16 CFR §314.2 — Definitions (FTC GLBA Safeguards Rule)
16 CFR §314.2 defines the operational terms of the FTC Safeguards Rule — including customer information, multi-factor authentication, notification event, security event, and service provider.
Verbatim regulatory text
Verbatim provisions from 16 CFR §314.2 — Definitions (FTC GLBA Safeguards Rule) — each quote is a verified substring of the regulator-published source snapshot, not retyped. Quoted for reference; this is not legal advice. The operational layer (P&P updates, prompts) lives in the regulation update kits.
16 CFR §314.2(d) — Customer information definition
(d) Customer information means any record containing nonpublic personal information about a customer of a financial institution , whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
16 CFR §314.2(k) — Multi-factor authentication definition
(k) Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors:
16 CFR §314.2(m) — Notification event definition
(m) Notification event means acquisition of unencrypted customer information without the authorization of the individual to which the information pertains. Customer information is considered unencrypted for this purpose if the encryption key was accessed by an unauthorized person. Unauthorized acquisition will be presumed to include unauthorized access to unencrypted customer information unless you have reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.
16 CFR §314.2(q) — Security event definition
(q) Security event means an event resulting in unauthorized access to, or disruption or misuse of, an information system, information stored on such information system, or customer information held in physical form.
16 CFR §314.2(r) — Service provider definition
(r) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.
16 CFR §314.2(k) — Multi-factor authentication definition — enumerated items (chapeau recall fix)
(1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics.