On November 21, 2016, the comment period closed on the Federal Trade Commission's (FTC) request for public feedback on the Standards for Safeguarding Consumer Information Rule (Safeguards Rule). The FTC is considering amending its Financial Institutions Data Security Rule, which requires financial institutions to have mechanisms in place to secure customer information.
The FTC's solicitation for comments is part of its ongoing regulatory review and is driven, in part, by new developments in digital mobile technology, as well as economic and industry changes in financial technology. The potential amendment may also be spurred by increased challenges from other regulators seeking to be the primary federal privacy and data security regulator, particularly on the heels of the Consumer Financial Protection Bureau's (CFPB) data security enforcement actions in 2016.
The FTC sought feedback on general and specific issues, including whether the definition of financial institution should be broadened to include institutions which engage in activities that are “incidental” or “complementary” to financial activities. Unlike other agencies, the FTC restricted its understanding of the term “financial activities” to activities that are truly financial in nature. Since the Safeguards Rule applies to the handling of customer information, the potential expansion of this definition could affect thousands of companies that act as vendors or other third-party providers, whose activities are “incidental” or “complementary” to financial activities, but who may otherwise handle customer information as part of their services.
The enlargement of the definition of financial institution covered under the Safeguards Rule could affect an entire industry of companies that provide services to financial service entities. While a broadened definition of financial institution may increase the scope of entities regulated under the Safeguards Rule, it may lack clarity as to what is an “incidental” or “complementary” activity. Without further definitions of “incidental” or “complementary”, or related guidance, companies will need to look at how other agencies that previously adopted those terms have defined such activity.
Among the various questions posed by the FTC, the Commission also solicited “evidence of the prevalence of any unfair acts or practices that any proposed modification would address.” Given the CFPB's recent decisions against online financial companies such as Dwolla and Lendup focusing on unfair, deceptive and abusive acts, the FTC's potential amendments appear to focus, in part, on clarifying what constitutes an unfair act and reducing those activities to statutory guidance.
By clarifying what constitutes an unfair act under the Safeguards Rule, the FTC may indeed clarify both the scope and types of activities at issue. This focus may give financial institutions more comfort as they seek innovative and technologically savvy ways to improve their customers' experience. At the same time, these clarifications, as espoused below by entities not in favor of changes to the Safeguards Rule, may actually stifle the flexibility that financial institutions have under the current regulatory scheme.
Rule Changes Discouraged.
Not surprisingly, not everyone is in agreement on whether the FTC should amend the Safeguards Rule. In an open letter to the Secretary of the FTC, the Securities Industry and Financial Markets Association (SIFMA) responded to the FTC's request for comments. SIFMA stated that while it had historically supported regulatory efforts designed to safeguard customer information, and it supported the FTC's efforts to ensure the security of customer information, protect the integrity of such records and prevent the unauthorized use thereof, SIFMA believed that the current Safeguards Rule accomplished those purposes. SIFMA clearly espoused to the FTC that the proposed modifications were unnecessary.
SIFMA's position is based on several factors:
(1) A Separate Information Security Response Plan in the Event of a Breach Is Unnecessary
SIFMA agrees that breach monitoring is essential in the financial industry; however, SIFMA does not believe a breach monitoring program must exist in a separate information security program. In other words, companies should be free to decide under which corporate umbrella and department their breach monitoring program best fits. Because organizational structures differ, companies may house their breach monitoring program in various departments, including Legal, Information Technology, or Compliance. SIFMA argues that requiring companies to move or duplicate these breach monitoring programs would be financially and operationally burdensome. SIFMA also addresses the overlapping state breach requirements under which the industry already operates. While there is a possibility of redundancy, as addressed by SIFMA, this argument tends to fall flat, as many industries, including the financial services industry sector, are already subject to dual, and often redundant, federal and state regulatory schemes.
(2) The Safeguards Rule Should Not Be Modified to Reference Other Security Standards
Here, SIFMA argues that any changes to the Safeguards Rule to include specific and prescriptive requirements for information security plans would eliminate a company's ability to implement flexible and risk-based safeguards. SIFMA also argues that specific requirements would harm smaller companies, who would be unduly burdened by the requirements, as well as large companies who would have to expend resources that could be better used for other regulatory compliance efforts.
