Customer financial information privacy; security program,

[Federal Register: September 7, 2000 (Volume 65, Number 174)]

[Proposed Rules]

[Page 54186-54189]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr07se00-24]

FEDERAL TRADE COMMISSION

16 CFR Part 313

Privacy of Customer Financial Information--Security

AGENCY: Federal Trade Commission.

ACTION: Advance notice of proposed rulemaking and request for comment.

SUMMARY: In this document, the Federal Trade Commission (the ``Commission'' or ``FTC'') requests comment on developing the administrative, technical, and physical information Safeguards Rule that the Commission is required to establish pursuant to section 501(b) of the Gramm-Leach-Bliley Act (the ``G-L-B Act'' or ``Act'') for the financial institutions under its jurisdiction, as set forth in section 505(a)(7). After reviewing the comments received in response to this document and request for comment, the Commission will issue a notice of proposed rulemaking.

DATES: Comments must be received on or before October 10, 2000.

ADDRESSES: Written comments should be addressed to: Secretary, Federal Trade Commission, Room H-159, 600 Pennsylvania Avenue, NW., Washington, DC 20580. The Commission requests that commenters submit the original plus five copies, if feasible. Comments should also be submitted, if possible, in electronic form, on either a 5\1/4\ or 3\1/2\ inch computer disk, with a disk label stating the name of the commenter and the name version of the word processing program used to create the document. (Programs based on DOS or Windows are preferred. Files from other operating systems should be submitted in ASCII format.) Alternatively, the Commission will accept comments submitted to the following e-mail address: GLB501Rule@ftc.gov. Those commenters submitting comments by e-mail are advised to confirm receipt by consulting the postings on the Commission's website at www.ftc.gov. In addition, commenters submitting comments by e-mail are requested to indicate whether they are also providing their comments in other formats. Individual members of the public filing comments need not submit multiple copies or comments in electronic form. All submissions should be captioned ``Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 313-Comment.''

FOR FURTHER INFORMATION CONTACT: Laura Berger, Attorney, Division of Financial Practices, Federal Trade Commission, Washington, DC 20580, 202-326-3224.

SUPPLEMENTARY INFORMATION

Section A. Background

On November 12, 1999, President Clinton signed the G-L-B Act (Pub. L. 106-102) into law. Subtitle A of Title V of the Act, captioned Disclosure of Nonpublic Personal Information, limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. Title V also requires the Commission to establish by rule appropriate standards for the financial institutions subject to its jurisdiction relating to administrative, technical, and physical safeguards (hereinafter ``Safeguards Rule'') to insure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

On May 12, 2000, the Commission issued a final rule implementing the requirements of Subtitle A that relate to the disclosure of nonpublic personal information about a consumer to nonaffiliated third parties and the disclosure to all customers of the institution's privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties (hereinafter ``Privacy Rule'').\1\ As required by section 504 of Subtitle A, the Commission worked with other federal government agencies and authorities (hereinafter ``the agencies'') \2\ to ensure that the Privacy Rule was consistent and comparable with the regulations prescribed by the agencies. The Privacy Rule will take effect on November 13, 2000, and full compliance is required on or before July 1, 2001.

\1\ The rule was published in the Federal Register at 65 FR 33646 (May 24, 2000).

\2\ The Office of the Comptroller of the Currency (``OCC''); the Board of Governors of the Federal Reserve System (``Board''); the Federal Deposit Insurance Corporation (``FDIC''); the Office of Thrift Supervision (``OTS''); the National Credit Union Administration (``NCUA''); the Secretary of the Treasury (``Treasury''); and the Securities and Exchange Commission (``SEC''). Section 504 required these agencies to prescribe, within six months of the Act's date of enactment (by May 12, 2000), ``such regulations as may be necessary to carry out the purposes of

[Subtitle A] with respect to financial institutions subject to their jurisdiction under section 505.''

The Act does not require the Commission (or other agencies) to coordinate in developing a Safeguards Rule, and permits the agencies, with the exception of the SEC and the Commission, to develop their safeguards standards by issuing guidelines.

