FTC Considering Making Changes to GLBA's Safeguards, Privacy Rule
New amendments to the rules, proposed last week and largely based on the New York State Department of Financial Services’ Cybersecurity Regulation, would better protect customer information held by financial institutions.
The Federal Trade Commission is considering making changes to how it interprets the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act (GLBA) in an attempt to more closely align with requirements of other agencies, like the New York Department of Financial Services and the National Association of Insurance Commissioners’ “Model Law.”
April Tabor, the FTC's Acting Secretary, published two notices of proposed rulemaking, seeking request for public comment last week.
Currently, under the Safeguards Rule, financial institutions have to protect consumer information they collect, through an information security program and by identifying and assessing risks to customer information. The Privacy Rule requires financial institutions to tell their customers about their information-sharing and make clear that they have a right to "opt-out" if they don't want their data shared with third parties.
The FTC's proposed modifications (.PDF) to the Safeguards Rule is five-pronged. According to Tabor it would add provisions to give financial institutions more guidance around developing specific actions of an information security program, namely access controls, authentication, and encryption. It would also up the accountability of institutions by requiring reports to boards of directors on information security programs.
Another change would build off the current definition of financial institution to include any organization that's engaged in activities the Federal Reserve Board determines fits the mold of "financial activities." The amendment would incorporate the definition of "financial institution" too; currently it borrows the definition from another FTC rule, Privacy of Consumer Financial Information Rule.
The most interesting amendment here is the adoption of enhanced security controls. The FTC says in the documentation that it views financial institutions having access controls as "a fundamental requirement of all information security programs," and encryption as "an appropriate and important way to protect customer information from unauthorized use and access."
Encryption is one area where the FTC is on the fence still though. One proposed amendment would require financial institutions to encrypt all customer data, both in transit and at rest. Later in the same amendment, the FTC muddies the waters a bit by saying it’s considering allowing CISOs to use alternative ways to protect customer information a la the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This would essentially let an organization use an alternative to encryption if they don't think it will be reasonable in their environment.
Other proposed amendments, like requiring financial institutions to implement multi-factor authentication for individuals accessing customer information, requiring the implementation of policies and procedures to monitor the activity of authorized user, providing personnel with security awareness training, and to establish an incident response plan, directly mirror NYDFS' Cybersecurity Regulation (23 NYCRR 500).
The FTC's proposed amendments (.PDF) to the Privacy Rule would align it with requirements of the Gramm-Leach-Bliley Act as amended by the Dodd-Frank and FAST Acts. Specifically, the FTC is looking to revise the scope of the Privacy Rule, the rule's annual customer privacy notice requirement - and similar to the proposed Safeguards Rule change - how it defines "financial institution."
Aside from modifying the definition of "financial institution," the changes would really be be just to clarify when motor vehicle dealers have to provide annual privacy notices. Another change would mirror the Dodd-Frank Act by removing references that don't apply to motor vehicle dealers.
It’s important to note that everyone at the FTC isn’t completely on board with these proposed changes. Commissioners Noah Phillips and Christine Wilson voted against increasing the requirements out of concern the proposed changes would be more prescriptive, something that could "create traps for small business and entrench incumbents," according to Phillips.
Today, Commissioner Wilson and I voted against a Notice of Proposed Rulemaking to increase requirements for financial institutions under the Safeguards Rule. You can find our dissent here: https://t.co/qcxAfVmFSf. (1/3) https://t.co/jd19HxkwZf— Noah J. Phillips (@FTCPhillips) March 5, 2019
The two published a dissenting statement (.PDF) last Tuesday saying they support the FTC's calls for federal data security legislation but worry that the changes be too one-size-fits-all and could “dilute core data security measures.”
The two are also concerned with that fact the NYDFS's Cybersecurity Rule was only put into action two years ago and that making rule changes around it may be too premature.
"We do not have data about the impact and efficacy of those regulations, so whether to adopt a version of them at the federal level and whether that version should be a floor for or should preempt state-level rules seem like questions worthy of more study," the two wrote.
As soon the notices of proposed rule making surface in the Federal Register, individuals will have 60 days to file comment.