The Federal Trade Commission (FTC) has approved an amendment to its Safeguards Rule that will require non-banking financial institutions to report certain data breaches (or “notification events”) to the FTC (not affected individuals).

The “Safeguards Rule,” short for “Standards for Safeguarding Customer Information,” was created to ensure that businesses maintain safeguards to protect the security of customer information. The Safeguards Rule already applied to financial institutions subject to the FTC jurisdiction and that aren’t subject to the enforcement authority of another regulator under the Gramm-Leach-Bliley Act. Under the Rule, financial institutions are defined as any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities. FTC guidance can help to better navigate that definition.   


While parts of the Safeguards Rule already apply to non-banking financial institutions such as mortgage brokers, motor vehicle dealers, accountants, tax preparation services, and payday lenders, the recent amendment expands the data breach reporting requirements to these entities.

The recent amendment presents a significant expansion of the obligation to provide notification of a “notification event,” even beyond what generally is required under potentially applicable state breach notification laws. Under the FTC’s amendment, the notification obligation applies to “customer information,” whereas most state breach notification laws apply to “personal information.” Remember definitions are important. While states have expanded their definitions of personal information over the years, the term is generally defined to include an individual’s first name (or first initial) and last name, together with one or more of the following data elements:

  • Social security number.
  • Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
  • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
  • Medical information.
  • Health insurance information.
  • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, is used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
  • Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5.
  • Genetic data.

The above definition is taken from California’s breach notification law that applies to certain businesses and is one of the most expansive. It also includes a username or email address, in combination with a password or security question and answer that would permit access to an online account. However, many other states include only a portion of these elements, often only those in the first three bullets above.

On the other hand, customer information is nonpublic, personally identifiable financial information maintained about a “customer.” For this purpose, a customer is a consumer with whom the financial institution has a continuing relationship to provide financial products or services for personal, family, or household purposes. In its final rule, the FTC describes customer information as follows:

The definition of “customer information” in the Rule does not encompass all information that a financial institution has about consumers. “Customer information” is defined as records containing “non-public personal information” about a customer. “Non-public personal information” is, in turn, defined as “personally identifiable financial information,” and excludes information that is publicly available or not “personally identifiable.” The Commission believes that security events that trigger the notification requirement—where customers’ non-public personally identifiable, unencrypted financial information has been acquired without authorization—are serious and support the need for Commission notification.

This definition is not limited to a specific set of data elements like Social Security numbers or financial account numbers. Also, while many state laws limit the definition of personal information to computerized data, FTC guidance provides that customer information includes “any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.”

Under the amendment, non-banking financial institutions must report “notification events” in which the data of at least 500 people has been acquired without authorization as soon as possible, and no later than 30 days after the discovery to the FTC. A few other points about the rule:

  • Notification events are defined as unauthorized acquisitions of customer information, while several state breach notification laws include unauthorized access to personal information.
  • As noted above, the final rule does not require notification to affected individuals. However, like many states, notably Maine, the FTC will publish information about the notification events it receives.
  • The FTC’s final rule does not include a risk of harm exception, which is a provision in state laws. Such provisions can be welcomed relief to businesses as they provide that even if there is a “breach” as defined under the law, notice is not required if, generally speaking, there is not a significant risk of harm to affected individuals.    

The breach notification requirement becomes effective 180 days after publication of the rule in the Federal Register. 

If you have questions about data breach reporting or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

In yet another example of its focus on imposing greater data security accountability, the New York Attorney General (“NYAG”) recently announced a significant settlement with Marymount Manhattan College (“the College”).  The settlement stems from a data breach to which the College was subject in 2021.  Following an investigation, which, according to the NYAG, revealed inadequacies in the College’s data security program, the NYAG secured a commitment from the College to invest $3.5 million over the next six years to bolster that program.  Specifically, the College committed to:

  • maintaining a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats;
  • encrypting all personal information, whether stored or transmitted, between documents, databases, or elsewhere;
  • maintaining reasonable policies to perform security updates and patch management;
  • enabling multifactor authentication for users logging into the College’s networks;
  • scanning for vulnerabilities and potential weaknesses; and
  • publicly sharing the College’s plans for collecting, retaining, and deleting personal information.