(3) The Safeguards Rule Should Not Be Modified to Reference or Incorporate Any Other Security Standards
The FTC has requested comment on whether the Safeguards Rule should be modified to incorporate other information security standards such as the National Institute of Standards and Technology's Cybersecurity Framework or the Payment Card Industry Data Security Standard. The FTC is considering incorporating these national frameworks to provide consistent and global guidance across industries. However, SIFMA argues that these modifications are unnecessary because the types of industries to which this guidance applies are separate and distinct. Further, SIFMA contends, there is no evidence that cybersecurity issues overlap to the extent that would justify incorporating other industry guidelines into the Safeguards Rule.
(4) The Safeguards Rule's Definitions Should Remain Unchanged
SIFMA argues that the existing definitions and “reasonableness” standard are flexible enough to encompass all companies to the extent they are involved in financial services. According to SIFMA, creating new or modifying existing definitions would eliminate the Safeguards Rule's ability to provide flexible and adaptable oversight in the financial services sector.
Mounting Concerns About Personal Data.
In an opposing submission in support of changes to the Safeguards Rule, the Electronic Privacy Information Center (EPIC), a public interest research center in Washington, D.C., submitted 11 pages of comments to urge the FTC to (1) expand the scope of the Safeguards Rule to include all organizations and companies that collect consumer data; (2) clarify that compliance with the Safeguards Rule Guidance is mandatory; and (3) establish a data minimization requirement for organizations that are subject to the Safeguards Rule.
EPIC's comments are based, in large part, on the mounting amounts of personal data being collected, increases in identity theft and financial fraud, and the rise in high profile security breaches. According to EPIC, these issues, coupled with the privacy concerns of many Americans, create a need and obligation to standardize and promulgate laws that adequately protect consumers. EPIC also recommends legislation that strengthens safeguards for consumer information and promotes data minimization practices.
EPIC urges the FTC to utilize its authority under the Safeguards Rule to protect consumer information by strengthening data minimization requirements, modifying the Safeguards Rule to reflect industry trends, addressing the holding of personal information across a variety of industries, clarifying its compliance requirements, and clearly defining the fines and penalties associated with non-compliance with the Safeguards Rule.
In support of change, EPIC advocates mandating and enforcing compliance with the Safeguards Rule as to all entities that handle customer information. EPIC believes that the current standard of “appropriate” security according to a company's size and associated use of sensitive data is insufficient. Instead, every financial institution should be required to take basic and standardized steps to ensure that customer data is protected. As a result, EPIC requests that the FTC clarify that the standard practices published in the April 2006 guidelines implementing the Safeguards Rule are legally binding and mandatory. EPIC further advocates that the Safeguards Rule should apply to all organizations that perform “incidental” financial services including, but not limited to, educational institutions and commercial businesses that process information about students or consumers.
EPIC also requests that the FTC apply the Safeguards Rule to all “consumer” information maintained by financial institutions rather than limiting protections to customers with a continuing relationship with the entity. EPIC holds that “companies such as data brokers and advertising networks collect massive amounts of sensitive information on American consumers without ever establishing a ‘customer relationship’ with those consumers. Consumers should not be left defenseless simply because these companies collect their information without their knowledge or consent.”
The comment period has now ended. The FTC must take these comments under consideration, weigh the positives and negatives of changes to the Safeguards Rule, and evaluate the potential for increased regulation, increased business costs and reduced innovation in the financial services sector, at a time when FinTech and other digital financial services are in demand by customers. Nevertheless, given the fast-changing legal landscape in data privacy, it is likely we will see at least a handful of changes to some or all of the areas solicited for comment. Now we wait to see what exactly those changes will be.
Reproduced with permission from ©2017 The Bureau of National Affairs, Inc. (800-372-1033) www.bna.com. This article was first published on Bloomberg BNA on January 30, 2017.