[[Page 54187]]

On June 26, 2000, the OCC, Board, OTC, and FDIC published a joint Federal Register notice containing proposed Guidelines establishing standards for safeguarding customer information (hereinafter ``proposed Interagency Guidelines''), but requested comment as to whether a rule would be preferable to guidelines. 65 FR 39,471 (June 26, 2000). As proposed, the Interagency Guidelines will appear as an appendix to each Agency's Standards for Safety and Soundness. The NCUA published a Federal Register notice containing proposed safeguards guidelines on June 14, 2000. 65 FR 37,302. The NCUA's guidelines, as proposed, will be issued as an amendment to the NCUA's existing regulation governing security programs in federally-insured credit unions. As with the Privacy Rule, Treasury will not be issuing a separate rule. On June 22, 2000, the SEC adopted a final safeguards rule as part of its Privacy of Consumer Financial Information Final rule. See www.sec.gov/rules/ final34-42974.htm.

The SEC's safeguards rule restates the objectives of section 501(b), and passes along to financial institutions the requirement to develop policies and procedures that are ``reasonably designed'' to meet these goals.

Prior to issuing a proposed Safeguards Rule, the Commission seeks public comment on the following questions concerning the scope and potential requirements of such a rule. In formulating a proposed rule, the Commission will consider the costs and benefits of the proposed rule's requirements.

Section B. Questions as to Scope of the Commission's Safeguards Rule

In order to develop the Safeguards Rule the Commission is required to implement, the Commission seeks comment on several issues relevant to the proper scope of the rule.

1. Range of Information Subject to the Safeguards Rule

   The Commission requests comment on the range of information that should be subject to the Safeguards Rule. The privacy provisions of Subtitle A of Title V of the Act require that financial institutions provide certain notices of their privacy policies to individuals, but vary these requirements according to whether the individual is a ``customer'' or a ``consumer'' of the financial institution. Section 502 (a) & (b) (consumers); Section 503 (customers). Respecting consumers, the G-L-B Act generally prohibits a financial institution from disclosing nonpublic personal information about a consumer to a nonaffiliated third party without first notifying the consumer and providing an opportunity to opt out of the disclosure. Section 502 (a) & (b). Customers, however, are entitled to notice of a financial institution's privacy policies at the time that a customer relationship is established, and annually thereafter during the continuation of the relationship, regardless of whether nonpublic personal information will be shared with nonaffiliated third parties. Section 503.

   In contrast to the privacy provisions, section 501 of the G-L-B Act refers solely to customers' nonpublic personal information and customer records and information. Section 501(a) sets forth the ``policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information,'' while section 501(b), ``in furtherance of the policy in subsection (a)'', requires the Commission to establish standards: ``(1) To insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.'' Sections 501(a), 501(b)(1)-(3) (emphases added). The Commission requests comment on what constitutes ``customer records and information'' under subsection (b), particularly in light of the reference to ``customers' nonpublic personal information'' in subsection (a). Also, should the definition of ``customer records and information'' under the Safeguards Rule be similar to the definition of ``nonpublic personal information'' for customers under the Commission's Privacy Rule? Should the Safeguards Rule ever apply to ``consumer'' information maintained by a financial institution? Where, for example, a financial institution cannot accurately separate its customer records and information from its consumer records, should the Safeguards Rule require the financial institution to safeguard both types of records?

2. Range of Financial Institution Subject to the Safeguards Rule

   The Commission also requests comment on the range of financial institutions to which the Safeguards Rule should apply. With certain exceptions, a financial institution is defined in the Act as any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). Under the Commission's Privacy Rule, any institution that is significantly engaged in such financial activities is a financial institution. 16 CFR 313.3(k)(1). However, only those financial institutions that have ``consumers'' or establish ``customer relationships'' have an obligation to disclose their privacy policies under the Act. Secs. 502 & 503; 16 CFR 313.4 & 313.5. Financial institutions that have no customer relationships or consumers, but obtain nonpublic personal information from another financial institution (see, e.g., 16 CFR 313.13) are subject to the Privacy Rule's limitations on redisclosure and reuse of nonpublic personal information. 16 CFR 313.11. How should the Safeguard Rule apply when a financial institution discloses customer records and information to a financial institution that has no customer relationships or consumers? Should the Safeguards Rule require the originating financial institution to disclose its ``customer records and information'' subject to the agreement of the party (i.e., a different financial institution) receiving the information to comply with the Safeguards Rule in its handling of the information?