In its press release announcing the settlement, the NYAG made a point of highlighting some of its other recent six- and seven-figure settlements with organizations that have experienced data breaches, including organizations in the sportswear, healthcare, clothing, supermarket, and e-commerce spaces.  The NYAG also referenced the data security guidance it issued in April 2023, which we discussed here, outlining safeguards the NYAG views as high-priority, including access controls, encryption of sensitive information, service provider vetting and contracting, data mapping, and incident response planning. 

Given the NYAG’s heightened enforcement posture over the past couple of years, as well as the recent bolstering of the New York Department of Financial Service’s cybersecurity regulations, which we discussed here, organizations that process personal information relating to New York residents face increased pressure to continuously assess the adequacy of their data security programs and to make timely upgrades. 

Our Privacy, Data & Cybersecurity group will continue to track these developments.   

As Cybersecurity Awareness Month wraps up, it’s worth mentioning that employee security awareness training is an ongoing process. Employee error remains a significant contributing factor in data breaches. According to  the 2022 Verizon Data Breach Report, “74% of all breaches include the human element… error, privilege misuse, use of stolen credentials or social engineering.” While regular phishing simulations may help reduce the risk of clicking on a phishing email, security awareness training should also cover topics such as password management, safe Internet use, data retention and disposal, working remotely, and mobile device security. While not technically security-related, training employees on the proper use of the organization’s systems, devices, and workplace tools may help minimize inadvertent misuse that can create a vulnerability.

To close out Cybersecurity Awareness Month, here are a few tips for the workplace:

  1. Spreadsheets.

Employees have been trained to password protect spreadsheets containing sensitive information before emailing or forwarding. However, spreadsheets that appear to contain non-sensitive information can be deceptive since sensitive data can reside on untitled tabs or be hidden by filters. In a recent data breach, the publication of a spreadsheet containing non-sensitive statistics resulted in an unauthorized disclosure of personally identifiable information included on a separate tab containing sensitive source data. Training employees on how to properly use and review a spreadsheet, requiring a second set of eyes to review the spreadsheet before sending, or sending a .pdf of the spreadsheet may help minimize the risk of an unauthorized disclosure.

  1. Passwords.

Compromised credentials are a growing cause of cybersecurity incidents including business email compromises. Practicing strong password management is essential to protecting an organization’s sensitive information. At a minimum, employee passwords should be changed frequently on a predetermined schedule, not shared with co-workers, and not reused, recycled, or used across accounts. While password security seems obvious, security training awareness should include reminders about password best practices. In addition, passwords should consist of at least 13 characters including upper and lower case letters, characters, and numbers. According to Hive Systems, a 10-character password consisting of numbers, upper and lower case letters can be cracked in 22 minutes using CHATGPT hardware.

  1. Collaborative tools and communications platforms.

The use of collaboration tools in the workplace continues to grow. They also present risk. Organizations should consider providing employees with a whitelist of approved tools and implementing policies for permitted use as well as prohibited activities such as sharing passwords or sending sensitive data. Employee training can include proper use of authorized tools, creating secure accounts, and recognizing privacy risks.

  1. Email retention.

Retaining personally identifiable information for longer than needed creates a greater risk of unauthorized access or disclosure in the event of a cyberattack or business email compromise. This includes email accounts. A threat actor accessing an email account to commit wire transfer fraud will likely gain access to the contents of the account, including any sensitive information, in the process of doing so. In the absence of an email retention policy, email accounts can accumulate a significant amount of data and unauthorized access to sensitive data may constitute a reportable data breach. Organizations should ensure data retention and disposal policies and procedures address email accounts. Emails containing sensitive information should be promptly moved from the user’s email account to a secure location and important emails or records should be archived consistent with the organization’s data retention and disposal policy and schedule. Any email retention policy should be drafted to consider applicable law and potential litigation hold requirements. Employee training on email retention practices can help minimize the risk of a reportable data breach.

