Safeguards Snafu? The Anomalous New Provision in the FTC’s Gramm-Leach Bliley Safeguards Rule
Last week, the FTC announced that it had finalized its rulemaking to add data breach notification provisions to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. As expected, the new provisions require non-bank financial institutions to provide notice to the FTC of data incidents meeting certain thresholds and detail the trigger for, and content and timing of, the notice. The FTC’s proposal elicited only 49 comments, perhaps because most stakeholders thought that the new requirements were inevitable and would be fairly routine. After all, the federal banking agencies have long required data breach notification under GLBA, every state in the country has a data breach law, and the Commission was only proposing that notice be given to the FTC, not to consumers.