As a Security Advisor for CampusGuard, I’ve discovered that many in the compliance community are unaware of a new requirement of the Gramm-Leach-Bliley Act (GLBA) that was quietly launched in the fall of 2023. The GLBA now requires non-bank financial organizations—including higher education institutions—to report most data breaches to the Federal Trade Commission.
Because of this, most CampusGuard customers (and other institutions of higher learning) may need to update their security policies and procedures, including incident response plans, vendor contracts, and internal audit processes, to comply with the new requirements.
Background
On November 13, 2023, the FTC published an amendment to the GLBA’s Safeguards Rule that added a data breach reporting requirement. Included in the amendment is a new definition, 314.2(m), and a new subsection, 314.4(j). The changes went into effect on May 13, 2024.
The Notification Event
The rule adds a new term to the GLBA: Notification Event. A notification event is, in effect, a data breach, defined as the acquisition of unencrypted customer information without the authorization of the individual to whom that information pertains.
Customer information, even if it is encrypted, is treated as “unencrypted” by the rule in either of two cases: an unauthorized party obtains it in clear-text form, or the encryption/decryption key has been accessed by an unauthorized person.
However, theft of encrypted data without the encryption/decryption key is not considered a notification event (because, for all practical purposes, it is unreadable).
The Reporting Requirement
A covered institution must, upon learning of a notification event that involves the information of at least 500 consumers, notify the Federal Trade Commission as soon as possible (and no later than 30 days after discovery of the event) using the electronic form located on the FTC website.
For GLBA purposes, an organization is considered to know of the event as of the first day on which such event becomes known to any person (other than the person committing the breach) who is an employee, officer, or agent of the organization.
What Must Be Reported
The required report to the FTC must contain the following:
- The name and contact information of the reporting financial institution;
- A description of the types of information that were involved in the notification event;
- The date or date range of the notification event, if it can be determined;
- The number of consumers affected or potentially affected by the notification event;
- A general description of the notification event; and
- Whether any law enforcement official has provided the institution with a written determination that notifying the public of the breach would impede a criminal investigation or cause damage to national security, and a means for the Federal Trade Commission to contact the law enforcement official.
Reporting Countdown
Remember, the 30-day reporting countdown starts when the event first becomes known to anyone in your organization (other than the attacker).
If you have any questions about the new reporting rule and how it affects you, please contact CampusGuard for assistance. We are your trusted partner in helping you achieve GLBA compliance.
Additional Resources
- Federal Register, U.S. Government: Standards for Safeguarding Customer Information
- Federal Trade Commission (FTC): Gramm-Leach-Bliley Act
- FTC: Safeguards Rule notification requirement now in effect
- CampusGuard: Avoid These 8 Common GLBA Violations
- CampusGuard: How to Prepare for a GLBA Audit
- CampusGuard: GLBA Safeguards Rule: Penetration Testing Requirements
To access more GLBA videos, visit our GLBA playlist on YouTube.