Regular employee training – cybersecurity and threat awareness, data protection principles, and proper use of company tools and devices – continues to be one of the best defenses and helps make Cybersecurity Awareness Month every month.

If you have questions about developing cybersecurity policies and procedures or training, reach out to a member of the Jackson Lewis Privacy, Data, and Cybersecurity Team.

Small businesses may be discouraged from investing in preventive cybersecurity measures due to the expense involved and the mistaken belief that only larger companies are the target of cybercrimes. But that is not the case. The FBI’s Internet Crime Report indicated the cost of cybercrimes against small businesses reached $2.4 billion in 2021, indicating that small businesses are squarely in the crosshairs of criminal cyber gangs.

In addition to the risk to the business itself, small businesses may be vendors of larger corporations. In many instances, the underlying business agreements may require that these vendors (small businesses) implement and maintain reasonable cybersecurity controls. Depending on the terms of the agreement, the vendor may also be obligated to indemnify the larger corporation for any data security incident that impacts the corporation’s data. For a small business, these costs could be crippling.

One important component of any cybersecurity program to help small businesses avoid cyberattacks is implementing appropriate policies and procedures that address cybersecurity, including employee training.

Some of the policies that businesses should consider include:

  • Policies to address the use of company devices on unsecured internet.
  • Requiring multifactor authentication (MFA) for remote connections and email.
  • Prohibitions against disabling or disregarding anti-virus and malware programs.
  • Instructions on proper handling of sensitive information such as client data and/or personally identifiable information (PII).

Small businesses should also require strong passwords and train employees to recognize phishing emails.

For other best practices to avoid cyberattacks, the Small Business Administration has a short guide.

If you have questions about developing cybersecurity policies and procedures, reach out to a member of the Privacy, Data, and Cybersecurity Team.

Many HIPAA covered entities and business associates struggle with developing and implementing a sanctions policy. What should it say, is zero-tolerance required, do we have to impose discipline in every case, etc. These are examples of frequent and thorny questions that arise in connection with the development and implementation of these policies. But they are important questions to answer, especially considering the federal Office for Civil Rights (OCR) position concerning these policies.

The healthcare industry continues to sit at or near the top of lists of industries affected by data breaches, whether caused by cyber criminals or self-inflicted wounds. These data breaches can take many forms – ransomware, social engineering, snooping, misdirected patient data, responding to patient complaints, tracking technologies, etc. as observed by the Office for Civil Rights – with human error behind many of them. In its October 2023 Newsletter, the OCR points to sanctions policies as an “important tool” for supporting accountability and improving cybersecurity and data protection.

In August 2022, the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) released a threat brief. The brief explores various tactics employed by hackers to infiltrate healthcare information systems and recommended several measures to combat social engineering, including holding “every department accountable for security.” This means having and implementing sanctions policies.

HIPAA expressly requires sanctions policies. Written sanction policies are required under both the HIPAA Privacy and Security Rules:

  • The Privacy Rule requires covered entities to “have and apply appropriate sanctions against members of its workforce who fail to comply with the privacy policies and procedures of the covered entity or the requirements of [the Privacy Rule] or [the Breach Notification Rule].” 45 CFR 164.530(e)(1).
  • The Security Rule requires covered entities and business associates to: “[a]pply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.” 45 CFR 164.308(a)(1)(ii)(C).

The OCR notes that sanction policies can play a pivotal role in fostering a culture of HIPAA compliance and enhancing cybersecurity. The knowledge that noncompliance comes with negative consequences acts as a powerful deterrent. Educating employees about the organization’s sanction policy reinforces their understanding of compliance obligations and the repercussions of noncompliance.

Yes, but what should they say? Fortunately, the HIPAA rules and the OCR’s interpretation of those rules have consistently permitted flexibility in sanctions policies due to the diverse nature of healthcare organizations. However, while this flexibility means no specific penalties or methodologies are required, there appears to be an expectation that some sanction would be imposed in many cases involving a data breach.

