More sophisticated cybersecurity threats are taking place every day, and regulatory entities are responding by forcing companies to focus on their cybersecurity plans. Their methods for doing so run the gamut from creating new notification requirements to charging companies, and the executives who oversee their cybersecurity, with crimes. Now more than ever, it is imperative that companies stay apprised of these regulatory developments, not only to remain compliant with the law, but to maintain strong and vigilant cybersecurity plans.

New Reporting Requirements for Data Breaches Under the Safeguards Rule

On October 27, 2023, the Federal Trade Commission (FTC) announced an amendment to the Gramm-Leach-Bliley Act (GLBA)'s Safeguards Rule, 16 CFR § 314, that now requires non-banking financial institutions1 to report data breaches to the FTC directly. Under the Amended Rule, a “notification event” is a security breach involving the “acquisition of unencrypted customer information without the authorization of the individual to which the information pertains.”2

Customer information is defined as nonpublic, personally identifiable information about a customer, and the notification obligation is only triggered if the security breach affects a minimum of 500 customers. Notification is not required, however, when harm to customers is unlikely due to encryption.

The “notification event” must be reported to the FTC as soon as possible, but no later than 30 days after discovery of the event, via a form on the FTC's website (§314.2-4). The following information must be reported:

  • The name and contact information of the reporting financial institution;
  • A description of the types of information involved in the notification event;
  • The date or date range of the notification event; and
  • A general description of the notification event.

The FTC will publish this information in a publicly available database, although publication may be delayed based on a request from law enforcement. The FTC did not add a requirement to notify affected individuals, likely because data breach notification requirements already exist at the state level.

While the Amended Rule clarifies that the trigger of a “notification event” is the discovery of unauthorized acquisition of unencrypted customer information, it now provides a rebuttable presumption that “unauthorized acquisition will [ ] include unauthorized access unless the financial institution can show that there has not been, or could not reasonably have been, unauthorized acquisition of such information.”

As a result of this new rule, non-banking financial institutions should review their security policies and incident response plans to address these notification requirements and also be aware that this information will now be publicly available.

This amendment will go into effect 180 days after its publication in the Federal Register, in April 2024. For more information, see the FTC's Standards for Safeguarding Customer Information Final Rule.

Security Executives Held Personally Liable for Faults in Cybersecurity

In another move that should make entities take a hard look at their cybersecurity program, the US Securities and Exchange Commission (SEC) now has its eyes on not only the companies that fail to protect their customers and data, but the executives in charge of those companies' cybersecurity programs. News Flash: An executive's failure to implement proper cybersecurity practices could lead to personal liability.

The SEC recently filed a complaint against Texas-based software company SolarWinds Corporation and its Chief Information Security Officer (CISO), Timothy G. Brown, for fraud and internal control failures. The SEC alleged that SolarWinds made disclosures in a security statement proclaiming a strong cybersecurity program, including secure development lifecycles, all-encompassing password policies, and access controls for sensitive data. Internal reviews, however, revealed a different story – one with vulnerabilities that even Brown himself admitted left inappropriate access and privilege to critical systems and data.3 Making matters worse, it was uncovered in the government's investigation that Brown and SolarWinds apparently provided incomplete disclosures of cyber-attacks. According to the complaint, both SolarWinds and its CISO not only ignored the red flags but portrayed a safe and well-protected cybersecurity environment to the public and the SEC.

This is not the first time an executive has been charged in connection with a company's failure to employ proper cybersecurity practices. In October 2022, a jury convicted the former Chief Security Officer (CSO) of Uber of obstructing FTC proceedings and failing to report a felony based on his role in the cover-up of Uber's massive 2016 breach.4 The FTC had begun an investigation into Uber's data security practices and asked Uber to disclose significant information regarding instances of unauthorized access. Joseph Sullivan had been CSO for about one month prior to this request and reported to the FTC that Uber had taken steps to keep customer data secure. During this investigation, Uber experienced another hack that resulted in the theft of 57 million Uber user records and 600,000 driver's license numbers. Sullivan did not report it. Instead, he arranged for the payment of $100,000 in bitcoin to the hackers and made them sign non-disclosure agreements to remain silent. Subsequently, Uber's new CEO investigated the 2016 breach, discovered Sullivan's attempted cover-up, and fired him. After disclosure to the FTC, Sullivan was charged and was recently found guilty of obstruction of justice and concealing a felony. He was sentenced to three years of probation in May of 2023 and ordered to pay a $50,000 fine.

These two suits highlight the need for companies and cybersecurity officers to ensure proper practices and compliance with legal, regulatory, and ethical obligations to protect company and customer information.

Footnotes

1. A non-banking financial institution provides bank-like financial services but is not legally a bank, meaning it does not hold a banking license and is not supervised by any banking regulatory agency. Examples include, but are not limited to, automobile dealerships, real estate appraisers, mortgage brokers, state-registered investment advisors (and exempt reporting advisers), and agencies that provide financial products or services.

2. FTC's Standards for Safeguarding Customer Information Final Rule

3. SEC.gov | SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures

4. https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.