[Federal Register Volume 66, Number 152 (Tuesday, August 7, 2001)]
[Proposed Rules]
[Pages 41162-41169]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-19338]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 314
RIN 3084 AA87
Standards for Safeguarding Customer Information
AGENCY: Federal Trade Commission.
ACTION: Proposed rule; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is
proposing certain standards relating to administrative, technical, and
physical information safeguards for financial institutions subject to
the Commission's jurisdiction. The Gramm-Leach-Bliley Act (``G-L-B
Act'' or ``Act'') requires the Commission to issue these standards.
They are intended to: insure the security and confidentiality of
customer records and information; protect against any anticipated
threats or hazards to the security or integrity of such records; and
protect against unauthorized access to or use of such records or
information that could result in substantial harm or inconvenience to
any customer.
DATES: Comments must be received not later than October 9, 2001.
ADDRESSES: Written comments should be addressed to: Secretary, Federal
Trade Commission, Room 159, 600 Pennsylvania Avenue, NW., Washington,
DC 20580. The Commission requests that commenters submit the original
plus five copies, if feasible. All comments will be posted on the
Commission's Web site: www.ftc.gov. To enable prompt review and public
access, paper submissions should include a version on diskette in PDF,
ASCII, WordPerfect or Microsoft Word format. Diskettes should be
labeled with: (1) The name of the commenter and (2) the name and
version of the word processing program used to create the document.
Alternatively, documents may be submitted to the following email
address: [email protected]. Parties submitting comments via email
should (1) confirm receipt by consulting the postings on the
Commission's Web site, www.ftc.gov; and (2) indicate whether they are
also providing their comments in other formats. Individual members of
the public filing comments need not submit multiple copies or comments
in electronic form. All submissions should be captioned ``Gramm-Leach-
Bliley Act Privacy Safeguards Rule, 16 CFR Part 314--Comment.''
FOR FURTHER INFORMATION CONTACT: Laura D. Berger, Attorney, Division of
Financial Practices, (202) 326-3224.
SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in
the following outline:
A. Background
B. Overview of Comments Received
C. Section-by-Section Analysis
D. Paperwork Reduction Act
E. Regulatory Flexibility Act
A. Background
On November 12, 1999, President Clinton signed the G-L-B Act
(Public Law 106-102) into law. The purpose of the Act was to reform and
modernize the banking industry by eliminating existing barriers between
banking and commerce. Under the Act, banks are now permitted to engage
in a broad range of activities, including insurance and securities
brokering, with new affiliated entities.
Title V of the Act, captioned ``Disclosure of Nonpublic Personal
Information,'' addresses privacy and security issues raised by these
new arrangements and covers a broad range of traditional and non-
traditional financial institutions. Regarding privacy, the Act limits
the instances in which a financial institution may disclose nonpublic
personal information about a consumer to nonaffiliated third parties;
it also requires a financial institution to make certain disclosures
concerning its privacy policies and practices with respect to
information sharing with both affiliates and nonaffiliated third
parties. See sections 502 and 503, respectively. On May 12, 2000, the
Commission issued a final rule, Privacy of Consumer Financial
Information, 16 CFR Part 313, which implemented Subtitle A as it
relates to these requirements (hereinafter ``Privacy Rule'').\1\ The
Privacy Rule took effect on November 13, 2000, and full compliance is
required on or before July 1, 2001.
---------------------------------------------------------------------------
\1\ The rule was published in the Federal Register at 65 FR
33646 (May 24, 2000).
---------------------------------------------------------------------------
Regarding the security of financial information, the Act requires
the Commission and certain other federal agencies (``the Agencies'') to
establish standards for financial institutions relating to
administrative, technical, and physical information safeguards.\2\ See
15 U.S.C. 6801(b), 6805(b)(2). As described in the Act, the objectives
of these standards are to: (1) Insure the security and confidentiality
of customer records and information; (2) protect against any
anticipated threats or hazards to the security or integrity of such
records; and (3) protect against unauthorized access to or use of such
records or information which could result in substantial harm or
inconvenience to any customer. See 15 U.S.C. 6801(b) (1)-(3). While the
Act permits most of the Agencies to develop their safeguards standards
by issuing guidelines, it requires the SEC and the Commission to
proceed by rule.\3\
---------------------------------------------------------------------------
\2\ The other agencies responsible for establishing safeguards
standards are: the Office of the Comptroller of the Currency
(``OCC''); the Board of Governors of the Federal Reserve System
(``Board''); the Federal Deposit Insurance Corporation (``FDIC'');
the Office of Thrift Supervision (``OTS''); the National Credit
Union Administration (``NCUA''); the Secretary of the Treasury
(``Treasury''); and the Securities and Exchange Commission
(``SEC''). In addition, on December 21, 2000, Congress amended the
Commodity Exchange Act to add the Commodity Futures Trading
Commission (``CFTC'') to the list of federal functional regulators.
\3\ Although section 504 of the Act required the Agencies to
work together to issue consistent and comparable rules to implement
the Act's privacy provisions, the Act does not require the Agencies
to coordinate in developing their safeguards standards. Where
appropriate, however, the Commission has sought consistency with the
other agencies' standards, particularly those issued by the banking
agencies (see n.5, infra).
---------------------------------------------------------------------------
On September 7, 2000, the Commission published in the Federal
Register a Notice and Request for Comment (``the Notice'') on the scope
and potential requirements of a Safeguards Rule for the financial
institutions subject to its jurisdiction. 65 FR 54186. The Comment
period for the Notice ended on October 24, 2000, and the Commission
received 30 comments
[[Page 41163]]
from a variety of interested parties.\4\ The Commission has considered
those comments, as well as the standards adopted by the other Agencies,
in formulating its proposed rule.\5\ The Commission also has considered
the Final Report that was issued by the Federal Trade Commission
Advisory Committee on Online Access and Security on May 15, 2000
(hereinafter ``Advisory Committee's Report'' or ``ACR'').\6\ While the
Advisory Committee's Report addressed security only in the online
context, the Commission believes that its principles have general
relevance to information safeguards. The Commission now offers for
comment a proposed rule governing the safeguarding of customer records
and information for the financial institutions subject to its
jurisdiction.
