The Federal Trade Commission (“FTC”) has recently announced that it is seeking comment on proposed amendments to two existing FTC regulations that aim to protect the privacy and security of customer information collected and stored by financial institutions. Specifically, the amendments would modify the “Safeguards Rule” and “Privacy Rule” under the Gramm-Leach-Bliley Act.
The proposed amendments largely focus on establishing additional consumer data security measures that financial institutions will be required to implement. However, the amendments also seek to broaden the scope of the FTC regulations to include online marketing agencies that generate leads on behalf of those businesses that fall within the definition of “financial institutions.”
How Do I Best Ensure that My Business Complies with the Amended FTC Regulations?
Key Elements of the Proposed FTC Regulation Amendments
The proposed FTC regulation amendments would require that financial institutions: (a) encrypt all customer data that they collect, store and transmit; (b) implement access controls to prevent unauthorized individuals from accessing customer data; and (c) implement multifactor authentication prior to providing access to accounts. In addition, pursuant to the proposed amendments, financial institutions would be required to submit periodic compliance reports to their respective boards of directors.
Further, the proposed amendments would expand the definition of “financial institution” as used in both the Privacy Rule and Safeguards Rule to specifically include “finders” – marketing entities that charge a fee to connect consumers who are looking for a financial product with prospective financial services providers. This change could have a significant impact on online marketers that were not previously required to comply with the provisions of the Privacy Rule or the Safeguards Rule.
Liability Under the Privacy Rule and the Safeguards Rule
Violations of the Privacy Rule and/or Safeguards Rule may result in significant fines, penalties and other liability. Therefore, financial institutions, as well as the online and mobile marketers who perform marketing services on their behalf, should closely monitor the amendment process associated with these key FTC regulations. Upon finalization of the proposed amendments, affected business entities should consult with experienced counsel to ensure that all consumer data collection, use and sharing practices, as well as internal security protocols, are compliant with the updated Privacy Rule and Safeguards Rule, as well as other applicable laws.