   Section C. Questions as to Other Aspects of the Commission's Safeguards Rule

   The Safeguards Rule must establish appropriate standards for financial institutions subject to its jurisdiction relating to the administrative, technical, and physical safeguards against the harms contemplated by the Act, in order to protect customer records and information from anticipated threats and hazards, and provide them with security and confidentiality, including protection against unauthorized access or use. At the same time, the Commission recognizes that financial institutions may deem different safeguards appropriate according to the size and complexity of the financial institution, the nature and scope of its activities, and the nature of its records. In what ways, if any, should the Safeguards Rule take into account the need for financial institutions to keep pace with changing technology and other changes to their operational environment? Should the Safeguards Rule set forth minimum procedures a financial institution must follow, a minimum level of effectiveness financial institutions must maintain through their safeguards, or a combination of both? Do any current private standards, association rules, or

   [[Page 54188]]

   guides provide useful guidance to the Commission in its formulation of safeguards standards for financial institutions subject to the Commission's jurisdiction? Should the Safeguards Rule delineate mechanisms for financial institutions to demonstrate compliance with the Rule? For example, should the Safeguards Rule require financial institutions to use a particular audit process to measure their own compliance?

1. Small Financial Institutions

   The Commission seeks comment on how the Safeguards Rule will achieve the results contemplated by the Act without unduly burdening the ability of small financial institutions to serve consumers. Further, to the extent commenters recommend that the Safeguards Rule require specific administrative, technical and physical safeguards, the Commission requests comment on whether the requirements are appropriate for small financial institutions.

2. Specificity of the Safeguards Rule

   What specific steps, if any, should the Safeguards Rule require financial institutions to take to provide administrative, technical, and physical safeguards for their customer records and information? Is a different level of specificity appropriate according to whether the Safeguards Rule is prescribing administrative, technical, or physical measures? For example, should the Safeguards Rule prescribe specific minimum measures, such as shedding of discarded paper records, that a financial institution must take to provide for the physical security of its customer records and information? Similarly, to provide for administrative security, should the Safeguards Rule require that financial institutions take particular minimum steps, such as designating an employee who is responsible for monitoring internal access to customer records and information? Alternatively, when dealing with technical safeguards, should the Safeguards Rule set forth a more general standard for adequate safeguards, such as ``effective controls or programs'' or ``reasonable policies and procedures''? If the Safeguards Rule provides a more general standard for administrative, technical, or physical safeguards, what examples or other clarification of adequate safeguards should be included? For example, should the Safeguards Rule set forth categories or areas of administrative, technical and physical safeguards (``safeguards categories'') for financial institutions to address in designing and implementing safeguards appropriate to their operations? Would safeguards categories that require a financial institution to focus on particular areas of operations, such as ``Personnel Training and Management,'' ``Information Storage and Transmission,'' and ``Records Disposal,'' assist financial institutions to develop and maintain safeguards in a thorough and consistent manner? Would a common standard, such as ``effective controls or programs'' or ``reasonable policies and procedures'' suggested above, apply to every safeguards category, or would some safeguards categories, such as ``Records Disposal,'' be subject to more objective requirements?

3. Statutory Objectives

   The Commission seeks comment on how the Safeguards Rule should reflect the three objectives for information safeguards that are set forth in section 501(b)(1)-(3) of the Act. a. Anticipation of Threats or Hazards to Security or Integrity

   Section 501(b) requires the Commission to establish standards for administrative, technical and physical safeguards to ``protect against anticipated threats or hazards to the security or integrity'' of customer records and information obtained by financial institutions. Section 501(b)(2). Should ``anticipated threats and hazards'' be defined, and if so, how? Should the Safeguards Rule require financial institutions to anticipate threats and hazards according to particular procedures? If so, what threats and hazards should be assessed, and by what procedures? Should the Safeguards Rule require financial institutions to assess threats and hazards according to particular categories (``risk categories''), such as ``Risks to Physical Security,'' ``Risks to Integrity,'' or ``Risks in Records Disposal''? When assessing threats and hazards, should a financial institution be required to classify the value and sensitivity of the records to be protected and/or the gravity of any threats? Under what circumstances, if any, should financial institutions be required to conduct these assessments in writing?

   Should the Safeguards Rule require that financial institutions reassess the threats or hazards to their information security systems, and, if so, at what intervals? Should the Safeguards Rule define technical or other changes to an institution's information security environment that warrant reevaluation of existing safeguards? Among other times, should a financial institution be required to assess threats and hazards within a reasonable time after it knows or should know of a new or emerging threat or hazard to the security or integrity of its records? Similarly, should the Safeguards Rule require that the effectiveness of existing safeguards be evaluated through appropriate tests? If so, how specifically should the standards define these tests?