---------------------------------------------------------------------------
\4\ In response to a request from a commenter, the Commission
added 14 days to the initial 30-day comment period. 65 FR 59766
(Oct. 6, 2000).
\5\ Since publication of the Notice, the NCUA and the remaining
banking agencies--the OCC, the Board, the FDIC, and OTS--have issued
final guidelines. 66 FR 8152 (Jan. 30, 2001); 66 FR 8616 (Feb. 1,
2001). Earlier, on June 29, 2000, the SEC had adopted a final
safeguards rule as part of its Privacy of Consumer Financial
Information Final Rule (hereinafter ``SEC rule''). 65 FR 40334. On
March 21, 2001, the CFTC issued a proposed rule that mirrors the SEC
rule. See 66 FR 15550 at 15562, 15574. As with the Privacy Rule,
Treasury will not be issuing a separate rule.
\6\ The Advisory Committee was composed of 40 members (including
representatives from industry, consumer groups, and academia)
nominated through a public notice and comment process. See 64 FR
71457 (Dec. 21, 1999). One of its main purposes was to give advice
and recommendations to the Commission regarding the implementation
of adequate security for personal information collected from
consumers online. ACR at 2. Its charter, membership, and Report are
available on the Commission's website, at www.ftc.gov.
---------------------------------------------------------------------------
B. Overview of Comments Received
As noted above, the Notice sought comment on the potential scope
and requirements of a Commission rule, including the proper level of
specificity of the rule's requirements,\7\ and the extent to which the
rule should resemble the other Agencies' standards. 65 FR at 54189. Of
the 30 comments the Commission received,\8\ three were from
corporations or associations related to higher education or the funding
of student loans; \9\ seven were from corporations performing various
financial or internet-related services; \10\ two were from companies
that provide information security services; \11\ seven were from trade
associations; \12\ one was from a non-profit association of consumer
groups; \13\ three were from other governmental or non-profit
professional associations; \14\ and six were from individuals and other
interested parties.\15\ Virtually all of the comments urged that the
standards for safeguarding information be flexible, and contain few, if
any, specific requirements.\16\ These comments pointed out that
institutions need discretion to make decisions appropriate to their
current operations and to adapt to changes in technology and their
business environments,\17\ and that implementation of the rule should
not disrupt safeguards programs that entities have in place
already.\18\ In addition, many private companies praised the
flexibility of the then-proposed guidelines issued by the banking
agencies (``Banking Agency Guidelines''), and stated that conforming
the Commission's rule to the Guidelines would minimize the burden of
complying with the rule.\19\
---------------------------------------------------------------------------
\7\ Among other things, it asked whether the rule should set
forth particular minimum procedures a financial institution must
follow, or should rely on more general standards, such as
``reasonable policies and procedures'' to achieve the Act's
purposes. 65 FR at 54188.
\8\ These comments are available on the Commission's website, at
www.ftc.gov.
\9\ Iowa Student Loan Liquidity Corporation (``Iowa Student
Loan''); Texas Guaranteed Student Loan Corp. (``TGSL''); United
Student Aid Funds, Inc. (``USA Funds'').
\10\ Household Finance Corporation (``Household''); Intuit;
MasterCard International (``MasterCard''); Morgan Stanley Dean
Witter Credit Corporation (``MSDWCC''); Plainview Financial
Services, Ltd. (``Plainview''); Visa USA, Inc. (``Visa''); 724
Solutions, Inc. (``724 Solutions'').
\11\ RSA Security, Inc.; Tiger Testing.
\12\ American Collectors Ass'n, Inc. (``ACA''); America's
Community Bankers (``ACB''); Credit Union Nat'l Ass'n (``CUNA'');
Nat'l Ass'n of Indep. Insurers (``NAII''); Nat'l Indep. Automobile
Dealers Ass'n (``NIADA''); Nat'l Council of Investigation and
Security Services, Inc. (``NCISS''); Nat'l Retail Federation
(``NRF'').
\13\ Nat'l Ass'n of Consumer Agency Administrators (``NACAA'').
\14\ Committee on Internet and Litigation of the Commercial and
Federal Litigation Section, New York State Bar Ass'n (``CI & L''); Nat'l
Ass'n of Attorneys General (``NAAG''); North American Securities
Administrators Ass'n, Inc. (``NASAA'').
\15\ Calvin Ashley (``Ashley''); Professor Mark Budnitz, Georgia
State Univ. College of Law; Evan Hendricks, Editor/Publisher of
Privacy Times, and Consultant to PrivaSys; John Merryman; Martin D.
Rosenblatt, MD; Doug Scala.
\16\ ACA at 5; ACB at 1; CI & L at 2; Household at 1; Intuit at
2, 4, 6; Iowa Student Loan at 1; MasterCard at 2, 3; NIADA at 1, 3;
TGSL at 1; USA Funds at 3; Visa at 2.
\17\ See, e.g., Intuit at 2; NRF at 5; Visa at 2.
\18\ See, e.g., CI & L at 2; Intuit at 5-6; Iowa Student Loan at
1.
\19\ See, e.g., Intuit at 14; USA Funds at 6; Visa at 1-2, 4.
