Mar 122019

FTC Seeks Comment on Proposed Changes to its GLBA Safeguards and Privacy Rules

Christopher Fonzone, Seferina Berch and Snezhana Stadnik Tapia
, , , , ,

Over the last few years, States have enacted increasingly aggressive legislation concerning data privacy and security, raising concerns that companies will be subject to a patchwork of different standards.  Congress has recently taken notice, convening hearings on potential federal privacy legislation, with the possibility of preemption a hot topic during the hearings.  Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its the Standards for Safeguarding Customer Information (“Safeguards Rule”) and Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act.  The proposed amendments – and particularly the proposed changes to the Safeguard Rule – signal the FTC’s desire to align its rules with those of key states and to further protect customer information held by financial institutions.

Aligning the Safeguards Rule with State Regimes

The Safeguards Rule specifies that financial institutions subject to the FTC’s jurisdiction must develop, implement, and maintain a comprehensive information security program for handling customer data.  In 2016, the FTC conducted a periodic review of this Rule, and, in response to the comments it received during this review and subsequent developments, the FTC is proposing to add more detailed requirements to the Rule.  Of particular note, the Safeguards Rule NPRM proposes to align the FTC’s requirements with those of the New York Department of Financial Services (“NYDFS”), as found in its cybersecurity regulations, and the National Association of Insurance Commissioners (“NAIC”), as found in its insurance data security model law.  Drawing and adopting from both the NYDFS’s and NAIC’s rules, the Commission states in its NPRM that it used these models because they “maintain the balance between providing detailed guidance and avoiding overly prescriptive requirements for information security programs.”

Of particular note, the FTC’s proposed requirements include requiring financial institutions to:

  • develop an incident response plan as part of their information security program;
  • designate a qualified individual to be responsible for the oversight, implementation, and enforcement of the institution’s security program;
  • conduct periodic reevaluations of institutional risk assessments based on their individual needs and resources;
  • restrict access to physical locations containing customer information only to authorized individuals (and, relatedly, develop policies for securing physical devices which contain personal information, such as laptops and phones);
  • encrypt all customer information, both in transit and at rest, unless the institution can show such encryption is not reasonable and can provide an equivalent alternative measure;
  • Implement multi-factor authentication for when individuals access customer data;
  • ensure that their information systems under the Rule have audit trails designed to detect and respond to security events;
  • develop secure disposal procedures for customer information in any format that is no longer necessary for business operations or other legitimate business purposes;
  • monitor user activity to detect unauthorized access to or tampering with customer information;
  • test or otherwise monitor the safeguards regularly;
  • provide information security personnel with training and ensure they take steps to stay abreast of key cybersecurity knowledge;
  • assess the risk profile and safeguards of service providers periodically; and
  • have their Chief Information Security Officer report in writing at least once a year to the Board on the overall status of the information security program, the company’s compliance with the Safeguards Rule, and any other material matters related to the information security program.

The Commission’s vote to submit the Safeguard Rule NPRM was divided, with Commissioners Noah Phillips and Christine Wilson dissenting.  In their dissent, Phillips and Wilson emphasize the importance of maintaining a flexible standard in the field of data security, where “standards continuously evolve,” and argue that the current proposal “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”  In particular, the two Commissioners argue that the cost of such enhanced precautions – which have not yet been shown to significantly reduce risk or increase benefits to consumers – can have an outsized impact on small or new businesses and potentially decrease competition.  (The proposed amendments would exempt from many obligations institutions that maintain personal information from fewer than 5,000 customers.)  They also disagree with the decision to base so many changes on the NYDFS cybersecurity regulations, which are only two years old and thus lack significant data on their impact and efficacy.

Other Notable Changes

The FTC’s proposals also include changes designed to align the Safeguards Rule and Privacy Rule with the Dodd-Frank Act in 2010 and the FAST Act in 2015, both of which amended GLBA.  Notably, the Dodd-Frank Act narrowed the FTC’s rulemaking authority for the Privacy Rule to include only certain motor vehicle dealers and not any other financial institutions previously subject to the FTC’s Rule, transferring most of the rest of the authority to the Consumer Financial Protection Bureau (“CFPB”).  The proposed changes would amend the Rule to reflect this change.

In accordance with the FAST Act, the revised Privacy Rule would also clarify when motor vehicle dealers must provide annual privacy notices.

Finally, the FTC is seeking to expand the definition of “financial institution” under both the Safeguards Rule and the Privacy Rule to include “finders,” or those who “charge a fee to connect consumers who are looking for a loan to a lender.”  The proposed expansion would harmonize the definition among regulators, specifically the CFPB and the Federal Reserve, and “create a more consistent regulatory landscape.”

Christopher Fonzone

cfonzone@sidley.com

Seferina Berch

sberch@sidley.com

Snezhana Stadnik Tapia

sstadnik@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.