify the
Commission.\65\ The Commission believes that a 30-day deadline properly
balances the need for prompt notification with the need to allow
financial institutions to investigate a security event, determine
whether the information was acquired without authorization and how many
consumers were affected, and learn enough about the event to make the
notification to the Commission meaningful. Accordingly, finalized Sec.
314.2(j)(1) retains the 30-day deadline from the SNPRM.
---------------------------------------------------------------------------
\63\ See, e.g., CDIA (Comment 13) at 7; ACE (Comment 18) at 8;
U.S. Chamber of Commerce (Comment 22) at 4.
\64\ Anonymous (Comment 2) (suggesting a two-week deadline);
Clearing House (Comment 11) at 6 (recommending a 36-hour deadline).
\65\ See SIFMA/BPI (Comment 15) at 8 (arguing that 30 days
should not begin until financial information has determined that
security event meets notification requirements); CTIA (Comment 20)
at 14 (same).
---------------------------------------------------------------------------
Some commenters argued that financial institutions should be
permitted to delay or withhold notification of a security event to the
Commission at the request of a law-enforcement agency or if
notification would interfere with a law enforcement investigation.\66\
Alternatively, EPIC suggested the Commission should not allow companies
to delay reporting in cases of a law enforcement investigation, but
should instead delay publication of the notice in cases where
publication would interfere with an investigation.\67\ The Commission
agrees that, while notifications to the Commission should not be made
public if law enforcement has requested a delay, there is no reason to
delay notice to the Commission itself on that basis. This conclusion is
consistent with the approach taken by the Securities and Exchange
Commission and by other Federal financial regulators in rulemakings
that require notice of cyber incidents to a regulator, as opposed to
notice directly to consumers.\68\ Accordingly, Sec. 314.4(j)(1)(vi) of
the Final Rule provides that a financial institution's notice must (1)
indicate whether any law enforcement official has provided the
institution with a written determination that public disclosure of the
breach would impede a criminal investigation or cause damage to
national security, and (2) provide a means for the Commission to
contact the law enforcement official. In order that notice to the
public is not delayed indefinitely, the provision also provides that a
law enforcement official may request an initial delay of up to 30 days
following the date when the disclosure is filed with the Commission.
The delay may be extended for an additional period of up to 60 days if
the law enforcement official seeks such an extension in writing.
Additional delay may be permitted only if the Commission staff
determines that public disclosure of a notification event continues to
impede a criminal
[[Page 77505]]
investigation or cause damage to national security.
---------------------------------------------------------------------------
\66\ See SIFMA/BPI (Comment 15) at 10; ACE (Comment 18) at 4-5;
CTIA (Comment 20) at 15; U.S. Chamber of Commerce (Comment 22) at 5.
\67\ EPIC (Comment 19) at 5-6.
\68\ See Securities and Exchange Commission, Cybersecurity Risk
Management, Strategy, Governance, and Incident Disclosure, 88 FR
51896, 51898 (Aug. 8, 2023) (allowing delay of required disclosure
of material cybersecurity incidents if the United States Attorney
General determines that immediate disclosure would pose a
substantial risk to national security or public safety and notifies
the Commission of such determination in writing); Office of the
Comptroller of the Currency, Federal Reserve System, Federal Deposit
Insurance Corporation, Computer-Security Incident Notification
Requirements for Banking Organizations and Their Bank Service
Providers, 86 FR 66424 (Nov. 23, 2021) (adopting regulations that
require banking organizations to notify their primary Federal
Regulator of any ``computer security incident'' that rises to the
level of a ``notification incident,'' as soon as possible and no
longer than 36 hours after the banking organization determines that
a notification incident has occurred).
---------------------------------------------------------------------------
The proposed Sec. 314.4(j) did not address when a security event
should be treated as discovered. The Commission believes adding such a
provision will clarify the rule and prevent confusion. Accordingly,
under the Final Rule, a notification event shall be treated as
discovered as of the first day on which such event is known. Financial
institutions will be deemed to have knowledge of a notification event
if the event is known to any person, other than the person committing
the breach, who is the financial institution's employee, officer, or
other agent. Therefore, in instances where an employee, officer, or
other agent of the financial institution accesses customer information
without authorization, a financial institution will be deemed to have
knowledge of a notification event if the event is known to another
employee, officer, or other agent of the financial institution.