---------------------------------------------------------------------------
These comments were instrumental in shaping the proposed rule. In
particular, consistent with the majority of comments, the proposed rule
follows the general approach of the Banking Agency Guidelines, and
contains flexible requirements wherever feasible. To ensure
flexibility, the proposed rule provides that each information security
program should be appropriate to the size and complexity of the
financial institution, the nature and scope of its activities, and the
sensitivity of the customer information at issue.\20\ At the same time,
consistent with the Banking Agency Guidelines, the proposed rule
requires that certain basic elements that the Commission believes are
important to information security be included in each program. Thus,
each financial institution must: (1) Designate an employee or employees
to coordinate its program; (2) assess risks in each area of its
operations; (3) design and implement an information security program to
control these risks; (4) require service providers (by contract) to
implement appropriate safeguards for the customer information at issue;
and (5) adapt its program in light of material changes to its business
that may affect its safeguards. These elements create a general
procedural framework, so that each financial institution can develop,
implement, and maintain appropriate safeguards even as its
circumstances change over time.
---------------------------------------------------------------------------
\20\ This approach is also consistent with the Advisory
Committee's finding, in the online context, that security is
``contextual'' and that a security program should have a
``continuous life cycle designed to meet the needs of the particular
organization or industry.'' See ACR at 18.
---------------------------------------------------------------------------
Comments respecting the impact of the Safeguards Rule on small
entities also were important in developing the proposed rule. Some
commenters pointed out that making the rule's requirements flexible
would enable smaller institutions to implement appropriate programs
without setting too low a target for more sophisticated operations.\21\
The proposed standard described above, which explicitly allows for
flexibility according to the size and complexity of a financial
institution and the nature and scope of its activities, should minimize
the rule's burdens on small entities.
---------------------------------------------------------------------------
\21\ ACB at 4; see also ACA at 5; Plainview at 2.
---------------------------------------------------------------------------
Additional comments, and the Commission's responses thereto, are
discussed in the following Section-by-Section analysis.
C. Section-by-Section Analysis
The Commission proposes to issue the Safeguards Rule as a new Part
314 of 16 CFR, to be entitled ``Standards for Safeguarding Customer
Information.'' This Part will follow the Privacy Rule, which is
contained in Part 313 of 16 CFR. The following is a section-by-section
analysis of the proposed rule.
[[Page 41164]]
Proposed section 314.1: Purpose and Scope
Paragraph 314.1(a) sets forth the general purpose of the proposed
rule, which is to establish standards for financial institutions to
develop, implement, and maintain administrative, technical, and
physical safeguards to protect the security, confidentiality, and
integrity of customer information. This paragraph also states the
statutory authority for the proposed rule.
Paragraph 314.1(b) sets forth the scope of the proposed rule, which
applies to the handling of customer information by all financial
institutions over which the FTC has jurisdiction. As noted in the
Privacy Rule, covered financial institutions include: non-depository
lenders, consumer reporting agencies, data processors, courier
services, retailers that extend credit by issuing credit cards to
consumers; personal property or real estate appraisers; check-cashing
businesses; mortgage brokers, and other entities under the Commission's
jurisdiction that are significantly engaged in financial
activities.\22\ As proposed, the rule covers the handling of customer
information by all financial institutions under the Commission's
jurisdiction, including not only financial institutions that collect
information from their own customers, but also financial institutions
that receive customer information from other financial
institutions.\23\ Although comments were mixed on this point,\24\ the
Commission believes that including recipient financial institutions
within the rule will assure greater safeguards for customer information
and is within the authority conferred by the Act. Nevertheless, the
Commission requests comment on the benefits and burdens of this
requirement and/or other issues or concerns that it raises.
---------------------------------------------------------------------------
\22\ Under section 313.3(k)(1) of the Privacy Rule, ``financial
institution'' means: ``any institution the business of which is
engaging in financial activities as described in section 4(k) of the
Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). An institution
that is significantly engaged in financial activities is a financial
institution.'' Additional examples of financial institutions are
provided in section 313.3(k)(2) of the Privacy Rule.
\23\ Such recipient entities might include service providers or
affiliates of financial institutions that are also financial
institutions themselves. They might also include entities such as
consumer reporting agencies that routinely receive customer
information from other financial institutions.
\24\ Some commenters stated that the rule should establish
safeguards only for a financial institution's handling of
information about its own customers, and not for such information in
the hands of third-party financial institutions. See, e.g., ACA at
4; MasterCard at 4. By contrast, others urged that, consistent with
the way that the Privacy Rule's restrictions remain affixed to
information when it is disclosed by a financial institution,
safeguards should not be lost when information is transferred to
another financial institution. NAAG at 2; see also Intuit at 3-4,
13; NIADA at 2; USA Funds at 1.
---------------------------------------------------------------------------
Recipients of customer information that are not financial
institutions are not directly subject to the proposed rule's
requirements. However, as discussed in greater detail below, the
proposed rule requires financial institutions to ensure that customer
information remains protected when it is shared with their affiliates
and service providers, some of which may not be financial institutions.
See proposed paragraph 314.2(b) (defining ``customer information'' to
include information handled or maintained by or on behalf of
affiliates); proposed paragraph 314.5(d) (requiring a financial
institution to select and retain appropriate service providers, and to
enter into contracts requiring them to maintain appropriate
safeguards).\25\ As discussed below, the Commission is seeking comment
on the various issues raised by these proposed provisions.
---------------------------------------------------------------------------
\25\ Although the proposed rule does not impose duties on
financial institutions with respect to other recipients of
information, the Commission notes that financial institutions must
also comply with the Privacy Rule, as well as section 5 of the FTC
Act, which prohibits unfair or deceptive acts and practices.
Therefore, financial institutions must ensure that any statements
they make regarding the security of customer information or the
manner in which it is handled by third parties must be accurate.
