Over the last few years, States have enacted increasingly aggressive legislation concerning data privacy and security, raising concerns that companies will be subject to a patchwork of different standards. Congress has recently taken notice, convening hearings on potential federal privacy legislation, with the possibility of preemption a hot topic during the hearings. Last week, the Federal Trade Commission (“FTC”) got into the act as well, releasing two notices of proposed rulemaking (“NPRM”) on potential changes to its Standards for Safeguarding Customer Information (“Safeguards Rule”) and its Privacy of Consumer Financial Information Rule (“Privacy Rule”) under the Gramm-Leach-Bliley Act. The proposed amendments – and particularly the proposed changes to the Safeguards Rule – signal the FTC’s desire to align its rules with those of key states and to further protect customer information held by financial institutions.
Aligning the Safeguards Rule with State Regimes
The Safeguards Rule specifies that financial institutions subject to the FTC’s jurisdiction must develop, implement, and maintain a comprehensive information security program for handling customer data. In 2016, the FTC conducted a periodic review of this Rule, and, in response to the comments it received during this review and subsequent developments, the FTC is proposing to add more detailed requirements to the Rule. Of particular note, the Safeguards Rule NPRM proposes to align the FTC’s requirements with those of the New York Department of Financial Services (“NYDFS”), as found in its cybersecurity regulations, and the National Association of Insurance Commissioners (“NAIC”), as found in its insurance data security model law. In drawing on both the NYDFS’s and the NAIC’s rules, the Commission states in its NPRM that it used these models because they “maintain the balance between providing detailed guidance and avoiding overly prescriptive requirements for information security programs.”
Among the proposed requirements, financial institutions would have to:
- develop an incident response plan as part of their information security program;
- designate a qualified individual to be responsible for the oversight, implementation, and enforcement of the institution’s security program;
- conduct periodic reevaluations of institutional risk assessments based on their individual needs and resources;
- restrict access to physical locations containing customer information only to authorized individuals (and, relatedly, develop policies for securing physical devices which contain personal information, such as laptops and phones);
- encrypt all customer information, both in transit and at rest, unless the institution can show such encryption is not reasonable and can provide an equivalent alternative measure;
- implement multi-factor authentication for any individual accessing customer data;
- ensure that their information systems under the Rule have audit trails designed to detect and respond to security events;
- develop secure disposal procedures for customer information in any format that is no longer necessary for business operations or other legitimate business purposes;
- monitor user activity to detect unauthorized access to or tampering with customer information;
- test or otherwise monitor the safeguards regularly;
- provide information security personnel with training and ensure they take steps to stay abreast of key cybersecurity knowledge;
- assess the risk profile and safeguards of service providers periodically; and
- have their Chief Information Security Officer report in writing at least once a year to the Board on the overall status of the information security program, the company’s compliance with the Safeguards Rule, and any other material matters related to the information security program.
The Commission’s vote to submit the Safeguards Rule NPRM was divided, with Commissioners Noah Phillips and Christine Wilson dissenting. In their dissent, Phillips and Wilson emphasize the importance of maintaining a flexible standard in the field of data security, where “standards continuously evolve,” and argue that the current proposal “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.” In particular, the two Commissioners argue that the cost of such enhanced precautions – which have not yet been shown to significantly reduce risk or increase benefits to consumers – can have an outsized impact on small or new businesses and potentially decrease competition. (The proposed amendments would exempt from many obligations institutions that maintain personal information on fewer than 5,000 customers.) They also disagree with the decision to base so many changes on the NYDFS cybersecurity regulations, which are only two years old and thus lack significant data on their impact and efficacy.
Other Notable Changes
The FTC’s proposals also include changes designed to align the Safeguards Rule and the Privacy Rule with the Dodd-Frank Act of 2010 and the FAST Act of 2015, both of which amended GLBA. Notably, the Dodd-Frank Act narrowed the FTC’s rulemaking authority for the Privacy Rule to cover only certain motor vehicle dealers, and no longer the other financial institutions previously subject to the FTC’s Rule, transferring most of the remaining authority to the Consumer Financial Protection Bureau (“CFPB”). The proposed changes would amend the Rule to reflect this change.
In accordance with the FAST Act, the revised Privacy Rule would also clarify when motor vehicle dealers must provide annual privacy notices.
Finally, the FTC is seeking to expand the definition of “financial institution” under both the Safeguards Rule and the Privacy Rule to include “finders,” or those who “charge a fee to connect consumers who are looking for a loan to a lender.” The proposed expansion would harmonize the definition among regulators, specifically the CFPB and the Federal Reserve, and “create a more consistent regulatory landscape.”