
Non-banking Financial Institutions Will Have to Report Data Breaches to FTC

“Non-banking financial institutions” that are otherwise regulated by the FTC (the agency cites mortgage brokers and payday lenders as examples) must report unauthorized acquisition of unencrypted customer information under a new rule likely taking effect next year. The rule change comes via an amendment to the Gramm-Leach-Bliley Act (GLB) implementing regulations that the FTC enforces. The reporting requirement will force regulated financial institutions to disclose covered breaches to the agency within 30 days of learning about them. The rule also establishes a presumption that unauthorized access includes unauthorized access to customer information unless the entity has “reliable evidence” showing that such information was not, or could not reasonably have been, acquired.

Why It Matters

The FTC has greatly expanded its reach into privacy law in the last decade, and this is a further example of its efforts. It is not surprising, given the agency's interest in consumer privacy, that it would want to beef up GLB in connection with financial institutions and data breaches. The presumption that a breach will be deemed a violation absent “reliable evidence” is a new bar, however; most data breach notice statutes do not include such a burden of proof. Any financial institution should be careful to document its efforts to encrypt – and segregate – covered information so that if it experiences a threat event, it can show such evidence that the relevant data “could not reasonably have been” acquired.

You’ll want to read the revised Rule for the specifics, but the focus is on “notification events” – defined as the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.” If a notification event “involves the information of at least 500 consumers,” the covered entity must contact the FTC “as soon as possible, and no later than 30 days after discovery of the event” using a form on the FTC’s website.