---------------------------------------------------------------------------
A few commenters urged that compliance with alternative standards
should constitute compliance with the Safeguards Rule. For example, one
commenter urged that compliance with the SEC rule should constitute
compliance with the FTC rule, so that state investment advisors covered
by the FTC rule would be subject to the same standards as federal
investment advisors, which are covered by the SEC rule.\26\ Similarly,
another commenter urged that compliance with the Family Educational
Rights and Privacy Act (``FERPA'') should satisfy the Safeguards Rule,
just as it satisfies the Privacy Rule.\27\ The comment explained that
FERPA protects the security and integrity of student records by a
variety of requirements, including mandatory written student consent
prior to the release of personally identifiable information.\28\ The
Commission requests additional comment on whether and how compliance
with these and other laws and rules relating to information security--
including the rules relating to medical information under the Health
Insurance Portability and Accountability Act (``HIPAA'') of 1996--
should be addressed in the proposed rule.
---------------------------------------------------------------------------
\26\ NASAA at 2.
\27\ ACE at 1-2.
\28\ Id. at 2-3; see also USA Funds.
---------------------------------------------------------------------------
Proposed section 314.2: Definitions
This section defines terms for purposes of the proposed Safeguards
Rule. Proposed paragraph (a) of this section makes clear that, unless
otherwise stated, terms used in the Safeguards Rule bear the same
meaning as in the Commission's Privacy Rule. Thus, for example,
``customer'' under the Safeguards Rule is the same as under the Privacy
Rule: a consumer who has established a continuing relationship with an
institution.\29\ 16 CFR 313.3(h). Further, ``affiliate'' means ``any
company that controls, is controlled by, or is under common control
with another company.'' 16 CFR 313.3(a).\30\ The proposed Safeguards
Rule also defines the following new terms: ``customer information;''
``information security program;'' and ``service provider.'' See
paragraphs (b), (c), and (d), respectively, of proposed section 314.2.
---------------------------------------------------------------------------
\29\ By virtue of the Privacy Rule's definition of ``consumer,''
customer does not include a business. See sections 313.3(e) and (h)
of the Privacy Rule (defining ``consumer'' and ``customer,''
respectively).
\30\ Other relevant definitions from the Privacy Rule include:
``control,'' ``nonpublic personal information,'' and as discussed
above, ``financial institution.'' See 16 CFR 313.3(g), (n), and (k),
respectively.
---------------------------------------------------------------------------
Proposed paragraph (b) defines ``customer information'' as any
record containing nonpublic personal information, as defined in
paragraph 313.3(n) of the Privacy Rule, about a customer of a financial
institution, whether in paper, electronic, or other form, that is
handled or maintained by or on behalf of a financial institution or its
affiliates.\31\ The Commission proposes to include information handled
or maintained by or on behalf of affiliates in this definition to
ensure that customer information does not lose its protections merely
because it is shared with affiliates, which is freely allowed under the
G-L-B Act and Privacy Rule.\32\ Thus, to the extent that a financial
institution shares customer information with its affiliates, the
proposed rule would require it to ensure that the affiliates maintain
appropriate safeguards for the customer information at issue.
---------------------------------------------------------------------------
\31\ Section 501(b) of the Act refers to the protection of both
customer ``records'' and ``information.'' However, for the sake of
simplicity, the proposed rule (like the Banking Agency Guidelines)
uses the term ``customer information'' to encompass both information
and records.
\32\ See section 502(a) (restricting disclosures only to
nonaffiliated third parties).
---------------------------------------------------------------------------
[[Page 41165]]
The Commission recognizes that certain entities (e.g., banks) that
meet the proposed rule's definition of ``affiliate'' simultaneously may
be covered by another agency's safeguards standards. In response, the
Commission notes that it does not intend to duplicate existing
requirements for affiliates that are financial institutions directly
subject to safeguards standards. Instead, the proposed requirement is
designed to ensure that safeguards are not lost in the event that
customer information is disclosed to an affiliate that is not a
financial institution, or that is not required to safeguard information
about another financial institution's customers. The Commission
requests comment on: (1) The benefits and burdens of this proposal,
including any compliance burdens imposed on entities already covered by
the safeguards standards of other Agencies; (2) whether any additional
guidance is needed on what safeguards are appropriate for affiliates;
and (3) other issues or concerns raised by this requirement. The
Commission also requests comment on whether information shared with
affiliates already is protected adequately by other provisions of the
proposed rule.\33\
---------------------------------------------------------------------------
\33\ As noted above, the proposed rule would directly cover an
affiliate that receives customer information from a financial
institution and is itself a financial institution. Further, an
affiliate that meets the definition of ``service provider'' in the
proposed rule will be subject to contractual requirements to
maintain safeguards. See proposed paragraph 314.5(d). Thus, other
provisions of the proposed rule may already cover information
handled or maintained by at least some affiliates.
---------------------------------------------------------------------------
The proposed Safeguards Rule applies solely to ``customer
information'' and not to information about other consumers who do not
meet the definition of ``customer.'' This approach is consistent with
the Banking Agency Guidelines, as well as the majority of comments that
addressed this issue.\34\ The commenters pointed out that the language
of section 501 refers only to customers, and does not instruct or
authorize the Commission to establish safeguards covering other
information.\35\ However, other commenters who favored requiring
safeguards for all nonpublic personal information noted flaws in this
approach, namely, that: (1) Financial institutions may be unable to
distinguish accurately between customer and consumer information,\36\
and (2) consumers may not understand the customer-consumer distinction,
and may believe that their information is subject to safeguards that do
not apply to them.\37\
---------------------------------------------------------------------------
\34\ See Banking Agency Guidelines, section I.A.; see also ACA
at 3-4; ACB at 3; Intuit at 3; MasterCard at 3; NCISS at 1; NRF at
2-3; NIADA at 1-2; TGSL at 2; Plainview at 1; Visa at 3; cf. NAAG at
1-2 (supporting limitation, but urging that term ``customer
information'' be broadly construed).
\35\ See, e.g., ACA at 3-4; TGSL at 2; Visa at 3.
\36\ Ashley at 2; Intuit at 3; NAAG at 2; NACAA at 3.
\37\ NACAA at 3.