Contents of Notice
The proposed Rule required that a notice be made electronically on
a form on the FTC's website,\69\ and that such notice must include the
following information: (1) the name and contact information of the
reporting financial institution; (2) a description of the types of
information that were involved in the notification event; (3) if the
information is possible to determine, the date or date range of the
notification event; and (4) a general description of the notification
event.
---------------------------------------------------------------------------
\69\ SIFMA/BPI argued that financial institutions should be
allowed to notify the Commission by phone because that ``could
foster confidentiality.'' SIFMA/BPI (Comment 15) at 7. Similarly,
the U.S. Chamber of Commerce suggested that financial institutions
should be allowed to notify the Commission by alternative means,
such as mail, ``where covered entities may lack access to the
internet.'' U.S. Chamber of Commerce (Comment 22) at 4. The
Commission believes that notification should be limited to the form
on the Commission's website, as this will ensure that all
notifications are received and recorded in the same way. The
Commission believes that it is not likely that a financial
institution that has suffered a notification event will not be able
to access the internet for the entirety of the 30-day reporting
window.
---------------------------------------------------------------------------
Several commenters supported these elements as an appropriate level
of detail.\70\ However, NADA was opposed to the requirement that the
report include a description of the security event,\71\ while EPIC
suggested the Rule should require a more detailed description of the
security event.\72\ EPIC argued that financial institutions should also
be required to provide a comprehensive description of the types of
information involved in the security event and a comprehensive
description of the security event, because ``it is critical that
financial institutions provide a sufficiently detailed account of each
security event to enable the FTC and affected consumers to assess
whether and how personal information is at risk.'' \73\ The Commission
believes that, with the exception noted below, the proposed elements
generally provide sufficient information to the Commission and the
public without imposing undue burdens on reporting financial
institutions. If the Commission determines more information is needed,
it will obtain that information from the financial institution. The
Commission believes, however, that knowing the number of consumers
affected or potentially affected by the notification event would allow
it to better evaluate the impact of a particular event. Providing this
information, which financial institutions will typically determine in
the course of responding to a breach, will not significantly add to the
burden to financial institutions. Accordingly, the Final Rule retains
the proposed elements, while adding a requirement to provide the number
of consumers affected or potentially affected by the notification
event.\74\
---------------------------------------------------------------------------
\70\ See AFSA (Comment 12) at 2; ACE (Comment 18) at 2; U.S.
Chamber of Commerce (Comment 22) at 4.
\71\ NADA (Comment 21) at 6.
\72\ EPIC (Comment 19) at 3.
\73\ Id.
\74\ As noted above, if applicable, financial institutions would
also inform the Commission whether any law enforcement official has
provided a written determination that notifying the public of the
breach would impede a criminal investigation or cause damage to
national security, and a means for the FTC to contact the law
enforcement official.
---------------------------------------------------------------------------
Publication of Notices
The SNPRM requested public comment on whether submitted reports
should be made public. Several commenters argued that making the
reports public would benefit consumers by helping them to make informed
decisions about which financial institutions to entrust with their
financial information or to determine whether they might have been
affected by a security event.\75\ Other commenters argued the reports
should be confidential and not shared with the public.\76\ Some
commenters argued that making the reports public could encourage
further cybersecurity attacks on affected financial institutions by
making potential attackers aware of vulnerabilities that have not been
remedied by the time the notice is made public.\77\ NADA argued that
the description of the event in particular should not be made public,
suggesting the description provided no benefit to consumers and would
not improve data security.\78\ The Commission disagrees that making the
reports public will increase risk to financial institutions' data
security. As discussed above, most financial institutions are already
subject to State breach notification laws, many of which require
notification to a State agency that then makes the notification public.
In addition, the general nature of the information required to be
included in the report is unlikely to provide potential attackers any
advantage in comprising the financial institution's security.
---------------------------------------------------------------------------
\75\ Briggs (Comment 4); Clearing House (Comment 11) at 10; EPIC
(Comment 19) at 5-6.
\76\ AFSA (Comment 12) at 2-3; CDIA (Comment 13) at 7; SIFMA/BPI
(Comment 15) at 5-7; ACE (Comment 18) at 5-7; CTIA (Comment 20) at
15-16; NADA (Comment 21) at 5-6; U.S. Chamber of Commerce (Comment
22) at 5.
