The Federal Trade Commission (FTC) issued two Notices of Proposed Rulemaking (NPRMs) seeking comment on proposed amendments to the Gramm–Leach–Bliley Act (GLBA) Safeguards Rule and Privacy Rule. The comments are due 60 days after the NPRM is published in the Federal Register. The NPRMs accomplish two things. First, they address comments received several years ago when the FTC sought review of these rules pursuant to its periodic review of FTC rules and guides. Second, it proposes to amend both rules and seeks comments on those amendments.
In 2003 the FTC promulgated the GLBA’s Safeguards Rule, which provides general requirements and guidance for a financial institution’s information security program, without detailed descriptions of what the information security program should contain. The FTC’s Privacy Rule, originally promulgated in 2000, requires financial institutions to provide initial and annual privacy notices to their customers. Subsequently, in 2009 the FTC, along with other agencies that had authority under the GLBA, adopted a model form that financial institutions could use to provide the required initial and annual privacy disclosures.
The flexible approach of the Safeguards Rule was taken to give financial institutions the ability to shape information security programs appropriate for each entity’s specific size and operations and the Commission’s jurisdiction over small and large financial institutions. Also, it was written before the New York Department of Financial Services Cyber Regulations and before most of the FTC’s 60+ data security settlements.
A majority of the FTC recommends that the Safeguards Rule be amended to:
- Make the Rule clearer by including a definition of “financial institution” and related examples in the Safeguards Rule rather than including them by reference from the Privacy Rule.
- Expand the definition of “financial institution” to include entities that are engaged in activities that are incidental to financial activities, which would bring “finders” within the scope of the rule and would harmonize the Rule with other agencies’ rules.
- Include more-detailed requirements for the information security program, while continuing to base the program on a company’s risk assessment and ensuring its flexibility based on the institution’s size and complexity.
- Exempt smaller institutions from certain requirements.
Commissioners Phillips and Wilson wrote a dissenting statement, which is unusual given that the FTC is seeking comments on the proposal. The dissenting statement expressed concern that the proposed amendments may be premature and moved away from the flexible approach of the original rule.
As originally drafted, the Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. In addition, the safeguards must be reasonably designed to ensure the security and confidentiality of customer information, protect against anticipated threats to the security or integrity of the information, and protect against unauthorized access.
In 2016 the FTC solicited comments on the Rule as part of its periodic review of its rules and guides; 28 comments were received. Most commenters agreed that there was a continuing need for the Rule, some suggested that the Rule should be more specific, and others recommended that the Rule should remain flexible. Some commenters suggested that the FTC should incorporate industry frameworks, such as the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Framework or the Payment Card Industry Data Security Standard (PCI DSS), as safe harbors.
The FTC considered all the comments along with other cyber security regulatory initiatives, including the New York Department of Financial Services Cybersecurity Regulation (NY Cyber Regs) and the insurance data security model issued by the National Association of Insurance Commissioners (NAIC Model Law).
While the NPRM’s proposals are based in part on the cybersecurity regulations noted above, the proposed amendments still require that security programs be based on risk assessments. Such assessments would allow for a financial institution to develop a security program to address the specific risks and needs of the financial institution and allow the institution to respond to the changing landscape of security threats, allow for innovation in security practices, and accommodate technological changes and advances.
However, the proposed amendments include more-detailed requirements as to what should be included in a comprehensive information security program. Specifically, the proposed amendments would require financial institutions to (1) encrypt all customer data in transit and at rest, (2) implement access controls to prevent unauthorized users from accessing customer information, (3) use multifactor authentication to access customer data, and (4) designate an individual responsible for implementing, overseeing, and enforcing the security program, such as a Chief Information Security Officer. In addition, the proposed amendments would require companies to submit periodic reports to their boards of directors.
Accordingly, the FTC seeks data, research, case studies, or other evidence related to business efforts to comply with these existing cybersecurity regulations or state laws mirroring the Model Law as well as comments regarding preemption. Note, that GLBA does not preempt state laws so long as they are not inconsistent with federal law.
The NPRM also seeks comment on a proposal to amend the Safeguards Rule to require covered financial institutions to develop an incident response plan as part of their information security program. Specifically the FTC seeks comment about the potential costs and benefits of this proposal in addition to any data, research or other studies on this topic.
The proposed amendments do not include the recommendations regarding the NIST or PCI DSS framework as safe harbors, but rather seek additional comment on the workability of monitoring changing standards and adopting a safe harbor rule as needed.
Additionally, the NPRM seeks comment on a proposal to incorporate the definition of “financial institution” and the accompanying examples from the GLBA Privacy Rule into the Safeguards Rule. This proposal can best be viewed as regulatory clean-up.
By way of background, the Safeguards Rule and the Privacy Rule were promulgated prior to the creation of the Consumer Financial Protection Bureau (CFPB), and the definition of “financial institution” in the Privacy Rule was incorporated by reference to the Safeguards Rule. The Dodd-Frank Act transferred the majority of the Privacy Rule’s rulemaking authority to the CFPB with the exception of rulemaking authority pertaining to certain motor vehicle dealers. As a result, the FTC’s Privacy Rule now applies only to certain motor vehicle dealers, while the Safeguards Rule still applies to all financial institutions within the FTC’s general enforcement jurisdiction. Accordingly, the current definition of financial institution in the Privacy Rule is not in sync with the entities over which the FTC has jurisdiction under the Safeguards Rule.
Finally, when the FTC promulgated the Safeguards Rule, it was the only agency that declined to include companies engaged in activities that are “incidental to financial activities” within the definition of financial institution. Based on the Federal Reserve Board’s definition of “finding” as entities that bring together buyers and sellers, the NPR seeks to expand the definition of financial institution to include finders.
The FTC also is seeking comment on proposed amendments to its GLBA Privacy Rule.
As originally promulgated, the FTC’s Privacy Rule covered a broad range of non-bank financial institutions such as payday lenders, mortgage brokers, check cashers, debt collectors, and certain motor vehicle dealers. The 2010 Dodd-Frank Act transferred the GLBA’s privacy notice rulemaking authority from the prudential regulators to the CFPB, except the FTC retained rulemaking authority for certain motor vehicle dealers. The CFPB then restated the implementing regulations in Regulation P. In 2015, Congress amended the GLBA as part of the FAST Act. The amendment was called Eliminate Privacy Notice Confusion and provides an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to consumers. In 2014 the CFPB finalized another rulemaking that allowed financial institutions to notify consumers that a privacy notice was available online, in certain circumstances.
In 2015 the FTC published a NPRM recommending a number of changes to correspond to statutory changes resulting from the Dodd-Frank Act.
The New Proposed Changes to the Privacy Rule
While the history of how we got here may be complicated, the proposed changes to the FTC’s Privacy Rule are not. The FTC recommends three types of changes to the Privacy Rule:
- Technical changes to the Rule to correspond to the reduced scope of the Privacy Rule due to Dodd-Frank Act changes, which primarily consist of removing references that do not apply to motor vehicle dealers.
- Modification to the annual privacy notice requirements to reflect the changes made to the GLBA by the Fixing America’s Surface Transportation (FAST) Act.
- Modification to the scope and definition of “financial institution” to include entities engaged in activities that are incidental to financial activities that would bring the Privacy Rule into accord with the CFPB’s Regulation P.
Commissioners Phillips and Wilson did not write separately about these proposals for the Privacy Rule.
The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.