---------------------------------------------------------------------------
While the Commission believes that limiting the rule to ``customer
information'' is warranted by the plain language of section 501,\38\ it
shares some of the concerns raised by the commenters who favored
broader protections. In response, the Commission notes that protecting
information about consumers may be a part of providing reasonable
safeguards to ``customer information'' where the two types of
information cannot be segregated reliably. Further, consistent with its
mandate under the Privacy Rule and section 5 of the FTC Act, the
Commission expects that, as with customers, any information that a
financial institution provides to a consumer will be accurate
concerning the extent to which safeguards apply to them.
---------------------------------------------------------------------------
\38\ See section 501(a) & (b)(1)-(3). By contrast to section
501, the privacy provisions of the Act apply to both ``customers''
and ``consumers'' of financial institutions, but require greater
disclosures to the former. See section 502(a) & (b) (consumers);
section 503 (customers).
---------------------------------------------------------------------------
Finally, proposed paragraphs (c) and (d) contain definitions of
``information security program'' and ``service provider.''
``Information security program'' is defined as ``the administrative,
technical, or physical safeguards'' that a financial institution uses
``to access, collect, process, store, use, transmit, dispose of, or
otherwise handle customer information.'' This definition is similar to
the Banking Agency Guidelines' definition of ``customer information
system.'' See Banking Agency Guidelines, section I.C.2.d. ``Service
provider'' is defined as ``any person or entity that receives,
maintains, processes, or otherwise is permitted access to customer
information through its provision of services directly to a financial
institution that is subject to the rule.'' This definition is virtually
identical to the definition of ``service provider'' in the Banking
Agency Guidelines. See Banking Agency Guidelines, section I.C.2.e. The
Commission requests comment on both of these proposed definitions.
Proposed section 314.3: Standards for Safeguarding Customer Information
This section sets forth the general standards that a financial
institution must meet to comply with the rule, namely to ``develop,
implement, and maintain a comprehensive written information security
program that contains administrative, technical, and physical
safeguards'' that are appropriate to the size and complexity of the
entity, the nature and scope of its activities, and the sensitivity of
any customer information at issue. See proposed paragraph (a). This
standard is highly flexible, consistent with the comments and the
Banking Agency Guidelines. It is also consistent with the Advisory
Committee's Report, which concluded that a business should develop ``a
program that has a continuous life cycle designed to meet the needs of
a particular organization or industry'' and that ``different types of
data warrant different levels of protection.'' See ACR at 18. Paragraph
(a) also requires that each information security program include the
basic elements set forth in proposed section 314.4 of the rule, and be
reasonably designed to meet the objectives set forth in section
314.3(b).
By requiring a written information security program, the Commission
means to ensure a comprehensive, coordinated approach to security. As
under the Banking Agency Guidelines, which also require a written
program,\39\ the program need not be set forth in a single document, as
long as all parts of the program are coordinated and can be identified
and accessed readily.\40\ For this reason, and because of the general
flexibility of the proposed rule's requirements, the Commission does
not expect the preparation of a written program to be unduly
burdensome. Nevertheless, the Commission requests comment on the
benefits and burdens of this requirement and/or other issues or
concerns that it raises; whether any burden is disproportionate for
smaller entities; and how any burden can be lessened while still
ensuring that each financial institution develops an effective program
for which it is accountable.
---------------------------------------------------------------------------
\39\ See Banking Agency Guidelines, section II.A.
\40\ See Preamble to the Banking Agency Guidelines, 66 FR 8619
(if the elements of the program ``are not maintained on a
consolidated basis, management should have an ability to retrieve
the current documents from those responsible for the overall
coordination and ongoing reevaluation of the program.'').
---------------------------------------------------------------------------
Paragraph (b) of this section restates the objectives of section
501(b) of the Act and incorporates them as the objectives of the
proposed rule.
Proposed Section 314.4: Elements
This section sets forth general elements that a financial
institution should adopt as part of its information security program.
The elements create a framework for developing, implementing, and
maintaining the
required safeguards, but leave each financial institution discretion to
tailor its information security program to its own circumstances.\41\
---------------------------------------------------------------------------
\41\ Many of these procedures are similar to those identified by
the Advisory Committee's Report as ``essential elements'' of an
effective program. See ACR at 18 (assessment of risk, establishment
and implementation of a plan based on the identified risks, and
periodic reassessment of risks).
---------------------------------------------------------------------------
Proposed paragraph (a) requires each financial institution to
designate an employee or employees to coordinate its information
security program in order to ensure accountability within each entity
for achieving adequate safeguards. This requirement is similar to the
Banking Agency Guidelines' requirements to involve and report to the
Board of Directors. See Banking Agency Guidelines, Paragraphs III.A.
and III.F., respectively. However, because many entities subject to the
Commission's jurisdiction are not controlled by Boards of Directors,
the rule permits a financial institution to designate any responsible
employee or employees that it chooses. The Commission believes that
this requirement will ensure accountability within a flexible
framework.\42\ The Commission seeks comment on the benefits and burdens
of this paragraph and/or other issues or concerns that it raises, as
well as whether there are effective alternative means to achieve
accountability for compliance with the rule.
---------------------------------------------------------------------------
\42\ This proposal responds to comments seeking flexibility in
designating responsible employees. See, e.g., Visa at 5 (suggesting
the rule should allow financial institutions to designate either an
individual, or a working group or committee); ACB at 4 (opposing
idea of a single privacy officer); CUNA at 2 (same). See also NAAG
at 2; MSDWCC at 3 (stating that designation of a privacy officer
would ensure accountability).
---------------------------------------------------------------------------
Proposed paragraph (b) requires each financial institution to
``identify reasonably foreseeable internal and external risks to the
security, confidentiality, and integrity of customer information that
could result in the unauthorized disclosure, misuse, alteration,
destruction or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks.''