The OCR reminds the healthcare community that some of its enforcement actions have been based on violations of HIPAA’s sanction policy requirement. In one case, the OCR settled with an allergy center for $125,000 and a corrective action plan. The settlement was based on allegations that a doctor improperly discussed a patient’s PHI with a reporter, and that the allergy center…

“failed to take any disciplinary action against the doctor or take any corrective action following the impermissible disclosure to the media”

When putting together a sanctions policy, there is no one-size-fits-all approach. Indeed, covered entities and business associates may structure their sanction policies in the manner most suitable to their organization. However, the OCR offers the following items to consider when drafting or updating the policy:

  • Documenting or implementing sanction policies through a formal process.
  • Requiring workforce members to acknowledge that policy violations may result in sanctions.
  • Detailed documentation of the sanction process, including personnel involved, procedural steps, timeframes, reasons for sanctions, and investigation outcomes.
  • Tailoring sanctions to the nature and severity of the violation.
  • Adapting sanctions based on factors such as intent, severity, and patterns of improper use or disclosure.
  • Offering a range of sanctions, from warnings to termination.
  • Providing examples of potential policy violations.

By considering these elements, regulated entities can craft well-documented sanction policies that communicate expectations clearly, deter misconduct, and promote compliance. But, as noted above, it is not enough to have a sanctions policy, it must be implemented. Implementation means, among other things:

  • Delegating the process of imposing sanction appropriately, which may mean involving the Human Resources, Compliance, and/or the Legal departments.
  • Ensuring that the sanctions policy is administered consistently.
  • Documenting the sanctions process.
  • Retaining records of the sanctions process for six years under the HIPAA retention rule.

Sanction policies are not just a compliance requirement; they are a valuable tool for healthcare organizations to establish clear compliance obligations, hold workforce members accountable, and maintain the privacy and security of PHI. In an era marked by heightened cybersecurity threats, it is essential that regulated entities prioritize sanction policies to ensure HIPAA compliance. By doing so, they can create a culture of accountability, understanding, and transparency, ultimately safeguarding sensitive health information from potential breaches and threats.

On September 11, 2023, Delaware’s Governor signed House Bill 154 which enacts the state’s comprehensive consumer data privacy statute. Delaware joins  CaliforniaColoradoConnecticutIndianaIowaMontanaOregon, TennesseeTexasUtah, and Virginia in enacting a comprehensive consumer privacy law. 

The law will take effect on January 1, 2025.

To whom does the law apply?

The statute applies to persons who conduct business in the state or persons who produce products or services that are targeted to residents of the state and who during the prior calendar year did any of the following:

  • Controlled or processed the personal data of 35,000 consumers or more, excluding personal data controlled or processed for the purpose of completing a payment transaction.
  • Controlled or processed personal data of 10,000 consumers or more and derived more than 20 percent of their gross revenue from the sale of personal data.

Hereafter, covered businesses are referred to as controllers.

However, the statute does not apply to the following entities:

  • Any regulatory, administrative, advisory, executive, legislative, or similar body of Delaware.
  • Any financial institution subject to Title V of the Gamm Leach Bliley Act.
  • Any non-profit organization dedicated exclusively to preventing and addressing insurance crime.

Who is protected by the law?

The law protects consumers which is defined under the law as an individual who is a resident of Delaware but does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor whose communications or transaction with the controller occur solely within the context of the individual’s role with the entity.

What data is protected by the law?

The law protects personal data which means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include de-identified data or publicly available information.

The statute does not apply to certain health data including protected health information under the Health Insurance Portability and Accountability Act (HIPAA).

What are the rights of consumers?

Under the statute, consumers have the following rights:

  • To confirm whether a controller is processing the consumer’s personal data.
  • To access personal data processed by a controller.
  • To correct inaccuracies in the consumer’s personal data.
  • To delete personal data provided by or obtained about the consumer.
  • To obtain a copy of the consumer’s personal data processed by the controller.
  • To obtain a list of the categories of third parties to which the controller has disclosed the consumer’s personal data.
  • To opt out of the processing of the personal data for purposes of targeted advertising and profiling.

