[Federal Register Volume 65, Number 174 (Thursday, September 7, 2000)]
[Proposed Rules]
[Pages 54186-54189]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 00-22945]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 313
Privacy of Customer Financial Information--Security
AGENCY: Federal Trade Commission.
ACTION: Advance notice of proposed rulemaking and request for comment.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Trade Commission (the
``Commission'' or ``FTC'') requests comment on developing the
administrative, technical, and physical information Safeguards Rule
that the Commission is required to establish pursuant to section 501(b)
of the Gramm-Leach-Bliley Act (the ``G-L-B Act'' or ``Act'') for the
financial institutions under its jurisdiction, as set forth in section
505(a)(7). After reviewing the comments received in response to this
document and request for comment, the Commission will issue a notice of
proposed rulemaking.
DATES: Comments must be received on or before October 10, 2000.
ADDRESSES: Written comments should be addressed to: Secretary, Federal
Trade Commission, Room H-159, 600 Pennsylvania Avenue, NW., Washington,
DC 20580. The Commission requests that commenters submit the original
plus five copies, if feasible. Comments should also be submitted, if
possible, in electronic form, on either a 5\1/4\ or 3\1/2\ inch
computer disk, with a disk label stating the name of the commenter and
the name version of the word processing program used to create the
document. (Programs based on DOS or Windows are preferred. Files from
other operating systems should be submitted in ASCII format.)
Alternatively, the Commission will accept comments submitted to the
following e-mail address: [email protected]. Those commenters
submitting comments by e-mail are advised to confirm receipt by
consulting the postings on the Commission's website at www.ftc.gov. In
addition, commenters submitting comments by e-mail are requested to
indicate whether they are also providing their comments in other
formats. Individual members of the public filing comments need not
submit multiple copies or comments in electronic form. All submissions
should be captioned ``Gramm-Leach-Bliley Act Privacy Safeguards Rule,
16 CFR Part 313-Comment.''
FOR FURTHER INFORMATION CONTACT: Laura Berger, Attorney, Division of
Financial Practices, Federal Trade Commission, Washington, DC 20580,
202-326-3224.
SUPPLEMENTARY INFORMATION
Section A. Background
On November 12, 1999, President Clinton signed the G-L-B Act (Pub.
L. 106-102) into law. Subtitle A of Title V of the Act, captioned
Disclosure of Nonpublic Personal Information, limits the instances in
which a financial institution may disclose nonpublic personal
information about a consumer to nonaffiliated third parties, and
requires a financial institution to disclose to all of its customers
the institution's privacy policies and practices with respect to
information sharing with both affiliates and nonaffiliated third
parties. Title V also requires the Commission to establish by rule
appropriate standards for the financial institutions subject to its
jurisdiction relating to administrative, technical, and physical
safeguards (hereinafter ``Safeguards Rule'') to insure the security and
confidentiality of customer records and information, to protect against
any anticipated threats or hazards to the security or integrity of such
records, and to protect against unauthorized access to or use of such
records or information which could result in substantial harm or
inconvenience to any customer.
On May 12, 2000, the Commission issued a final rule implementing
the requirements of Subtitle A that relate to the disclosure of
nonpublic personal information about a consumer to nonaffiliated third
parties and the disclosure to all customers of the institution's
privacy policies and practices with respect to information sharing with
both affiliates and nonaffiliated third parties (hereinafter ``Privacy
Rule'').\1\ As required by section 504 of Subtitle A, the Commission
worked with other federal government agencies and authorities
(hereinafter ``the agencies'') \2\ to ensure that the Privacy Rule was
consistent and comparable with the regulations prescribed by the
agencies. The Privacy Rule will take effect on November 13, 2000, and
full compliance is required on or before July 1, 2001.
---------------------------------------------------------------------------
\1\ The rule was published in the Federal Register at 65 FR
33646 (May 24, 2000).