Because some of the comments sought further guidance on steps to take
in conducting a risk assessment,\43\ the proposed paragraph also
requires financial institutions to consider such risks in each relevant
area of their operations, including three areas of particular
importance to information security: (1) Employee training and
management; (2) information systems, including information processing,
storage, transmission and disposal; and (3) prevention and response
measures for attacks, intrusions, or other systems failures. This
paragraph is similar to the Banking Agency Guidelines' requirement to
assess risks,\44\ but adds these core areas of operation in response to
the comments. Beyond the three core areas of operation that a financial
institution must consider, each entity would have discretion to
determine what areas of its operation are relevant to risk assessment.
The Commission seeks comment on the benefits and burdens of this
paragraph and/or other issues or concerns that it raises; whether
specifying certain areas of operation is helpful and appropriate; and/
or whether additional guidance would be useful.\45\
---------------------------------------------------------------------------
\43\ See, e.g., NIADA at; Intuit at 7-8.
\44\ See Banking Agency Guidelines, Paragraph III.B.
\45\ Consistent with the comments, the proposed rule does not
require financial institutions to conduct risk assessment according
to any predetermined schedule. See NIADA at 4; USA Funds at 3.
However, as discussed below, proposed paragraph (e) requires that
each financial institution adjust its program in light of any
material changes to its business. The Commission envisions that the
timeliness of such adjustments would be relevant to the adequacy of
a financial institution's safeguards under the rule.
---------------------------------------------------------------------------
Proposed paragraph (c) requires each financial institution to
``design and implement information safeguards to control the risks
[identified] through risk assessment, and regularly test or otherwise
monitor the effectiveness of the safeguards' key controls, systems, and
procedures.'' As in paragraph (b), a financial institution must address
each relevant area of its operations in developing its program.\46\ The
obligation to monitor (and, in paragraph (e), discussed below, to
adjust in light of changes) the information security program is
consistent with the Advisory Committee's findings that a security
program should have ``a continuous life cycle'' and that companies
should be prepared to ``revisit and revise [their security standards]
on a constant basis.'' ACR at 18. It also is similar to the Banking
Agency Guidelines' requirement to ``[r]egularly test the key controls,
systems and procedures of the information security program.'' See
Banking Agency Guidelines, paragraph III.C.3. Consistent with the
commenters' support for the use of testing \47\ but concern about the
potential costs and effectiveness of such procedures,\48\ the proposed
rule does not require that particular audit procedures or tests be
used. The Commission requests comment on the benefits and burdens of
this paragraph and/or other issues or concerns that it raises.
---------------------------------------------------------------------------
\46\ For example, in the area of employee training and
management, an entity could implement a training program designed to
combat the risk that unauthorized third parties could gain access to
customer information. Or, with respect to its information systems,
an entity could implement a particular protocol for disposing of
customer information to control any risk that unauthorized parties
could gain access to discarded information. Similarly, in the area
of prevention and response measures for attacks and system failures,
an entity could maintain appropriate controls or monitoring systems
to deter and detect actual or attempted attacks or intrusions.
\47\ See, e.g., CUNA at 3; Intuit at 10; Tiger Testing at 1-2.
\48\ ACB at 5; USA Funds at 4.
---------------------------------------------------------------------------
Proposed paragraph (d) requires each financial institution to
oversee its service providers. This obligation requires each financial
institution to select and retain service providers ``that are capable
of maintaining appropriate safeguards'' for the customer information at
issue, and to require its service providers by contract to ``implement
and maintain such safeguards.'' This provision, which is similar to a
requirement in the Banking Agency Guidelines,\49\ is intended to ensure
that customer information will remain protected when it is shared with
another entity to carry out processing, servicing, and similar
functions on behalf of the financial institution. It also ensures that
the obligation to safeguard information is not diminished simply
because certain functions are outsourced rather than performed in-
house. The Commission requests comment on the benefits and burdens of
this requirement and/or other issues or concerns that it raises,
including: (1) Whether additional guidance is needed on what safeguards
are appropriate for service providers; (2) whether the contract
requirement is necessary to ensure the protection of customer
information or whether there is an equally protective alternative; (3)
whether, for service providers that are themselves financial
institutions or are subject to other safeguards standards, the rule
should offer an exception to the contract requirement; and (4) whether
the rule should apply to all service providers, given that the Privacy
Rule does not require financial institutions to enter into
confidentiality contracts with service providers that receive
information under the general exceptions in sections 313.14 and 313.15
of that rule.
---------------------------------------------------------------------------
\49\ Banking Agency Guidelines, section III.D.
---------------------------------------------------------------------------
The Commission is aware that an entity providing services both to a
financial institution subject to the Commission's rule and to one
subject to the Banking Agency Guidelines could be subject to
contractual obligations under both the proposed rule and the
Guidelines, albeit for different sets of information. In some cases, a
service
provider--such as a data processor--that is subject to such contractual
obligations also would be a financial institution subject to the
Commission's rule. The Commission believes, however, that the
similarity of the proposed rule to the Banking Agency Guidelines, and
the flexible standards of the proposed rule, should prevent any
conflict. Nonetheless, comment is requested on any potential difficulty
for service providers in complying simultaneously with these various
requirements.
Proposed paragraph (e) requires each financial institution to
``evaluate and adjust [its] information security program'' in light of
any material changes to its business that may affect its safeguards.
This paragraph is similar to section III.E. of the Banking Agency
Guidelines. Such material changes may include, for example, changes in
technology; changes to its operations or business arrangements, such as
mergers and acquisitions, alliances and joint ventures, outsourcing
arrangements, or changes in the services provided; new or emerging
internal or external threats to information security; or other
circumstances that give it reason to know that its information security
program is vulnerable to attack or compromise. The Commission seeks
comment on the benefits and burdens of this requirement and/or other
issues or concerns that it raises.
