On August 29, 2016, the Federal Trade Commission announced that it is seeking public comment on the Gramm-Leach-Bliley Act (“GLB”) Safeguards Rule. The GLB Safeguards Rule, which became effective in 2003, requires financial institutions to develop, implement and maintain a comprehensive information security program to safeguard customer information.
The FTC requests comments on several general questions pertaining to the GLB Safeguards Rule, such as:
- Is there a continued need for specific provisions of the GLB Safeguards Rule?
- What significant costs has the GLB Safeguards Rule imposed on consumers and how could it be modified to reduce those costs?
- What benefits has the GLB Safeguards Rule provided to businesses and how could it be modified to increase those benefits?
- What modifications to the GLB Safeguards Rule should there be to account for changes in technology or economic conditions?
The FTC also requests comments on several specific issues pertaining to the GLB Safeguards Rule. These include:
- Should the elements of a comprehensive information security program include a response plan in the event of a breach? If so, what should such a plan contain?
- Should the GLB Safeguards Rule be modified to include more specific and prescriptive requirements for information security programs?
- Should the GLB Safeguards Rule be modified to reference or incorporate information security standards or frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standard?
- Should the GLB Safeguards Rule include its own definitions of terms such as “financial institution”?
- Should the term “financial institution” be expanded to include “entities that are significantly engaged in activities that the Federal Reserve Board has found to be incidental to financial activities”?
- Should that definition of “financial institution” also include “activities that have been found to be closely related to banking or incidental to financial activities by regulation or order in effect after the enactment of the [GLB Safeguards Rule]”?
The FTC has invited interested parties to comment on the GLB Safeguards Rule by November 7, 2016.
View the FTC’s Federal Register notice seeking public comment on the GLB Safeguards Rule.