\77\ SIFMA/BPI (Comment 15) at 7; ACE (Comment 18) at 5-7; CTIA
(Comment 20) at 15-16; NADA (Comment 21) at 6.
\78\ NADA (Comment 21) at 6.
---------------------------------------------------------------------------
Other commenters argued that publication of the notices could
create undue media coverage and that the information would be too
general to assist consumers in making informed decisions.\79\
Similarly, CDIA argued that because State law requires direct consumer
notification to those affected by the breach, making the information
public to all consumers would cause ``consumer confusion and angst
about whether the consumer's information has been compromised.'' \80\
CTIA also argued that financial institutions that have suffered a
security event should not be subject to the punishment of ``name and
shame.'' \81\ SIFMA and BPI suggested that making the reports public
would limit the information financial institutions are willing to share
in the reports in order to avoid public revelation of the details of
the breach.\82\
---------------------------------------------------------------------------
\79\ AFSA (Comment 12) at 2-3; NADA (Comment 21) at 5.
\80\ CDIA (Comment 13) at 7; see also SIFMA/BPI (Comment 15) at
6 (suggesting that publication of the reports could cause confusion
for consumers and investors); ACE (Comment 18) at 5-7.
\81\ CTIA (Comment 20) at 16.
\82\ SIFMA/BPI (Comment 15) at 6.
---------------------------------------------------------------------------
As discussed above, the Commission acknowledges not all security
events at financial institutions are the result of a failure to comply
with the Safeguards Rule. Nevertheless, the Commission believes
providing more information to consumers about these events will both
benefit consumers and incentivize companies to better protect that
information. The Commission is not persuaded that attention given to
breaches is ``undue'' or otherwise inappropriate, as suggested by some
commenters. Apart from providing
[[Page 77506]]
actionable information for individuals who are directly affected,
reporting provides a broader value to the general public to consider
proactive measures, such as implementing a credit freeze, prioritizing
methods to secure their own data, and determining where to do business.
The Commission does not believe a confidential reporting system is
needed in order to incentivize more comprehensive reporting by
financial institutions. The general level of detail required to be
reported under Sec. 314.4(j)(1) will not compromise a financial
institution's security posture going forward--the report requires only
the most general information and cannot provide a meaningful roadmap
for attackers. Accordingly, the Commission intends to enter
notification event reports into a publicly available database.
The SNPRM also asked for comment on whether the Commission should
require financial institutions that suffer a security event to directly
notify affected consumers, as well as the Commission. Some commenters
were in favor of requiring consumer notification, at least when
notification of the Commission was required.\83\ Most commenters who
addressed the issue, however, opposed such a requirement, pointing to
the existing regime of State consumer notification laws and arguing
that a separate FTC notification requirement would be duplicative and
unduly burdensome.\84\ The Commission agrees that, because all States
have some form of consumer notification requirement, a direct consumer
notification requirement in the Safeguards Rule would be largely
duplicative of those State laws. Therefore, the Commission has not
included such a requirement in the Final Rule.
---------------------------------------------------------------------------
\83\ Clearing House (Comment 11) at 8-9; EPIC (Comment 19); see
also Anonymous (Comment 14) (stating that if there is a data breach,
consumers ``need to know what happened to their information.''
\84\ See AFSA (Comment 12) at 3; CDIA (Comment 13) at 8; SIFMA/
BPI (Comment 15) at 10; CTIA (Comment 20) at 16-17; NADA (Comment
21) at 7; see also American Council on Education (Comment 18) at 8
(stating that the Commission should engage with covered financial
institutions about existing notification requirements before
establishing a consumer notification requirement).
---------------------------------------------------------------------------
Finally, the Commission is revising Sec. 314.4(c) to correct a
typographical error. As originally promulgated, that section required a
financial institution to ``[d]esign and implement safeguards to control
the risks you identity through risk assessment. . . .'' Actually, a
financial institution must ``[d]esign and implement safeguards to
control the risks you identify through risk assessment. . . .'' In the
Final Rule, this error is corrected.
Section 314.5: Effective Date
The proposed rule revised Sec. 314.5 so that the reporting
requirement in Sec. 314.4(j) would not go into effect until six months
after the publication of a final rule. As proposed, finalized Sec.