Proposed Section 314.5: Effective Date
Proposed section 314.5 requires each financial institution to
implement an information security program not later than one year from
the date on which a final rule is issued. The Commission requests
comment on whether one year is an appropriate amount of time for
covered entities to come into compliance with the rule. It also
requests comment on whether the rule should contain a transition period
to allow the continuation of existing contracts with service providers,
even if they would not satisfy the rule's requirements. Such a
provision could parallel section 313.18(c) of the Privacy Rule, which
provides a two-year period for grandfathering existing contracts.
D. Paperwork Reduction Act
The Paperwork Reduction Act (``PRA''), 44 U.S.C. Chapter 35,
requires federal agencies to seek and obtain Office of Management and
Budget (``OMB'') approval before undertaking a collection of
information directed to ten or more persons. 44 U.S.C. 3502(3)(a)(i).
Under the PRA, a rule creates a ``collection of information'' when ten
or more persons are asked to ``report, provide, disclose, or record
information'' in response to ``identical questions.'' See 44 U.S.C.
3502(3)(A). Applying these standards, the Commission has determined
that the proposed standards do not constitute a ``collection of
information.'' The proposed rule calls upon affected entities to
develop or strengthen their information security programs in order to
provide reasonable safeguards. Each financial institution's means of
complying with the rule will vary according to its size, complexity,
the nature and scope of its activities, and the sensitivity of the
information involved. Although these compliance efforts must be
summarized in writing, the discretionary balancing of factors and
circumstances that is involved here does not require entities to answer
``identical questions,'' and therefore does not trigger the PRA's
requirements. See ``The Paperwork Reduction Act of 1995: Implementing
Guidance for OMB Review of Agency Information Collection,'' Office of
Information and Regulatory Affairs, OMB (August 16, 1999), at 20-21.
E. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA), 5 U.S.C. 604(a), requires an
agency either to provide an Initial Regulatory Flexibility Analysis
with a proposed rule, or certify that the proposed rule will not have a
significant economic impact on a substantial number of small entities.
The FTC does not expect that this rule, if adopted, would have the
threshold impact on small entities. First, most of the burdens flow
from the mandates of the Act, not from the specific provisions of the
proposed rule. Second, the proposed rule imposes requirements that are
scalable according to the size and complexity of each institution, the
nature and scope of its activities, and the sensitivity of its
information. Thus, the burden is likely to be less on small
institutions, to the extent that their operations are smaller or less
complex. Nonetheless, the Commission has determined that it is
appropriate to publish an Initial Regulatory Flexibility Analysis
(``IRFA'') in order to inquire into the impact of the proposed rule on
small entities. The Commission invites comment on the burden on small
entities that may result from this rulemaking, and has prepared the
following analysis.
1. Reasons for the Proposed Rule
Section 501(b) of the G-L-B Act requires the FTC to establish
standards for financial institutions subject to its jurisdiction
relating to administrative, technical, and physical standards.
According to section 501(b), these standards must: (1) Insure the
security and confidentiality of customer records and information; (2)
protect against any anticipated threats or hazards to the security or
integrity of such records; and (3) protect against unauthorized access
to or use of such records or information which could result in
substantial harm or inconvenience to any customer. The requirements of
the proposed rule are intended to fulfill the obligations imposed by
section 501(b).
2. Statement of Objectives and Legal Basis
The objectives of the proposed rule are discussed above. The legal
basis for the proposed rule is section 501(b) of the G-L-B Act.
3. Description of Small Entities to Which the Rule Will Apply
Determining a precise estimate of the number of small entities that
are financial institutions subject to the proposed rule is not readily
feasible. The definition of ``financial institution,'' as under the
Privacy Rule, includes any institution the business of which is
engaging in a financial activity, as described in section 4(k) of the
Bank Holding Company Act, which incorporates by reference the
activities listed in 12 CFR 225.28 and 12 CFR 211.5(d), consolidated in
12 CFR 225.86. See 65 FR 14433 (Mar. 17, 2000). The G-L-B Act does not
specify the categories of financial institutions subject to the
Commission's jurisdiction; rather, section 505(a)(5) vests the
Commission with enforcement authority with respect to ``any other
financial institution or other person that is not subject to the
jurisdiction of any [other] agency or authority [charged with enforcing
the statute].'' Financial institutions covered by the rule will include
many of the same lenders, financial advisors, loan brokers and
servicers, collection agencies, tax preparers, real estate settlement
services, and others that are subject to the Privacy
Rule. However, many of these financial institutions will not be subject
to the Safeguards Rule to the extent that they do not have any
``customer information'' within the meaning of the Safeguards Rule.
4. Projected Reporting, Recordkeeping and Other Compliance Requirements
The proposed rule does not impose any reporting or any specific
recordkeeping requirements within the meaning of the PRA, discussed
above. The proposed rule requires each covered institution to develop a
written
information security program covering customer information that is
appropriate to its size and complexity, the nature and scope of its
activities, and the sensitivity of the customer information at issue.
In so doing, the institution must assure itself that any affiliate to
which it discloses customer information maintains appropriate
safeguards. In addition, each institution must designate an employee or
employees to coordinate its safeguards; identify and assess foreseeable
risks to customer information, and evaluate the effectiveness of any
existing safeguards for controlling these risks; design and implement a
safeguards program, and regularly monitor its effectiveness; require
service providers (by contract) to implement appropriate safeguards for
the customer information at issue; and evaluate and adjust its program
to material changes that may affect its safeguards, such as new or
emerging threats to information security. These requirements will apply
to institutions of all sizes that are subject to the FTC's
jurisdiction.
A few comments received in response to the Notice expressed concern
about the burden on small businesses of maintaining information
security. The Commission has attempted to address these concerns by
making the requirements flexible so that each entity can simplify its
information security program to the same extent that its overall
operations are simplified. Nonetheless, the Commission is concerned
about the potential impact of the proposed rule on small institutions,
and invites comment on the costs of establishing and operating an
information security program for such entities, particularly any costs
stemming from the proposed requirements to: (1) Designate an employee
or employees to coordinate safeguards; (2) regularly test or otherwise
monitor the effectiveness of the safeguards' key controls, systems, and
procedures; (3) develop a comprehensive information security program in
written form; and (4) ensure that affiliates with which the entities
share information maintain adequate safeguards.