   Finally, how should the Safeguards Rule protect against anticipated threats and hazards to the integrity of customer records and information? Should protecting integrity of customer records and information include requiring a financial institution to notify a customer when his or her records and information are subject to loss, damage, or unauthorized access? Does insuring integrity of customer records and information require that customers be granted periodic access to their records, in order to monitor the accuracy of this information? b. Preventing Unwarranted Access and Use

   In addition to requiring protection against anticipated threats and hazards, section 501(b) requires that the safeguards standards ``protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.'' Section 501(b)(3). Should ``unauthorized access'' and ``unauthorized use'' be defined, and if so, how? Should the Safeguards Rule require financial institutions to follow certain minimum procedures to ``protect against unauthorized access to'' customer records and information? Are there any circumstances under which financial institutions should be required to maintain written records of their procedures for preventing unauthorized access and use?

   If the Safeguards Rule should require financial institutions to follow certain minimum steps to prevent unauthorized access and use, what procedures are most appropriate for the diverse range of financial institutions subject to the Commission's jurisdiction? For example, should the Safeguards Rule require that financial institutions designate a person within the institution who is responsible for preventing and detecting unauthorized access to and use of customer records and information? Similarly, should the Safeguards Rule require that financial institutions enter into confidentiality agreements with their employees or train their employees in procedures for preventing unauthorized access to and

   [[Page 54189]]

   use of customer records and information? c. Insuring Security and Confidentiality

   In addition to requiring protection against anticipated threats and hazards and against unauthorized access and use, section 501(b) requires that the safeguards standards ``insure the security and confidentiality of customer records and information'' Section 501(b)(1). Does this requirement mean something more than protecting against anticipated threats and hazards and unauthorized access and use? In particular, what should insuring ``confidentiality'' of information mean? What measures should the Safeguards Rule require a financial institution to take to maintain the confidentiality and security of customer records and information that it discloses? Where applicable, should the Safeguards Rule require a financial institution that discloses customer records and information to notify the recipients of the limitations on reuse and redisclosure of the information imposed by the Privacy Rule? d. Consideration of Other Agencies' Safeguards Standards

   The proposed Interagency Guidelines and the NCUA's proposed Guidelines (collectively, ``the proposed Guidelines'') both require regulated financial institutions to implement an ``Information Security Program'' that is developed by following certain procedures outlined by the respective proposed Guidelines. In their respective section III.A., the proposed Guidelines require each financial institution to involve its board of directors and management in various aspects of developing, implementing, and assessing an information security program. Under both proposals, a financial institution must take four basic steps to develop an information security program: (1) Identify and assess the risks that may threaten protected information; (2) develop a written plan containing policies and procedures to manage and control these risks; (3) implement and test the plan; and (4) adjust the plan on a continuing basis to account for changes in technology, the sensitivity of the protected information, and internal or external threats to information security. Similarly, in their respective sections III.C., both proposals provide a list of factors that a financial institution should consider in developing its information security program. The factors include specific potential elements of a security plan that should be considered, such as ``contract provisions and oversight mechanisms'' to protect the security of information handled by service providers (respective III.C.(g)), as well as broader issues that the security plan should address, such as ``[a]cess rights to [covered] information,'' (respective III.C.(a)). Using the procedures provided by the proposed Guidelines, each covered financial institution is to develop a comprehensive information security program, the adequacy of which will be reviewed by the relevant agency through established oversight procedures, such as safety and soundness reviews. Finally, in their respective sections III.D., the proposed Guidelines require financial institutions to exercise due diligence in managing and monitoring outsourcing arrangements, in order to make sure that its service providers have implemented an effective information security program.

   The proposed guidelines focus on the procedures that should be followed to develop a written information security program, and do not specify particular security measures that must be adopted. They do provide, however, that the Board of Directors must oversee efforts to develop, implement, and maintain an ``effective'' information security program. Should the Commission's Safeguards Rule be similar to the proposed Guidelines, and if so, how? Does the Act's requirement that the Commission issue a rule, rather than guidelines, warrant a different approach? Does the fact that the Commission does not conduct regular examination of financial institutions warrant more specific security measures? What, if any, features of the more general approach to safeguards taken by the SEC in its Privacy of Consumer Financial Information Final Rule (described in Section A, supra) are suitable for the Commission's Safeguards Rule?

   By direction of the Commission. C. Landis Plummer, Acting Secretary.

   [FR Doc. 00-22945Filed9-6-00; 8:45 am]

   BILLING CODE 6750-01-M