314.5 provides that Sec. 314.4(j) will become effective on May 13,
2024.
V. Paperwork Reduction Act
The Paperwork Reduction Act (``PRA''), 44 U.S.C. 3501 et seq.,
requires Federal agencies to obtain Office of Management and Budget
(``OMB'') approval before undertaking a collection of information
directed to ten or more persons. Pursuant to the regulations
implementing the PRA (5 CFR 1320.8(b)(3)(vi)), an agency may not
collect or sponsor the collection of information, nor may it impose an
information collection requirement, unless it displays a currently
valid OMB control number.
The amendment requiring financial institutions to report certain
security events to the Commission discussed above constitutes a
``collection of information'' for purposes of the PRA.\85\ As required
by the PRA, the FTC submitted the proposed information collection
requirement to OMB for its review at the time of the publication of the
SNPRM. OMB directed the Commission to resubmit the requirement at the
time the Final Rule is published. Accordingly, FTC staff has estimated
the information collection burden for this requirement as set forth
below.
---------------------------------------------------------------------------
\85\ 44 U.S.C. 3502(3)(A)(i).
---------------------------------------------------------------------------
The amendment will affect only those financial institutions that
suffer a security event in which unencrypted customer information
affecting at least 500 consumers is acquired without authorization.
Although the SNPRM proposed a 1,000-consumer cut-off for notification,
the Commission believes that the reducing the reporting threshold by
500 consumers will likely make only a small difference in the number of
breaches reported.\86\ Assuming that reducing the reporting threshold
by 500 individuals will lead an additional 5% of financial institutions
to report--a generous estimate--FTC staff estimates the reporting
requirement will affect approximately 115 financial institutions each
year.\87\ FTC staff anticipates the burden associated with the
reporting requirement will consist of the time necessary to compile the
requested information and report it via the electronic form located on
the Commission's website. FTC staff estimates this will require
approximately five hours for affected financial institutions, for a
total annual burden of approximately 575 hours (115 responses x 5
hours).
---------------------------------------------------------------------------
\86\ According to the Identity Theft Resource Center, 108
entities in the ``Banking/Credit/Financial'' category suffered data
breaches in 2019, which affected more than 100 million consumers.
2019 End-of-Year Data Breach Report, Identity Theft Resource Center
at 2, available at https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf. On average, each breach would
have involved more than 930,000 consumers, far over both the 500 and
the 1,000 consumer thresholds.
\87\ According to the Identity Theft Resource Center, 108
entities in the ``Banking/Credit/Financial'' category suffered data
breaches in 2019. 2019 End-of-Year Data Breach Report, Identity
Theft Resource Center at 2, available at https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf. Although this number may exclude some entities that
are covered by the Safeguards Rule but are not contained in the
``Banking/Credit/Financial'' category, not every security event will
trigger the reporting obligations (e.g., breaches affecting less
than 500 people). Therefore, Commission staff estimated in the SNPRM
that 110 institutions would have reportable events. Because of the
change in the reporting threshold the Commission expects an
additional 5 entities to have reporting obligations.
---------------------------------------------------------------------------
The Commission does not believe the reporting requirement would
impose any new investigative costs on financial institutions. The
information about notification events required by the reporting
requirement is information the Commission believes financial
institutions would acquire in the normal course of responding to a
notification event. In addition, in many cases, the information
requested by the reporting requirement is similar to information
entities are required to disclose under various States' data breach
notification laws.\88\ As a result, FTC staff estimates the additional
costs imposed by the reporting requirement will be limited to the
administrative costs of compiling the requested information and
reporting it to the Commission on an electronic form located on the
Commission's website.
---------------------------------------------------------------------------
\88\ See, e.g., Cal. Civil Code 1798.82; Tex. Bus. & Com. Code
521.053; Fla. Stat. 501.171.
---------------------------------------------------------------------------
FTC staff derives the associated labor cost by calculating the
hourly wages necessary to prepare the required reports. FTC staff
anticipates that required information will be compiled by information
security analysts in the course of assessing and responding to a
notification event, resulting in 3 hours of labor at a mean hourly wage
of $57.63 (3 hours x $57.63 = $172.89).\89\ FTC staff
[[Page 77507]]
also anticipates that affected financial institutions may use attorneys
to formulate and submit the required report, resulting in 2 hours of
labor at a mean hourly wage of $78.74 (2 hours x $78.74 = $157.48).\90\
Accordingly, FTC staff estimates the approximate labor cost to be $330
per report (rounded to the nearest dollar). This yields a total annual
cost burden of $37,950 (115 annual responses x $330).
