“Non-banking financial institutions” that are otherwise regulated by the FTC (the agency cites mortgage brokers and payday lenders as examples) must report unauthorized acquisition of unencrypted customer information under a new rule likely taking effect next year. The rule change comes via an amendment to the Gramm-Leach-Bliley Act (GLB) implementing regulations that the FTC enforces. The reporting requirement will force regulated financial institutions to disclose covered breaches to the agency within 30 days of learning about them. The rule also establishes a presumption that unauthorized access to customer information includes unauthorized acquisition of that information unless the entity has “reliable evidence” showing that such information was not, or could not reasonably have been, acquired.
Why It Matters
The FTC has greatly expanded its reach into privacy law in the last decade, and this is a further example of its efforts. It is not surprising, given the agency's interest in consumer privacy, that it would want to beef up GLB in connection with financial institutions and data breaches. The presumption that a breach will be deemed a violation absent “reliable evidence” is a new bar, however; most data breach notice statutes do not include such a burden of proof. Any financial institution should be careful to document its efforts to encrypt – and segregate – covered information so that, if it experiences a threat event, it can produce evidence that the relevant data “could not reasonably have been” acquired.