\2\ The Office of the Comptroller of the Currency (``OCC''); the
Board of Governors of the Federal Reserve System (``Board''); the
Federal Deposit Insurance Corporation (``FDIC''); the Office of
Thrift Supervision (``OTS''); the National Credit Union
Administration (``NCUA''); the Secretary of the Treasury
(``Treasury''); and the Securities and Exchange Commission
(``SEC''). Section 504 required these agencies to prescribe, within
six months of the Act's date of enactment (by May 12, 2000), ``such
regulations as may be necessary to carry out the purposes of
[Subtitle A] with respect to financial institutions subject to their
jurisdiction under section 505.''
---------------------------------------------------------------------------
The Act does not require the Commission (or other agencies) to
coordinate in developing a Safeguards Rule, and permits the agencies,
with the exception of the SEC and the Commission, to develop their
safeguards standards by issuing guidelines.
[[Page 54187]]
On June 26, 2000, the OCC, Board, OTC, and FDIC published a joint
Federal Register notice containing proposed Guidelines establishing
standards for safeguarding customer information (hereinafter ``proposed
Interagency Guidelines''), but requested comment as to whether a rule
would be preferable to guidelines. 65 FR 39,471 (June 26, 2000). As
proposed, the Interagency Guidelines will appear as an appendix to each
Agency's Standards for Safety and Soundness. The NCUA published a
Federal Register notice containing proposed safeguards guidelines on
June 14, 2000. 65 FR 37,302. The NCUA's guidelines, as proposed, will
be issued as an amendment to the NCUA's existing regulation governing
security programs in federally-insured credit unions. As with the
Privacy Rule, Treasury will not be issuing a separate rule. On June 22,
2000, the SEC adopted a final safeguards rule as part of its Privacy of
Consumer Financial Information Final rule. See www.sec.gov/rules/final34-42974.htm.
The SEC's safeguards rule restates the objectives of section
501(b), and passes along to financial institutions the requirement to
develop policies and procedures that are ``reasonably designed'' to
meet these goals.
Prior to issuing a proposed Safeguards Rule, the Commission seeks
public comment on the following questions concerning the scope and
potential requirements of such a rule. In formulating a proposed rule,
the Commission will consider the costs and benefits of the proposed
rule's requirements.
Section B. Questions as to Scope of the Commission's Safeguards
Rule
In order to develop the Safeguards Rule the Commission is required
to implement, the Commission seeks comment on several issues relevant
to the proper scope of the rule.
1. Range of Information Subject to the Safeguards Rule
The Commission requests comment on the range of information that
should be subject to the Safeguards Rule. The privacy provisions of
Subtitle A of Title V of the Act require that financial institutions
provide certain notices of their privacy policies to individuals, but
vary these requirements according to whether the individual is a
``customer'' or a ``consumer'' of the financial institution. Section
502 (a) & (b) (consumers); Section 503 (customers). Respecting
consumers, the G-L-B Act generally prohibits a financial institution
from disclosing nonpublic personal information about a consumer to a
nonaffiliated third party without first notifying the consumer and
providing an opportunity to opt out of the disclosure. Section 502 (a)
& (b). Customers, however, are entitled to notice of a financial
institution's privacy policies at the time that a customer relationship
is established, and annually thereafter during the continuation of the
relationship, regardless of whether nonpublic personal information will
be shared with nonaffiliated third parties. Section 503.