5. Identification of Duplicative, Overlapping, or Conflicting Federal
Rules
The FTC is unable to identify any statutes, rules, or policies that
would conflict with the requirement to develop and implement an
information security program. However, as discussed above, the
Commission is requesting comment on the extent to which other federal
standards involving privacy or security of information may duplicate
and/or satisfy the proposed rule's requirements. In addition, the FTC
seeks comment and information about any statutes or rules that may
conflict with any of the proposed requirements, as well as any other
state, local, or industry rules or policies that require a covered
institution to implement business practices that comport with the
requirements of the proposed rule.
6. Discussion of Significant Alternatives
The G-L-B Act requires the FTC to issue a rule that establishes
standards for safeguarding customer information. In addition, the G-L-B
Act requires that standards be developed for institutions of all sizes.
Therefore, the proposed rule applies to entities with assets of $100
million or less. However, the standards in the proposed rule are
flexible, so that each institution may develop an information security
program that is appropriate to its size and the nature of its
operations. The FTC welcomes comment on any significant alternatives,
consistent with the G-L-B Act, that would minimize the impact on small
entities.
Proposed Rule
List of Subjects for 16 CFR Part 314
Consumer protection, Credit, Data protection, Privacy, Trade
practices.
For the reasons set forth in the preamble, the Federal Trade
Commission proposes to amend 16 CFR Ch. I, Subchapter C, by adding a
new part 314 to read as follows:
PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
Sec. 314.1 Purpose and scope.
314.2 Definitions.
314.3 Standard for safeguarding customer information.
314.4 Elements.
314.5 Effective date.
Authority: 15 U.S.C. 6801(b), 6805(b)(2).
Sec. 314.1 Purpose and scope.
(a) Purpose. This part (``rule''), which implements sections 501
and 505(b)(2) of the Gramm-Leach-Bliley Act, sets forth standards for
developing, implementing, and maintaining reasonable administrative,
technical, and physical safeguards to protect the security,
confidentiality, and integrity of customer information.
(b) Scope. This rule applies to the handling of customer
information by all financial institutions over which the Federal Trade
Commission (``FTC'' or ``Commission'') has jurisdiction. This rule
refers to such entities as ``you.'' The rule applies to all customer
information in your possession, regardless of whether such information
pertains to individuals with whom you have a customer relationship, or
pertains to the customers of other financial institutions that have
provided such information to you.
Sec. 314.2 Definitions.
(a) In general. Except as modified by this rule or unless the
context otherwise requires, the terms used in this rule have the same
meaning as set forth in the Commission's rule governing the Privacy of
Consumer Financial Information, 16 CFR part 313.
(b) ``Customer information'' means any record containing nonpublic
personal information, as defined in 16 CFR 313.3(n), about a customer
of a financial institution, whether in paper, electronic, or other
form, that is handled or maintained by or on behalf of you or your
affiliates.
(c) ``Information security program'' means the administrative,
technical, or physical safeguards you use to access, collect, process,
store, use, transmit, dispose of, or otherwise handle customer
information.
(d) ``Service provider'' means any person or entity that receives,
maintains, processes, or otherwise is permitted access to customer
information through its provision of services directly to a financial
institution that is subject to the rule.
Sec. 314.3 Standards for safeguarding customer information.
(a) Information security program. You shall develop, implement, and
maintain a comprehensive written information security program that
contains administrative, technical, and physical safeguards that are
appropriate to your size and complexity, the nature and scope of your
activities, and the sensitivity of any customer information at issue.
Such safeguards shall include the elements set forth in Sec. 314.4 and
shall be reasonably designed to achieve the objectives of this rule, as
set forth in paragraph (b) of this section.
(b) Objectives. The objectives of section 501(b) of the Act, and of
this rule, are to:
(1) Insure the security and confidentiality of customer
information;
(2) Protect against any anticipated threats or hazards to the
security or integrity of such information; and
(3) Protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience to
any customer.
Sec. 314.4 Elements.
In order to develop, implement, and maintain your information
security program, you shall:
(a) Designate an employee or employees to coordinate your
information security program.
(b) Identify reasonably foreseeable internal and external risks to
the security, confidentiality, and integrity of customer information
that could result in the unauthorized disclosure, misuse, alteration,
destruction, or other compromise of such information, and assess the
sufficiency of any safeguards in place to control these risks. At a
minimum, such risk assessment should include consideration of risks in
each relevant area of your operations, including:
(1) employee training and management;
(2) information systems, including information processing, storage,
transmission, and disposal; and
(3) prevention and response measures for attacks, intrusions, or
other systems failures.
(c) For all relevant areas of your operations, including those set
forth in paragraph (b) of this section, design and implement
information safeguards to control the risks you identify through risk
assessment, and regularly test or otherwise monitor the effectiveness
of the safeguards' key controls, systems, and procedures.
(d) Oversee service providers, by:
(1) selecting and retaining service providers that are capable of
maintaining appropriate safeguards for the customer information at
issue; and
(2) requiring your service providers by contract to implement and
maintain such safeguards.
(e) Evaluate and adjust your information security program in light
of any material changes to your business that may affect your
safeguards.
Sec. 314.5 Effective date.
Each financial institution subject to the Commission's jurisdiction
must implement an information security program pursuant to this rule
not later than one year from the date on which a final rule is issued.
By direction of the Commission.
C. Landis Plummer,
Acting Secretary.
[FR Doc. 01-19338 Filed 8-6-01; 8:45 am]
BILLING CODE 6750-01-P