What obligations do businesses have?

Generally, a covered controller shall respond to a consumer exercising their rights under the statute without undue delay but not later than 45 days after receipt of the request. The controller may extend the response person by 45 additional days when reasonably necessary based upon the complexity and number of requests and other factors.

Information provided to a consumer in response to a request shall be provided free of charge, once per consumer during any 12-month period.

If the controller declines to take action in response to a consumer request they must inform the consumer without undue delay, but not later than 45 days after receipt of the request.

Moreover, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which the data is processed.

Controllers must also establish and maintain reasonable administrative, technical, and physical data security practices to protect personal data.

Further, controllers must provide reasonably accessible, clear, and meaningful privacy notices that include the following:

  • The categories of personal data processed by the controller.
  • The purposes for processing the personal data.
  • How consumers may exercise their rights under the statute.
  • The categories of personal data that the controller shares personal data.
  • An active electronic mail address or the online mechanism that the consumer may use to contact the controller.

Processors of data also have enumerated obligations under the statute.

How is the law enforced?

Delaware’s Department of Justice has enforcement authority over the statute and may investigate and prosecute violations.

There is no private right of action under the statute.

If you have questions about Delaware’s privacy law or related issues please reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

Cyber incidents are on the rise with no signs of slowing down, particularly in the healthcare industry. To combat this trend, on September 27, 2023, the U.S. Food and Drug Administration (FDA) released guidance on cybersecurity in medical devices for quality system considerations and on premarket submissions. The guidance is intended to replace the FDA’s 2014 Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.

In the introduction to the guidance, the FDA acknowledged the increase in integration of wireless, Internet-, and network-connected capabilities in portable media and the frequent exchange of medical device-related health information, which created a need for more “robust cybersecurity controls to ensure medical device safety and effectiveness . . . .”

The guidance covers relevant cybersecurity considerations that may affect device safety and effectiveness, including but not limited to software, hardware, and firmware.

The FDA guidance recommends “designing for security” stating that when it reviews premarket submissions, it will assess a device’s cybersecurity based on a number of factors. Premarket submissions should include information that describes how security objectives are addressed and integrated into the device’s design. The guidance emphasizes that cybersecurity is part of device safety and the quality system requirements found under federal regulations, which may be relevant at the premarket stage, postmarket stage, or both.

The guidance provides recommendations on:

  • Testing and validating connected devices against breaches that affect multiple connected devices;
  • Labeling for devices with cybersecurity risks;
  • Developing cybersecurity management plans that communicate how the manufacturer will identify and communicate postmarket vulnerabilities in accordance with federal regulations; and
  • Providing an updateability/patchability view that describes the end-to-end process permitting software updates and patches to be provided/deployed once the device is in the field.

The FDA will host a webinar to discuss its new guidance on November 2, 2023.

If you have questions on the FDA guidance or related issues, contact a member of our Privacy, Data, and Cybersecurity practice group to discuss.

There are numerous cybersecurity regulations and requirements for businesses to worry about but they may not be considering their cybersecurity regulations under privacy statutes. California was at the forefront of privacy regulations with the passage of the California Consumer Privacy Act (CCPA). Lawsuits under the CCPA began almost immediately after it was enacted in 2020. Since its enactment, there have been over 300 cases filed under the CCPA. Although enforcement of the CCPA largely lies with the California Attorney General (and is now shared with the California Privacy Protection Agency), this has not stopped plaintiffs from creatively trying to expand the statute’s private right of action which includes data breaches.  

The CCPA authorizes a private cause of action against a covered business if its failure to implement reasonable security safeguards results in a data breach affecting personal information. If successful, a plaintiff can recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper.

Plaintiffs’ counsel are attempting to use this requirement under the CCPA to bring class action lawsuits. In a recent case in California district court, the plaintiff brought claims under the CCPA’s reasonable security safeguards requirement for the defendant’s alleged sharing of consumer data.

