Public Workshop Examining Information Security for Financial Institutions and Information Related to Changes to the Safeguards Rule

Federal Register, Volume 85 Issue 45 (Friday, March 6, 2020)
[Federal Register Volume 85, Number 45 (Friday, March 6, 2020)]
[Proposed Rules]
[Pages 13082-13086]
From the Federal Register Online via the Government Publishing Office []
[FR Doc No: 2020-04610]
16 CFR Part 314
Public Workshop Examining Information Security for Financial
Institutions and Information Related to Changes to the Safeguards Rule
AGENCY: Federal Trade Commission.
ACTION: Public workshop and request for public comment.
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is
holding a public workshop relating to its April 4, 2019, Notice of
Proposed Rulemaking (``NPRM'') announcing proposed changes to the
Commission's Safeguards Rule. The workshop will explore information
concerning the cost of information security for financial institutions,
the availability of information security services for smaller financial
institutions, and other issues raised in comments received in response
to the NPRM.
DATES: The public workshop will be held on May 13, 2020, from 9:00 a.m.
until 4:30 p.m., at the Constitution Center Conference Center, located
at 400 7th Street SW, Washington, DC. Requests to participate as a
panelist must be received by March 13, 2020. Any written comments
related to agenda topics or the issues discussed by the panelists at
the workshop must be received by June 12, 2020.
ADDRESSES: Interested parties may file a comment or a request to
participate as a panelist online or on paper, by following the
instructions in the Filing Comments and Requests to Participate as a
Panelist part of the SUPPLEMENTARY INFORMATION section below. Write
``Safeguards Rule, 16 CFR part 314, Project No. P145407,'' on your
comment and file your comment online at by
following the instructions on the web-based form. If you prefer to file
your comment on paper, mail your comment to the following address:
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania
Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver
your comment to the following address: Federal Trade Commission, Office
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor,
Suite 5610 (Annex B), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773),
Division of Privacy and Identity Protection, Bureau of Consumer
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580.
I. Introduction
    In 1999,\1\ Congress enacted the Gramm Leach Bliley Act (``GLB'' or
``GLBA''). The GLBA provides a framework for regulating the privacy and
data security practices of a broad range of financial institutions.
Among other things, the GLBA requires financial institutions to
implement security safeguards for customer information. Pursuant to the
GLBA, the Commission promulgated the Safeguards Rule in 2002. The
Safeguards Rule became effective on May 23, 2003.
    \1\ Public Law 106-102, 113 Stat. 1338 (1999).
    The Safeguards Rule requires a financial institution to develop,
implement, and maintain a comprehensive information security program
that consists of the
[[Page 13083]]
administrative, technical, and physical safeguards the financial
institution uses to access, collect, distribute, process, protect,
store, use, transmit, dispose of, or otherwise handle customer
information.\2\ The information security program must be written in one
or more readily accessible parts.\3\ The safeguards set forth in the
program must be appropriate to the size and complexity of the financial
institution, the nature and scope of its activities, and the
sensitivity of any customer information at issue.\4\ The safeguards
must also be reasonably designed to ensure the security and
confidentiality of customer information, protect against any
anticipated threats or hazards to the security or integrity of the
information, and protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience to
any customer.\5\
    \2\ 16 CFR 314.2(c).
    \3\ 16 CFR 314.3(a).
    \4\ 16 CFR 314.3(a), (b).
    \5\ 16 CFR 314.3(a), (b).
    In order to develop, implement, and maintain its information
security program, a financial institution must identify reasonably
foreseeable internal and external risks to the security,
confidentiality, and integrity of customer information that could
result in the unauthorized disclosure, misuse, alteration, destruction,
or other compromise of such information, including in the areas of: (1)
Employee training and management; (2) information systems, including
network and software design, as well as information processing,
storage, transmission, and disposal; and (3) detecting, preventing, and
responding to attacks, intrusions, or other systems failures.\6\ The
financial institution must then design and implement safeguards to
control the risks identified through the risk assessment, and must
regularly test or otherwise monitor the effectiveness of the
safeguards' key controls, systems, and procedures.\7\ The financial
institution is also required to evaluate and adjust its information
security program in light of the results of this testing and
monitoring, as well as any material changes in its operations or
business arrangements, or any other circumstances that it knows or has
reason to know may have a material impact on its information security
program.\8\ The financial institution must also designate an employee
or employees to coordinate the information security program.\9\
    \6\ 16 CFR 314.4(b).
    \7\ 16 CFR 314.4(c).
    \8\ 16 CFR 314.4(e).
    \9\ 16 CFR 314.4(a).
    Finally, the Safeguards Rule requires financial institutions to
take reasonable steps to select and retain service providers that are
capable of maintaining appropriate safeguards for customer information
and require those service providers by contract to implement and
maintain such safeguards.\10\
    \10\ 16 CFR 314.4(d).
    On August 29, 2016, the Commission solicited comments on the
Safeguards Rule as part of its periodic review of its rules and
guides.\11\ The Commission sought comment on a number of general
issues, including the economic impact and benefits of the Rule;
possible conflicts between the Rule and state, local, or other federal
laws or regulations; and the effect on the Rule of any technological,
economic, or other industry changes. The Commission received 28
comments from individuals and entities representing a wide range of
viewpoints.\12\ Most commenters agreed that there is a continuing need
for the Rule and that it benefits consumers and competition.\13\
    \11\ Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7,
    \12\ The comments are posted at: The Commission has assigned each
comment a number appearing after the name of the commenter and the
date of submission. This notice cites comments using the last name
of the individual submitter or the name of the organization,
followed by the number assigned by the Commission.