---------------------------------------------------------------------------
\89\ This figure is derived from the mean hourly wage for
Information security analysts. See ``Occupational Employment and
Wages--May 2022,'' Bureau of Labor Statistics, U.S. Department of
Labor (April 5, 2023), Table 1 (``National employment and wage data
from the Occupational Employment Statistics survey by occupation,
May 2023''), available at https://www.bls.gov/news.release/pdf/ocwage.pdf.
\90\ This figure is derived from the mean hourly wage for
Lawyers. See ``Occupational Employment and Wages--May 2019,'' Bureau
of Labor Statistics, U.S. Department of Labor (March 31, 2020),
Table 1 (``National employment and wage data from the Occupational
Employment Statistics survey by occupation, May 2019''), available
at https://www.bls.gov/news.release/pdf/ocwage.pdf.
---------------------------------------------------------------------------
The Commission is providing an online reporting form on the
Commission's website to facilitate reporting of qualifying notification
events. As a result, the Commission does not anticipate covered
financial institutions will incur any new capital or non-labor costs in
complying with the reporting requirement.
Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invited
comments on: (1) whether the disclosure requirements are necessary,
including whether the information will be practically useful; (2) the
accuracy of our burden estimates, including whether the methodology and
assumptions used are valid; (3) ways to enhance the quality, utility,
and clarity of the information to be collected; and (4) ways to
minimize the burden of providing the required information to the
Commission. Although the Commission received several comments that
argued that the required notifications would be burdensome for
businesses, none addressed the accuracy of the Commission's burden
estimate.\91\ Other commenters argued that the reporting requirement
would create little burden.\92\ For the reasons discussed above, the
Commission agrees with these commenters and does not believe that
reporting requirement will create a significant burden for businesses.
---------------------------------------------------------------------------
\91\ CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA
(Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at
2-3; U.S. Chamber of Commerce (Comment 22).
\92\ American Escrow Association (Comment 16) at 2; ACE (Comment
18) at 2, 7-8; EPIC (Comment 19) at 6-7.
---------------------------------------------------------------------------
VI. Regulatory Flexibility Act
The Regulatory Flexibility Act (``RFA'') \93\ requires that the
Commission provide an Initial Regulatory Flexibility Analysis
(``IRFA'') with a proposed rule, and a Final Regulatory Flexibility
Analysis (``FRFA'') with the final rule, unless the Commission
certifies that the Rule will not have a significant economic impact on
a substantial number of small entities.\94\ As discussed in the IRFA,
the Commission does not believe this amendment to the Safeguards Rule
has the threshold impact on small entities. The reporting requirement
will apply to financial institutions that, in most cases, already have
an obligation to disclose similar information under certain Federal and
State laws and regulations and will not require additional
investigation or preparation.
---------------------------------------------------------------------------
\93\ 5 U.S.C. 601-612.
\94\ 5 U.S.C. 603-605.
---------------------------------------------------------------------------
In this document, the Commission adopts the amendments proposed in
its SNPRM with only minimal modifications. In its IRFA, the Commission
determined that the proposed rule would not have a significant impact
on small entities because of the minimal information being requested.
Although the Commission certifies under the RFA that the rule will not
have a significant impact on a substantial number of small entities,
and hereby provides notice of that certification to the Small Business
Administration, the Commission nonetheless has determined that
publishing a FRFA is appropriate to ensure that the impact of the rule
is fully addressed. Therefore, the Commission has prepared the
following analysis:
1. Need for and Objectives of the Final Rule
The need for and the objective of the Final Rule is to ensure the
Commission is aware of notification events that could suggest a
financial institution's security program does not comply with the
Rule's requirements, thus facilitating Commission enforcement of the
Rule. To the extent the reported information is made public, the
information will also assist consumers by providing information as to
notification events experienced by various financial institutions.