In contrast to the privacy provisions, section 501 of the G-L-B Act
refers solely to customers' nonpublic personal information and customer
records and information. Section 501(a) sets forth the ``policy of the
Congress that each financial institution has an affirmative and
continuing obligation to respect the privacy of its customers and to
protect the security and confidentiality of those customers' nonpublic
personal information,'' while section 501(b), ``in furtherance of the
policy in subsection (a)'', requires the Commission to establish
standards: ``(1) To insure the security and confidentiality of customer
records and information; (2) protect against any anticipated threats or
hazards to the security or integrity of such records; and (3) to
protect against unauthorized access to or use of such records or
information which could result in substantial harm or inconvenience to
any customer.'' Sections 501(a), 501(b)(1)-(3) (emphases added). The
Commission requests comment on what constitutes ``customer records and
information'' under subsection (b), particularly in light of the
reference to ``customers' nonpublic personal information'' in
subsection (a). Also, should the definition of ``customer records and
information'' under the Safeguards Rule be similar to the definition of
``nonpublic personal information'' for customers under the Commission's
Privacy Rule? Should the Safeguards Rule ever apply to ``consumer''
information maintained by a financial institution? Where, for example,
a financial institution cannot accurately separate its customer records
and information from its consumer records, should the Safeguards Rule
require the financial institution to safeguard both types of records?
2. Range of Financial Institution Subject to the Safeguards Rule
The Commission also requests comment on the range of financial
institutions to which the Safeguards Rule should apply. With certain
exceptions, a financial institution is defined in the Act as any
institution the business of which is engaging in financial activities
as described in section 4(k) of the Bank Holding Company Act of 1956
(12 U.S.C. 1843(k)). Under the Commission's Privacy Rule, any
institution that is significantly engaged in such financial activities
is a financial institution. 16 CFR 313.3(k)(1). However, only those
financial institutions that have ``consumers'' or establish ``customer
relationships'' have an obligation to disclose their privacy policies
under the Act. Secs. 502 & 503; 16 CFR 313.4 & 313.5. Financial
institutions that have no customer relationships or consumers, but
obtain nonpublic personal information from another financial
institution (see, e.g., 16 CFR 313.13) are subject to the Privacy
Rule's limitations on redisclosure and reuse of nonpublic personal
information. 16 CFR 313.11. How should the Safeguard Rule apply when a
financial institution discloses customer records and information to a
financial institution that has no customer relationships or consumers?
Should the Safeguards Rule require the originating financial
institution to disclose its ``customer records and information''
subject to the agreement of the party (i.e., a different financial
institution) receiving the information to comply with the Safeguards
Rule in its handling of the information?
Section C. Questions as to Other Aspects of the Commission's
Safeguards Rule
The Safeguards Rule must establish appropriate standards for
financial institutions subject to its jurisdiction relating to the
administrative, technical, and physical safeguards against the harms
contemplated by the Act, in order to protect customer records and
information from anticipated threats and hazards, and provide them with
security and confidentiality, including protection against unauthorized
access or use. At the same time, the Commission recognizes that
financial institutions may deem different safeguards appropriate
according to the size and complexity of the financial institution, the
nature and scope of its activities, and the nature of its records. In
what ways, if any, should the Safeguards Rule take into account the
need for financial institutions to keep pace with changing technology
and other changes to their operational environment? Should the
Safeguards Rule set forth minimum procedures a financial institution
must follow, a minimum level of effectiveness financial institutions
must maintain through their safeguards, or a combination of both? Do
any current private standards, association rules, or
[[Page 54188]]
guides provide useful guidance to the Commission in its formulation of
safeguards standards for financial institutions subject to the
Commission's jurisdiction? Should the Safeguards Rule delineate
mechanisms for financial institutions to demonstrate compliance with
the Rule? For example, should the Safeguards Rule require financial
institutions to use a particular audit process to measure their own
compliance?
1. Small Financial Institutions
The Commission seeks comment on how the Safeguards Rule will
achieve the results contemplated by the Act without unduly burdening
the ability of small financial institutions to serve consumers.
Further, to the extent commenters recommend that the Safeguards Rule
require specific administrative, technical and physical safeguards, the
Commission requests comment on whether the requirements are appropriate
for small financial institutions.
