The Federal Trade Commission is seeking comment on proposed amendments to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act, two rules that protect the privacy and security of customer information held by financial institutions. The proposed changes would bring the rules in line with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015, which modified the annual privacy notice requirement under the GLBA.

The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.

Safeguards Rule: The FTC's new Safeguards Rule review follows from an earlier public comment period in 2016. The FTC is now proposing changes to add more detailed requirements for what must be included in the information security program mandated by the Rule.

The proposal generally would require financial institutions to: (1) encrypt all customer data; (2) implement access controls to prevent unauthorized users from accessing customer information; and (3) use multifactor authentication to access customer data. In addition, the proposal would require companies to submit periodic reports to their boards of directors and clarify the Safeguards Rule's scope in the regulation itself.

Privacy Rule: The Dodd-Frank Act transferred the majority of the FTC's rulemaking authority for the Privacy Rule to the Consumer Financial Protection Bureau, leaving the FTC with rulemaking authority only over certain motor vehicle dealers. To address these statutory changes, the FTC is proposing to remove from its Privacy Rule examples of financial institutions that do not apply to motor vehicle dealers. In addition, the revised Rule would clarify when motor vehicle dealers must provide annual privacy notices to reflect provisions included in the FAST Act.

For both the Privacy Rule and the Safeguards Rule, the FTC is proposing to expand the definition of "financial institution" to specifically include "finders," bringing the FTC's rules in line with other agencies' interpretations of the GLBA. "Finders" are those who charge a fee to connect consumers who are looking for a loan to a lender.

While the FTC unanimously agreed to publish the notice for comment on the changes to the Privacy Rule, the notice for comment on the changes to the Safeguards Rule only passed 3-2. The dissenting Commissioners argued that the proposed changes attempt to address issues that might not be widespread among covered entities; lack adequate support; and are overly prescriptive, replacing covered entities' informed decision-making with the FTC's own judgment. The dissenting Commissioners also argued that the FTC should have waited for Congress to complete its deliberations on potential privacy and data security legislation.

Comments must be received within 60 days after the proposed amendments are published in the Federal Register.

© 2018, LLC. Republished with permission. All rights reserved.