On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”).  Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.

In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.”  Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.

Proposed Revisions to the Safeguards Rule’s Information Security Program Requirements

The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction.  The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program.  As currently drafted, the Safeguards Rule has few prescriptive requirements, but instead generally directs financial institutions to take reasonable steps to protect customer information.

The FTC’s proposed revisions would add substantially more detail to these requirements.  Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is “to better protect consumers and provide more certainty for business.”  The new requirements are primarily based on the cybersecurity regulations issued by the New York Department of Financial Services (“NYSDFS”) and the insurance data security model law issued by the National Association of Insurance Commissioners.

Some of the specific proposed changes include:

  • Revising the requirement to designate an “employee or employees to coordinate [the] information security program” to require designation of a single individual, referred to as a Chief Information Security Officer (“CISO”), as responsible for overseeing and implementing the program;
  • Adding requirements to financial institutions’ risk assessments, including that the assessment must be written, describe how the information security program will address the identified risks, and be performed periodically;
  • Requiring financial institutions to implement access controls on information systems, as well as restrict access to physical locations containing customer information only to authorized individuals;
  • Requiring customer information to be encrypted, both in transit and at rest;
  • Requiring implementation of multi-factor authentication for any individual accessing customer information;
  • Requiring information systems to include audit trails designed to detect and respond to security events;
  • Requiring financial institutions to develop procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes;
  • Requiring financial institutions to develop procedures for change management;
  • Requiring financial institutions to implement policies and procedures “to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users;”
  • Requiring regular testing and continuous monitoring of relevant key controls, systems and procedures;
  • Requiring that financial institutions implement appropriate training and education, including verifying that key security personnel take steps to maintain current cybersecurity knowledge, and utilize qualified security personnel;
  • Expanding the requirement to oversee service providers to require financial institutions to periodically assess such service providers based on the information security risk they present;
  • Requiring that financial institutions establish incident response plans; and
  • Requiring that the financial institution’s CISO report at least annually to the institution’s board of directors on issues related to the information security program.

Dissenting Statement of Commissioners Phillips and Wilson

Notably, the proposal to amend the Safeguards Rule was issued pursuant to a 3-2 divided vote of the FTC’s commissioners.  Commissioners Noah Phillips and Christine Wilson issued a dissenting statement that argues that the proposed approach “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”  Further, while Commissioners Phillips and Wilson acknowledge that the amendments remain a mere proposal, they “are concerned that the specific suggestions . . . will frame the debate so as to take the Commission in a direction that may be unwarranted,” particularly in light of the possibility of new comprehensive federal data protection legislation.

Other Proposed Changes to the Privacy Rule and the Safeguards Rule

The FTC is also proposing to make certain changes to the Privacy Rule, which is also issued under the GLBA. The Privacy Rule implements the information sharing restrictions in GLBA solely as to motor vehicle dealers.  The Dodd-Frank Act transferred the bulk of the rulemaking authority for implementing these provisions to the Consumer Financial Protection Bureau (“CFPB”), which does so pursuant to Regulation P (Privacy of Consumer Financial Information).

The FTC is proposing to make a small number of changes to the Privacy Rule to align it with the CFPB’s Regulation P and a Federal Reserve Board interpretive regulation.  Specifically, the FTC is proposing to expand the definition of “financial institution” to explicitly include “finders,” who “charge a fee to connect consumers who are looking for a loan to a lender.”  This proposed change would align with Regulation P’s definition of “financial institution,” which incorporates an interpretation of the Federal Reserve Board that acting as a finder is an activity “incidental to a financial activity.”  The FTC is proposing an identical revision to the definition of “financial institution” in the Safeguards Rule.  The FTC is also proposing technical or clarifying amendments to the Privacy Rule to align with the changes to the GLBA annual privacy notices contained in the Dodd-Frank Act and the FAST Act of 2015.

Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

David Stein

David Stein advises clients on credit reporting, financial privacy, financial technology, payments, retail financial services, and fair lending issues. He assists a broad range of financial services firms, consumer reporting agencies, financial technology companies, and their vendors with regulatory, compliance, supervision, enforcement, and transactional matters.

David has significant experience advising clients on compliance with the FCRA, GLBA, ECOA, EFTA, E-Sign Act, TILA, TISA, FDCPA, Dodd-Frank Wall Street Reform and Consumer Protection Act, and FTC Act, as well as state financial privacy laws. David is a member of the firm’s fintech and artificial intelligence initiatives and works with clients on issues related to cutting edge technologies, such as blockchain, virtual currencies, big data and data analytics, artificial intelligence, online lending, and payments technology.

David previously served in senior regulatory, policy-making, and management positions at the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Board (FRB). He played a significant role in developing regulations and policy on credit reporting, financial privacy, retail payments systems, consumer credit, fair lending, overdraft services, debit interchange, unfair or deceptive acts or practices, and mortgage origination and servicing. David draws upon his government experience in representing clients before the CFPB, the FRB, and other regulatory agencies and leverages his insights into the regulatory process to provide clients with practical, actionable advice.