The CCPA claim was eventually dismissed in part because the court found the CCPA’s right of action is limited to the data breach context and not to the intentional sharing of data.

But this may not be the final word on the use of the CCPA cybersecurity requirements. It is likely plaintiffs’ counsel will continue to look for ways to use the reasonable security safeguards requirements to their advantage.

If you have questions about the CCPA Cybersecurity requirements or related issues, contact a Jackson Lewis attorney to discuss.

On October 8, 2023, Governor Newsom signed Assembly Bill (AB) 947. Effective January 1, 2024, the bill will revise the California Consumer Privacy Act (CCPA) definition of “sensitive personal information” to include personal information that reveals a consumer’s citizenship or immigration status.

Under the CCPA, consumers have certain rights with regard to their personal information, including enhanced notice, access, and disclosure; the right to deletion; the right to restrict the sale of information; and protection against discrimination for exercising these rights. The CCPA was amended by the California Privacy Rights Act (CPRA) which created a new category of “sensitive personal information” and provides rights with regard to this information including restricting businesses’ use of sensitive information.

Companies covered by the CCPA/CPRA should review privacy policies and procedures to ensure that immigration and citizenship are covered as sensitive information.

If you have questions about AB 947 or related issues, reach out to a member of our Privacy, Data, and Cybersecurity practice group to discuss.

This year, Indiana joined several other states to pass a comprehensive consumer privacy law, that becomes operative on January 1, 2026. Like other consumer privacy laws, Indiana’s law requires businesses to establish reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data, which implicates cybersecurity concerns. However, the privacy law is not the only data protection/cybersecurity law in Indiana.  

Data Breach Notification for All Businesses

Indiana passed a security breach notification statute in 2006, which provides Indiana residents with the right to know about a security breach that has resulted in the exposure of their personal information.

Under the law, personal information includes social security number or an individual’s name in combination with any one or more of the following data elements: driver’s license number, account number, a state identification card number, a credit card number, a financial account number, or a debit card number in combination with any required security code.

In the event of a breach the business must notify affected consumers, consumer reporting agencies (if more than one thousand consumers are impacted) and the Attorney General’s office.

In 2022, the state modified the statute to require notification without unreasonable delay, but not more than forty-five (45) days after the discovery of the breach.

Reasonable Procedures to Secure

Under the state’s data breach notification requirements, database owners are required to maintain their own data security procedures in compliance with federal statutes. Moreover, they must implement and maintain reasonable procedures, including taking appropriate corrective action to protect and safeguard from unlawful use or disclosure of any personal information.

Cyber Incident Reporting for Public Entities

In 2021, Indiana adopted a Cyber Incident Reporting Law, to empower the Indiana Office of Technology to coordinate warning and preparation efforts to avoid and combat cybersecurity threats.

Under the law, public sector entities must report incidents such as ransomware, software vulnerability exploitations, denial of service attacks, and more within 48 hours of discovery to the Office of Technology. This law covers counties, municipalities, townships, school corporations, library districts, local housing authorities, fire protection districts, public transportation corporations, local building authorities, local hospital authorities or corporations, local airport authorities, special service districts, special taxing districts, or other separate local governmental entities.

Data Destruction

Indiana also has specific requirements for the protection of data when disposing of it. Under the statute, a person who disposes of the unencrypted, unredacted personal information of a customer without shredding, incinerating, mutilating, erasing, or otherwise rendering the information illegible or unusable commits a Class C infraction. Class C infractions carry a $500 fine. However, the offense is a Class A infraction if:

(1) the person violates this section by disposing of the unencrypted, unredacted personal information of more than one hundred (100) customers; or

(2) the person has a prior unrelated judgment for a violation of this section.

A Class A infraction can carry up to a $10,000 fine.

Further State Resources

The State of Indiana has also established a Cybersecurity Hub with resources for public and private entities, that includes practical guidance.

If you have questions about cybersecurity or related issues contact a member of our Privacy, Data, and Cybersecurity practice group.