2. Significant Issues Raised in Public Comments in Response to the IRFA
Although the Commission received several comments that argued that
the required notifications would be burdensome for businesses,\95\ none
argued specifically that smaller businesses in particular would be
subject to special burden. Other commenters argued that the reporting
requirement would create little burden.\96\ One commenter specifically
argued that the requirement would not create significant burden for
small businesses.\97\ As discussed above, the Commission does not
anticipate that covered financial institutions will incur any new
capital or non-labor costs in complying with the reporting requirement.
Additionally, the average annual labor costs per covered financial
institution are de minimis because most entities, including small
entities, will only infrequently be required to file a report. Thus,
the Commission does not believe that the reporting requirement will
create a significant burden for financial institutions in general,
including small businesses.
---------------------------------------------------------------------------
\95\ CDIA (Comment 13) at 2-3; SIFMA/BPI (Comment 15) at 8; ETA
(Comment 17) at 2-3; CTIA (Comment 20) at 3-6; NADA (Comment 21) at
2-3; U.S. Chamber of Commerce (Comment 22).
\96\ American Escrow Association (Comment 16) at 2; ACE (Comment
18) at 2, 7-8; EPIC (Comment 19) at 6-7.
\97\ American Escrow Association (Comment 16) at 2 (stating that
the reporting requirement ``does not appear to be onerous as a
reporting matter and we also agree with the FTC's conclusion that
there would not be a significant impact on small business'').
---------------------------------------------------------------------------
The Commission did not receive any comments filed by the Chief
Counsel for Advocacy of the Small Business Administration (``SBA'').
3. Description and an Estimate of the Number of Small Entities to Which
the Final Rule Will Apply, or Explanation Why No Estimate Is Available
As explained in the IRFA, determining a precise estimate of the
number of small entities \98\ that would
[[Page 77508]]
have to report a notification event in a given year is not readily
feasible. No commenters addressed this issue. Both small entities and
larger ones experience security incidents involving disclosure of
consumer information.\99\ However, other factors complicate the
analysis. There are no estimates available reflecting the percentage of
financial institutions under the Commission's jurisdiction that would
be considered small entities, and small entities may be more likely to
experience notification events that fall below the notification
threshold, for example. Such factors are not reflected in industry and
economic sector data, and, therefore, it is not possible to estimate
the number of small entities covered by the Rule from such data.
Projecting from entities' past experiences of actual breaches, however,
as discussed in the section discussing the PRA, FTC staff estimates the
Rule's reporting requirement would affect approximately 115 entities
per year in the future. Accordingly, even if every financial
institution required to report in a given year were a small entity, the
reporting requirement would affect only approximately 115 such
entities. Regardless, as discussed above, these amendments will not add
any significant additional burdens on any covered small businesses.
---------------------------------------------------------------------------
\98\ The U.S. Small Business Administration Table of Small
Business Size Standards Matched to North American Industry
Classification System Codes (``NAICS'') are generally expressed in
either millions of dollars or number of employees. A size standard
is the largest that a business can be and still qualify as a small
business for Federal Government programs. For the most part, size
standards are the annual receipts or the average employment of a
firm. Depending on the nature of the financial services an
institution provides, the size standard varies. By way of example,
mortgage and nonmortgage loan brokers (NAICS code 522310) are
classified as small if their annual receipts are $15 million or
less. Consumer lending institutions (NAICS code 52291) are
classified as small if their annual receipts are $47 million or
less. Commercial banking and savings institutions (NAICS codes
522110 and 522120) are classified as small if their assets are $850
million or less. Assets are determined by averaging the assets
reported on businesses' four quarterly financial statements for the
preceding year. The 2023 Table of Small Business Size Standards is
available at https://www.sba.gov/document/support--table-size-standards.
\99\ See, e.g., 2023 Verizon Data Breach Investigations Report
at 65, available at https://www.verizon.com/business/resources/reports/dbir/ (reporting cybersecurity incidents and confirmed data
disclosures for companies with fewer than or more than 1000
employees).
---------------------------------------------------------------------------
4. Projected Reporting, Recordkeeping, and Other Compliance
Requirements
The notification requirement imposes reporting requirements. As
outlined above, the amendment will affect only those financial
institutions that suffer a notification event in which unencrypted
customer information affecting at least 500 consumers is acquired
without authorization. If such an event occurs, the affected financial
institution may expend costs to provide the Commission with the
information required by the reporting requirement. As noted in the PRA
analysis above, the total estimated annual cost burden for all entities
subject to the reporting requirement will be approximately $37,950.
