FTC Publishes Final Breach Reporting Requirements Under the Safeguards Rule

The Federal Trade Commission released its final breach reporting requirements under the latest revision of the Safeguards Rule. The reporting requirements take effect on May 13, 2024.

On November 13, 2023, the Federal Trade Commission (FTC) released the final breach reporting requirements under the revised Safeguards Rule. The requirements state that covered entities must report notification events involving the customer information of at least five hundred consumers to the FTC. The requirements take effect on May 13, 2024.

Background

The FTC finalized revisions to the Safeguards Rule in December 2021. At that time, the Commission also issued a supplemental notice of proposed rulemaking (SNPRM) regarding whether the Commission should adopt a provision under the rule requiring entities to provide notice to the FTC of certain security events. The SNPRM struck a relatively reasonable balance between meeting the FTC's needs as a regulator and minimizing the reporting burden on the regulated community, including higher education institutions.[1]

EDUCAUSE submitted comments on the proposal in partnership with the American Council on Education (ACE) and several other groups. Our comments provided feedback from the higher education perspective, particularly on specific questions the FTC raised in the SNPRM. Below is a summary of those points.[2]

  • Whether security event reports should be made publicly available. EDUCAUSE found the FTC's stated preference in the SNPRM for making reports publicly available to be counterproductive, and we noted in our comments that doing so would likely cause undue concern among institutional stakeholders. We explained that while the proposed reports would help the FTC determine where to focus its compliance assistance efforts, the reports would lack sufficient context to provide meaningful information to students, parents, and others. Should the FTC choose to publicly disclose the reports, we urged the Commission to delay doing so for at least a year, affording entities sufficient time to complete remediation before an event is made public on a federal government website.
  • Whether the reporting requirement should exclude events involving encrypted information. EDUCAUSE recommended that the FTC clearly state that entities are not required to report events involving encrypted information when there is no reasonable basis to believe the encryption has been compromised.
  • Whether an entity should be allowed to delay reporting to the FTC if a law enforcement agency asks it to refrain from sharing information unless or until the agency approves such reporting. EDUCAUSE noted that the Commission should allow an entity to honor such a request and delay reporting, adding that the FTC could permit the entity to inform the FTC that the request had been made.

The Final Requirements

The final reporting requirements largely mirror the substance of the SNPRM in terms of what an institution must report to the FTC and how it must transmit that information. An entity must report any "notification event" involving customer information (as defined by the Safeguards Rule) of at least five hundred consumers to the FTC via a web form on the FTC website, as soon as possible and no later than thirty days after the entity discovers the event, and the report must specifically include: (1) the name of the institution and its contact information; (2) a description of the types of information involved; (3) the date or date range of the breach, if it can be determined; (4) the number of consumers affected; (5) a general description of the event; and, (6) if applicable, whether a law enforcement official has notified the institution in writing that making information about the event public would impede "a criminal investigation or cause damage to national security." (In cases where law enforcement has provided such notification, the affected entity must include information on how the FTC can contact the official, and the FTC will hold the report from public posting for an initial thirty days, which the official may ask to extend.)

The final requirement makes notification event reports publicly available on the FTC's website as they are received, despite the recommendation in our SNPRM comments to avoid public disclosure. The FTC also declined to adopt our recommendation that entities be allowed to delay disclosure until they have had time to remediate the incident before it is shared with the public.

EDUCAUSE members should note that under the final requirement, a "notification event" is defined as the "acquisition of unencrypted customer information without the authorization of the individual to which the information pertains." Furthermore, the FTC notes that "customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person." The FTC agreed with our comments regarding encrypted data, stating that "notification should not be required when harm to consumers is rendered extremely unlikely because the customer information is encrypted." In that vein, the requirement explicitly states that notification is not required "if the customer information acquired is encrypted, so long as the encryption key was not accessed by an unauthorized person."

With these points in mind, Safeguards Rule compliance should substantially reduce the likelihood that an entity triggers the reporting requirement, given that the rule requires customer information to be encrypted both in transit over external networks and at rest. Note that the exemption turns on the key, not merely the ciphertext: if an attacker who acquires encrypted records also accessed the encryption key (for example, because the key was stored on the same compromised system as the data), the information counts as unencrypted and the event is reportable. Institutions should therefore confirm that keys are stored and managed separately from the data they protect and that key access is logged, so that the question of whether a key was accessed can actually be answered during an incident investigation. And while the FTC declined to heed our call to refrain from making notification event reports public, the EDUCAUSE Policy team believes that, because the final requirement explicitly keeps encrypted data with an uncompromised key outside the scope of reporting, the volume of reports is unlikely to be high enough to make public posting problematic. That said, institutions must begin following the Safeguards Rule reporting requirements on May 13, 2024.

EDUCAUSE will keep members apprised of any subsequent developments in the Safeguards Rule compliance space.

Notes

  1. Federal Trade Commission, "Standards for Safeguarding Customer Information," 16 CFR 314, Federal Register 86, no. 234 (December 9, 2021): 70272–70314; Federal Trade Commission, "Standards for Safeguarding Customer Information," 16 CFR 314, Federal Register 86, no. 234 (December 9, 2021): 70062–70067; Jarret Cummings, "Higher Ed Responds to Proposed Safeguards Rule Reporting Requirement," EDUCAUSE Review, March 3, 2022.
  2. Jarret Cummings, "Higher Ed Responds to Proposed Safeguards Rule Reporting Requirement," EDUCAUSE Review, March 3, 2022.

Kathryn Branson is a Partner with Ulman Public Policy.

© 2023 Kathryn Branson. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.