The FTC today announced a request for public comment on the Standards for Safeguarding Consumer Information Rule (the Safeguards Rule). The FTC promulgated the Safeguards Rule in 2002, implementing Title V of the Gramm-Leach-Bliley Act (GLBA), which required federal agencies to establish standards for the administrative, technical, and physical safeguards employed by financial institutions for certain information. In addition to general requests for comment, the FTC requested that five specific issues be addressed, which we have outlined below. Comments are due by November 7, 2016.

The Safeguards Rule

The FTC’s Safeguards Rule applies to the treatment of “customer information” by “financial institutions.” The FTC now seeks comment on the scope of the Rule; particularly the definition of “financial institution.” The Safeguards Rule currently only applies to those financial institutions over which the FTC has jurisdiction—not all financial institutions—for example, banks, credit unions, thrifts, investment advisers, broker-dealers, and insurance companies (for much of their activities). For purposes of the Safeguards Rule, a financial institution is “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)).” Any institution that is “significantly engaged” in financial activities would qualify as a financial institution. Unlike other agencies, the FTC restricted its understanding of the term “financial activities” to those activities that are truly financial in nature, and excluded activities that were incidental or complementary to financial activities. The FTC Request for Comment seeks comment on whether to amend the Rule to include “incidental” activities or activities that were determined to be financial in nature after 1999 (when the GLBA was enacted) or incidental to those activities.

In addition, the Safeguards Rule only applies to “customer information,” which is a narrower category of information than some might expect. Customer information refers to all nonpublic personal information about a financial institution’s customers. However, “customers” are only those consumers (individuals who obtain or have obtained a financial product or service from the financial institution) with a continuing relationship with a financial institution that provides a financial product or service to be used primarily for personal, family, or household purposes. The FTC is not specifically seeking comment on the definition of customer information.

The Safeguards Rule requires that financial institutions develop, implement, and maintain a comprehensive information security program, which consists of administrative, technical, and physical safeguards regarding the access, collection, distribution, processing, protection, storing, use, transmission of, disposal of, or other handling of customer information. The Rule requires that the safeguards be appropriate given the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the customer information. In developing, implementing, and maintaining its information security program, a financial institution must identify reasonably foreseeable risks to the security, confidentiality, and integrity of customer information that could result in the compromise of such information. The financial institution must regularly monitor, evaluate, and adjust its program in light of ongoing risk assessments. And, financial institutions must take reasonable steps to select service providers capable of maintaining appropriate safeguards.

Request for Comment

In addition to general issues for comment, including whether there is a continuing need for the Rule, the FTC has published a list of five specific issues on which they request comment:

  1. Should the elements of an information security program include a response plan in the event of a breach that affects the security, integrity, or confidentiality of customer information? Why or why not? If so, what should such a plan contain?
  2. Should the Rule be modified to include more specific and prescriptive requirements for information security plans? Why or why not? If so, what requirements should be included and what sources should they be drawn from?
  3. Should the Rule be modified to reference or incorporate any other information security standards or frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standards? If so, which standards should be incorporated or referenced and how should they by referenced or incorporated by the Rule?
  4. For the purpose of clarity, should the Rule be modified to include its own definitions of terms, such as “financial institution”, rather than incorporating the definitions found in the Privacy Rule?
  5. The current Safeguards Rule incorporates the Privacy Rule’s definition of “financial institutions” as entities that are significantly engaged in financial activities, including activities found to be closely related to banking by regulation or order in effect at the time of enactment of the G-L-B Act. Should the Safeguards Rule’s definition of “financial institution” be modified to also include entities that are significantly engaged in activities that the Federal Reserve Board has found to be incidental to financial activities? Should it also include activities that have been found to be closely related to banking or incidental to financial activities by regulation or order in effect after the enactment of the G-L-B Act? If so, should all such activities be included in the modified definition? What evidence supports such a modification?

Comments may be filed online at https://ftcpublic.commentworks.com/ftc/safeguardsrulenprm by following the instructions on the web-based form. Instructions on the offline submission of comments may be found here. Comments are due by November 7, 2016.