2. Specificity of the Safeguards Rule
What specific steps, if any, should the Safeguards Rule require
financial institutions to take to provide administrative, technical,
and physical safeguards for their customer records and information? Is
a different level of specificity appropriate according to whether the
Safeguards Rule is prescribing administrative, technical, or physical
measures? For example, should the Safeguards Rule prescribe specific
minimum measures, such as shedding of discarded paper records, that a
financial institution must take to provide for the physical security of
its customer records and information? Similarly, to provide for
administrative security, should the Safeguards Rule require that
financial institutions take particular minimum steps, such as
designating an employee who is responsible for monitoring internal
access to customer records and information? Alternatively, when dealing
with technical safeguards, should the Safeguards Rule set forth a more
general standard for adequate safeguards, such as ``effective controls
or programs'' or ``reasonable policies and procedures''? If the
Safeguards Rule provides a more general standard for administrative,
technical, or physical safeguards, what examples or other clarification
of adequate safeguards should be included? For example, should the
Safeguards Rule set forth categories or areas of administrative,
technical and physical safeguards (``safeguards categories'') for
financial institutions to address in designing and implementing
safeguards appropriate to their operations? Would safeguards categories
that require a financial institution to focus on particular areas of
operations, such as ``Personnel Training and Management,''
``Information Storage and Transmission,'' and ``Records Disposal,''
assist financial institutions to develop and maintain safeguards in a
thorough and consistent manner? Would a common standard, such as
``effective controls or programs'' or ``reasonable policies and
procedures'' suggested above, apply to every safeguards category, or
would some safeguards categories, such as ``Records Disposal,'' be
subject to more objective requirements?
3. Statutory Objectives
The Commission seeks comment on how the Safeguards Rule should
reflect the three objectives for information safeguards that are set
forth in section 501(b)(1)-(3) of the Act.
a. Anticipation of Threats or Hazards to Security or Integrity
Section 501(b) requires the Commission to establish standards for
administrative, technical and physical safeguards to ``protect against
anticipated threats or hazards to the security or integrity'' of
customer records and information obtained by financial institutions.
Section 501(b)(2). Should ``anticipated threats and hazards'' be
defined, and if so, how? Should the Safeguards Rule require financial
institutions to anticipate threats and hazards according to particular
procedures? If so, what threats and hazards should be assessed, and by
what procedures? Should the Safeguards Rule require financial
institutions to assess threats and hazards according to particular
categories (``risk categories''), such as ``Risks to Physical
Security,'' ``Risks to Integrity,'' or ``Risks in Records Disposal''?
When assessing threats and hazards, should a financial institution be
required to classify the value and sensitivity of the records to be
protected and/or the gravity of any threats? Under what circumstances,
if any, should financial institutions be required to conduct these
assessments in writing?
Should the Safeguards Rule require that financial institutions
reassess the threats or hazards to their information security systems,
and, if so, at what intervals? Should the Safeguards Rule define
technical or other changes to an institution's information security
environment that warrant reevaluation of existing safeguards? Among
other times, should a financial institution be required to assess
threats and hazards within a reasonable time after it knows or should
know of a new or emerging threat or hazard to the security or integrity
of its records? Similarly, should the Safeguards Rule require that the
effectiveness of existing safeguards be evaluated through appropriate
tests? If so, how specifically should the standards define these tests?
Finally, how should the Safeguards Rule protect against anticipated
threats and hazards to the integrity of customer records and
information? Should protecting integrity of customer records and
information include requiring a financial institution to notify a
customer when his or her records and information are subject to loss,
damage, or unauthorized access? Does insuring integrity of customer
records and information require that customers be granted periodic
access to their records, in order to monitor the accuracy of this
information?
b. Preventing Unwarranted Access and Use
In addition to requiring protection against anticipated threats and
hazards, section 501(b) requires that the safeguards standards
``protect against unauthorized access to or use of such records or
information which could result in substantial harm or inconvenience to
any customer.'' Section 501(b)(3). Should ``unauthorized access'' and
``unauthorized use'' be defined, and if so, how? Should the Safeguards
Rule require financial institutions to follow certain minimum
procedures to ``protect against unauthorized access to'' customer
records and information? Are there any circumstances under which
financial institutions should be required to maintain written records
of their procedures for preventing unauthorized access and use?
