In a major development for nonbank providers of financial products and services, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking that would amend its Safeguards Rule and its Privacy Rule, each promulgated under the Gramm-Leach-Bliley Act (GLBA).

The changes, if enacted, would depart from the FTC’s historical approach that allowed covered institutions broad discretion on the details necessary to achieve compliance with the safeguards standards and instead would impose an enumerated list of specific requirements.

What happened

In 2000, the Privacy Rule took effect, mandating that financial institutions inform consumers about their information-sharing practices and allow consumers to opt out of having their information shared with certain third parties. The Safeguards Rule, which took effect in 2003, requires financial institutions to develop, implement and maintain a comprehensive information security program reasonably designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. The safeguards must be appropriate to the size and complexity of the financial institution and to the scope of its activities.

As part of its periodic review of rules and guidelines, the FTC requested comment in 2016 on the Safeguards Rule. In response to the review, and in an effort to keep pace with technology changes, the agency recently issued a Notice of Proposed Rulemaking (NPRM) asking for comment on proposed updates to the rule.

It is important to note that while the FTC’s safeguards rule uses the term “financial institutions,” it applies only to nonbank entities that are engaged in financial activities, such as mortgage bankers, some retailers, finance companies, collection agencies and money transmitters. Banks and other financial institutions regulated by a federal regulator are not subject to the FTC’s rule.

If enacted as proposed, the most significant change in the Safeguards Rule is that it contains more guidance on the specific components of an information security program. Thus, while the institution would still be required to develop a plan to meet the GLBA “Objectives,” several specific elements would need to be incorporated into the safeguards plan.

For example, institutions would have to establish a written incident response plan (addressing goals, outlining the internal processes for incident response, and identifying the necessary steps to remediate identified weaknesses in information systems and controls) and develop procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes.

Financial institutions would be required to encrypt all consumer data, both at rest and in transit over external networks, implement access controls to prevent unauthorized users from accessing consumer information, and use multifactor authentication for access to consumer data.

Also, companies would be required to appoint a chief information security officer, responsible for overseeing, implementing and enforcing the information security program, as well as making periodic reports to the board of directors.

It also would add new requirements with regard to audit trails, risk assessments and oversight of service providers (mandating that financial institutions periodically assess such providers based on the information security risk they present).

To address the statutory changes, the FTC proposed a minor amendment to the Privacy Rule to reflect that its rulemaking authority extends only over certain motor vehicle dealers. Both rules would see an expansion of the existing definition of “financial institution” to include “finders,” or entities that charge a fee to connect consumers who are looking for a loan to a lender.

“We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a statement. “While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments.”

The proposed new standards are consistent with the approach taken by various state regulators, particularly the New York Department of Financial Services (DFS) in its cybersecurity regulations, to promulgate specific security requirements rather than abstract standards. Another example is California’s recently passed “Internet of Things Law” (SB 327), which requires unique default authentication for connected devices. The FTC voted unanimously to submit the NPRM for the Privacy Rule; however, two commissioners dissented on the proposal for the Safeguards Rule. Commissioners Noah Joshua Phillips and Christine S. Wilson expressed concern that the proposed changes “trade flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”

As opposed to the current flexible situation, appropriate to a company’s size and complexity, the NPRM “would move us away from that approach,” according to the dissenting statement. “There are direct costs for enhanced precautions, but this record does not demonstrate that those costs will significantly reduce data security risks or significantly increase consumer benefits.”

The commissioners argued that the proposed rule changes would substitute the FTC’s judgment for a private firm’s governance decisions. To read the NPRM for the Safeguards Rule, click here.

To read the NPRM for the Privacy Rule, click here.

To read the dissenting commissioners’ statement, click here.

Why it matters

The proposed changes to the Safeguards Rule would represent a change in the FTC’s approach, and would bring it more in line with the regulatory standards to which banks are subject. As originally constructed, the FTC’s nonprescriptive rule was designed to enable financial institutions to develop plans tailored to their own size and complexity and to accommodate technological changes and changes in security threats. In connection with the proposal, the FTC believes that it is retaining its historical flexibility, but that having more specific security requirements in the rule will provide beneficial guidance to financial institutions. The FTC’s change of direction also may be an outgrowth of the decision of the U.S. Court of Appeals for the Eleventh Circuit decision in LabMD, Inc. v. Federal Trade Commission, where the federal appellate panel struck down an FTC cease-and-desist order, finding the agency’s data protection standards were too vague to hold the company liable for failing to comply with them. In any case, the FTC appears to be signaling that more specific standards, as opposed to an abstract “reasonableness” requirement, may be a preferable method to establish standards appropriate for industry today.