5. Description of Steps Taken To Minimize Significant Economic Impact,
If Any, on Small Entities, Including Alternatives
The Commission did not propose any specific small entity exemption
or other significant alternatives because the burden imposed upon small
businesses is minimal. In drafting the reporting requirement, the
Commission has made every effort to avoid unduly burdensome
requirements for entities. The reporting requirement only mandates that
affected financial institutions provide the Commission with information
necessary to assist it in its regulatory and enforcement efforts. The
rule minimizes burden on all covered financial institutions, including
small businesses, by providing for reporting through an online form on
the Commission's website. In addition, the rule requires that only
notification events involving at least 500 consumers must be reported,
which will reduce potential burden on small businesses that retain
information on fewer consumers. Therefore, the Commission does not
believe that any alternatives for small entities are required or
appropriate.
VII. Other Matters
Pursuant to the Congressional Review Act (5 U.S.C. 801 et seq.),
the Office of Information and Regulatory Affairs designated this rule
as not a ``major rule,'' as defined by 5 U.S.C. 804(2).
List of Subjects in 16 CFR Part 314
Consumer protection, Computer technology, Credit, Privacy, Trade
practices.
For the reasons stated above, the Federal Trade Commission amends
16 CFR part 314 as follows:
PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
0
1. The authority citation for part 314 continues to read as follows:
Authority: 15 U.S.C. 6801(b), 6805(b)(2).
0
2. In Sec. 314.2:
0
a. Redesignate paragraphs (m) through (r) as paragraphs (n) through
(s), respectively; and
0
b. Add a new paragraph (m). The addition reads as follows:
Sec. 314.2 Definitions.
* * * * *
(m) Notification event means acquisition of unencrypted customer
information without the authorization of the individual to which the
information pertains. Customer information is considered unencrypted
for this purpose if the encryption key was accessed by an unauthorized
person. Unauthorized acquisition will be presumed to include
unauthorized access to unencrypted customer information unless you have
reliable evidence showing that there has not been, or could not
reasonably have been, unauthorized acquisition of such information.
* * * * *
0
3. In Sec. 314.4, revise the introductory text of paragraph (c) and
add paragraph (j) to read as follows:
Sec. 314.4 Elements.
* * * * *
(c) Design and implement safeguards to control the risks you
identify through risk assessment, including by:
* * * * *
(j) Notify the Federal Trade Commission about notification events
in accordance with paragraphs (j)(1) and (2) of this section.
(1) Notification requirement. Upon discovery of a notification
event as described in paragraph (j)(2) of this section, if the
notification event involves the information of at least 500 consumers,
you must notify the Federal Trade Commission as soon as possible, and
no later than 30 days after discovery of the event. The notice shall be
made electronically on a form to be located on the FTC's website,
https://www.ftc.gov. The notice shall include the following:
(i) The name and contact information of the reporting financial
institution;
(ii) A description of the types of information that were involved
in the notification event;
(iii) If the information is possible to determine, the date or date
range of the notification event;
(iv) The number of consumers affected or potentially affected by
the notification event;
(v) A general description of the notification event; and
(vi) Whether any law enforcement official has provided you with a
written determination that notifying the public of the breach would
impede a criminal investigation or cause damage to national security,
and a means for the Federal Trade Commission to contact the law
enforcement official. A law enforcement official may request an initial
delay of up to 30 days following the date when notice was provided to
the Federal Trade Commission. The delay may be extended for an
additional period of up to 60 days if the law enforcement official
seeks such an extension in writing. Additional delay may be permitted
only if the Commission staff determines that public disclosure of a
security event continues to impede a criminal investigation or cause
damage to national security.
(2) Notification event treated as discovered. A notification event
shall be treated as discovered as of the first day on which such event
is known to you. You shall be deemed to have knowledge
[[Page 77509]]
of a notification event if such event is known to any person, other
than the person committing the breach, who is your employee, officer,
or other agent.
0
4. Revise Sec. 314.5 to read as follows:
Sec. 314.5 Effective date.
Section 314.4(j) is effective as of May 13, 2024.
By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2023-24412 Filed 11-9-23; 8:45 am]
BILLING CODE 6750-01-P