If the Safeguards Rule should require financial institutions to
follow certain minimum steps to prevent unauthorized access and use,
what procedures are most appropriate for the diverse range of financial
institutions subject to the Commission's jurisdiction? For example,
should the Safeguards Rule require that financial institutions
designate a person within the institution who is responsible for
preventing and detecting unauthorized access to and use of customer
records and information? Similarly, should the Safeguards Rule require
that financial institutions enter into confidentiality agreements with
their employees or train their employees in procedures for preventing
unauthorized access to and
[[Page 54189]]
use of customer records and information?
c. Insuring Security and Confidentiality
In addition to requiring protection against anticipated threats and
hazards and against unauthorized access and use, section 501(b)
requires that the safeguards standards ``insure the security and
confidentiality of customer records and information'' Section
501(b)(1). Does this requirement mean something more than protecting
against anticipated threats and hazards and unauthorized access and
use? In particular, what should insuring ``confidentiality'' of
information mean? What measures should the Safeguards Rule require a
financial institution to take to maintain the confidentiality and
security of customer records and information that it discloses? Where
applicable, should the Safeguards Rule require a financial institution
that discloses customer records and information to notify the
recipients of the limitations on reuse and redisclosure of the
information imposed by the Privacy Rule?
d. Consideration of Other Agencies' Safeguards Standards
The proposed Interagency Guidelines and the NCUA's proposed
Guidelines (collectively, ``the proposed Guidelines'') both require
regulated financial institutions to implement an ``Information Security
Program'' that is developed by following certain procedures outlined by
the respective proposed Guidelines. In their respective section III.A.,
the proposed Guidelines require each financial institution to involve
its board of directors and management in various aspects of developing,
implementing, and assessing an information security program. Under both
proposals, a financial institution must take four basic steps to
develop an information security program: (1) Identify and assess the
risks that may threaten protected information; (2) develop a written
plan containing policies and procedures to manage and control these
risks; (3) implement and test the plan; and (4) adjust the plan on a
continuing basis to account for changes in technology, the sensitivity
of the protected information, and internal or external threats to
information security. Similarly, in their respective sections III.C.,
both proposals provide a list of factors that a financial institution
should consider in developing its information security program. The
factors include specific potential elements of a security plan that
should be considered, such as ``contract provisions and oversight
mechanisms'' to protect the security of information handled by service
providers (respective III.C.(g)), as well as broader issues that the
security plan should address, such as ``[a]cess rights to [covered]
information,'' (respective III.C.(a)). Using the procedures provided by
the proposed Guidelines, each covered financial institution is to
develop a comprehensive information security program, the adequacy of
which will be reviewed by the relevant agency through established
oversight procedures, such as safety and soundness reviews. Finally, in
their respective sections III.D., the proposed Guidelines require
financial institutions to exercise due diligence in managing and
monitoring outsourcing arrangements, in order to make sure that its
service providers have implemented an effective information security
program.
The proposed guidelines focus on the procedures that should be
followed to develop a written information security program, and do not
specify particular security measures that must be adopted. They do
provide, however, that the Board of Directors must oversee efforts to
develop, implement, and maintain an ``effective'' information security
program. Should the Commission's Safeguards Rule be similar to the
proposed Guidelines, and if so, how? Does the Act's requirement that
the Commission issue a rule, rather than guidelines, warrant a
different approach? Does the fact that the Commission does not conduct
regular examination of financial institutions warrant more specific
security measures? What, if any, features of the more general approach
to safeguards taken by the SEC in its Privacy of Consumer Financial
Information Final Rule (described in Section A, supra) are suitable for
the Commission's Safeguards Rule?
By direction of the Commission.
C. Landis Plummer,
Acting Secretary.
[FR Doc. 00-22945 Filed 9-6-00; 8:45 am]
BILLING CODE 6750-01-M