Justification for No Material/Non-substantive Change
(in the Supplemental Documents at the Manage Documents screen)
Justification statements for the non-substantive changes.
1. Delete first paragraph (“The Safeguards Rule requires covered financial institutions to
report to the FTC security events affecting 500 or more people. Your report may be made
public. If law enforcement has requested a delay in making this report public, please
check the appropriate box below.”).
Justification: This is a de minimis change. The quoted language is duplicated
immediately below the OMB Expiration Date.
2. Move the bolded sentence (“You should receive a reply email within two business days
with instructions for the secure electronic submission of encrypted documents”) to a
stand-alone paragraph and revise as follows:
“Third party entities (such as attorneys or service providers) may submit reports on
behalf of the financial institution(s) affected by the security event. If you are a third party
submitting a single report on behalf of multiple financial institutions, you may wish to
check the box below for “Request Secure File Transfer Link” to provide that additional
information. You should receive a reply email within two business days with instructions
for the secure electronic submission of encrypted documents.”
Justification: This change is non-substantive and does not increase the burden of the
collection. Allowing an attorney or service provider to notify the FTC of a single event on
behalf of multiple financial institutions would not increase the scope or burden of
information collected, and in many cases, may dramatically reduce the burden on both
the financial institutions and the FTC. For example, if hundreds of financial institutions
were breached due to a flaw in the data security of a common service provider, it would
be more efficient for the service provider to provide the breach notification on behalf of
the hundreds of financial institutions rather than having hundreds of financial institutions
submit duplicative breach notifications. In that example, the service provider would not
be able to identify on a single breach notification form every financial institution on
whose behalf the service provider was reporting a breach, because the information would
not fit on the form. Instead, the service provider would be able to check the “Request
Secure File Transfer Link” and then provide a comprehensive submission to the FTC
through that link – e.g., a spreadsheet that identifies each financial institution on whose
behalf the service provider is reporting. In fact, even without this language in the existing
form, service providers have provided the Commission with spreadsheets containing the
names of multiple financial institutions who have experienced a breach of customer
information, rather than the multiple financial institutions all providing individual and
duplicative breach notifications. Adding this language would formalize the availability of
that option.
3. Add a check box labeled “This is an update to an existing report” under the box labeled
“Name of Affected Financial Institution.”
Justification: This change is non-substantive and does not increase the burden of the
collection. About 30% of the time, financial institutions end up providing an update to a
previously submitted notification – e.g., because information submitted in the initial
notification turns out to be erroneous after further investigation. This change would
provide financial institutions with a method to submit updated information about the
breach without requiring them to locate and update their report themselves.
4. Below the box labeled “Contact Person at Affected Financial Institution” consolidate the
“First Name” and “Last Name” into one box labeled “First and Last Name.”
Justification: This is a de minimis change. It is more efficient to consolidate the first and
last names into one box. The contact information for a point of contact at the Affected
Financial Institution provides an efficient way for the government to reach out to the
financial institution to confirm that the breach notification is authentic.
5. Add new boxes labeled “Submitter Contact Information (if notification is submitted by a
third party)” “Company or Firm Name” “First and Last Name” “Email” and “Phone”
below the boxes labeled “Contact Person at Affected Financial Institution” “First and
Last Name” “Email” and “Phone.”
Justification: This change is non-substantive. “Submitter Contact Information” provides
a clear way for a person other than the Contact Person at the Affected Financial
Institution, such as a third-party attorney or service provider, to submit their contact
information. This change facilitates the filing of one third-party breach report that would
otherwise require multiple financial institutions to file individual breach reports.
6. Add a header entitled: “Notification Event Information” above the box for “Start date of
notification event.”
Justification: This is a de minimis edit for clarity.
7. Add a checkbox for “Request Secure File Transfer Link” under the box labeled
“Summary of Notification Event.”
Justification: This change is non-substantive and does not increase the burden of the
collection. This checkbox would not increase the scope or burden of information
collected, and in many cases, may dramatically reduce the burden on both the financial
institutions and the federal government. For example, if hundreds of financial institutions
were breached due to a flaw in the data security of a common service provider, it would
be more efficient for the service provider to provide one breach notification on behalf of
the hundreds of financial institutions. In that example, the service provider would not be
able to identify on a single breach notification form every financial institution on whose
behalf the service provider was reporting a breach, because the information would not fit
on the form. Instead, the service provider would be able to check the “Request Secure
File Transfer Link” and then provide a comprehensive submission to the FTC through
that link – e.g., a spreadsheet that identifies each financial institution on whose behalf the
service provider is reporting. In fact, even without this checkbox available, service
providers have provided the Commission with spreadsheets containing the names of
multiple financial institutions who have experienced a breach of customer information,
rather than the multiple financial institutions all providing individual and duplicative
breach notifications. Adding this checkbox would formalize the availability of that
option.
Estimate for any additional burden associated with non-substantive changes.
As explained in the justifications above, we believe the non-substantive changes will only
minimally affect burden for the reporting financial institutions. For the reasons explained earlier
in items #2 and #7 above, these changes may dramatically decrease the burden in many cases.
Nevertheless, we have minimally adjusted upward our burden estimates from 5 hours per
respondent to 5.25 hours.
| File Type | application/pdf |
| File Title | Microsoft Word - Justification for Nonmaterial Changes to Reporting Form-2026.docx |
| Author | rgold |
| File Modified | 2026-01-27 |
| File Created | 2026-01-27 |