    \13\ See, e.g., Mortgage Bankers Association (Comment #39);
National Automobile Dealers Association (Comment #40); Data &
Marketing Association (Comment #38); Electronic Transactions
Association (Comment #24); State Privacy & Security Coalition
(Comment #26).
    After reviewing the comments, the Commission published a Notice of
Proposed Rulemaking (``NPRM'') proposing to amend the Rule to include
more detailed requirements for the development and establishment of the
information security program required under the Rule, including
requirements for encrypting financial information, the use of
multifactor authentication, a written incident response plan, and the
creation of periodic reports for the financial institution's board of
directors.\14\ In addition, the Commission proposed amendments to the
definition of ``financial institution'' and the addition of examples
previously contained in the Privacy Rule to clarify the Safeguards
Rule.\15\ The Commission sought public comment on these proposed
amendments as well as requesting information about the cost, benefits
and options for information security for financial institutions,
particularly smaller institutions. The Commission received 48
comments.\16\ Thirteen comments from consumer groups, individuals,
academic institutions, and government groups generally supported the
addition of more detailed requirements as proposed. Twenty-four
comments from industry groups and individuals generally opposed the
addition, on the grounds that they would impose unwarranted costs on
financial institutions.
    \14\ 84 FR 13158 (April 4, 2019).
    \15\ Id.
    \16\ The comments are posted at
II. Issues for Discussion at the Workshop
    As part of the Safeguards Rule rulemaking, the FTC has decided to
seek additional information about the costs and benefits of the
proposed rule changes and the ability of financial institutions to
comply with them. The workshop will seek information, empirical data,
and testimony from security professionals who have worked with
financial services companies, and will cover such topics as:
    (1) Price models for specific elements of information security
    (2) Industry standards for security in various industries;
    (3) How risks of cybersecurity events change based on the size of
the financial institutions;
    (4) Availability of third party information security services aimed
at different sized institutions;
    (5) Different methods of achieving continuous monitoring of
information security systems;
    (6) Costs and optimal frequency of penetration and vulnerability
testing and the factors that affect that determination;
    (7) Best uses for security logs and audit trails;
    (8) The advantages and disadvantages of having a single person
responsible for the information security program;
    (9) How different corporate governance structures can affect
performance of information security programs;
    (10) Costs of encryption and multifactor authentication, and
possible alternatives to these technologies
    (11) Whether SMS is an appropriate factor for multifactor
    (12) The optimal balance between documentation and implementation
of security measures.
    A more detailed agenda will be published at a later date, in
advance of the scheduled workshop.
[[Page 13084]]
III. Public Participation Information
A. Workshop Attendance
    The workshop is free and open to the public, and will be held at
the Constitution Center, 400 7th Street SW, Washington, DC. It will be
webcast live on the FTC's website. For admittance to the Constitution
Center, all attendees must show valid government-issued photo
identification, such as a driver's license. Please arrive early enough
to allow adequate time for this process.
    This event may be photographed, videotaped, webcast, or otherwise
recorded. By participating in this event, you are agreeing that your
image--and anything you say or submit--may be posted indefinitely at or on one of the Commission's publicly available social
media sites.
B. Requests To Participate as a Panelist
    The workshop will be organized into panels, which will address the
designated topics. Panelists will be selected by FTC staff. Other
attendees will have an opportunity to comment and ask questions. The
Commission will place a transcript of the proceeding on the public
record. Requests to participate as a panelist must be received on or
before March 13, 2020, as explained Section IV below. Persons selected
as panelists will be notified on or before March 27, 2020. Disclosing
funding sources promotes transparency, ensures objectivity, and
maintains the public's trust. If chosen, prospective panelists will be
required to disclose the source of any support they received in
connection with participation at the workshop. This information will be
included in the published panelist bios as part of the workshop record.
C. Electronic and Paper Comments
    The submission of comments is not required for participation in the
workshop. If a person wishes to submit paper or electronic comments
related to the agenda topics or the issues discussed by the panelists
at the workshop, such comments should be filed as prescribed in Section
IV, and must be received on or before June 12, 2020.
IV. Filing Comments and Requests To Participate as a Panelist
    You can file a comment, or request to participate as a panelist,
online or on paper. For the Commission to consider your comment, we
must receive it on or before June 12, 2020. For the Commission to
consider your request to participate as a panelist, we must receive it
by March 13, 2020. Write ``Safeguards Rule, 16 CFR 314, Comment,
Project No. P145407'' and your comment and ``Safeguards Rule, 16 CFR
314, Request to Participate, Project No. P145407'' on your request to
participate. Your comment--including your name and your state--will be
placed on the public record of this proceeding, including to the extent
practicable, on the publicly available website,
    Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online, or to send them to the Commission by courier or
overnight service. To make sure that the Commission considers your
online comment, you must file it at
    Because your comment will be placed on a publicly accessible
website,, you are solely responsible for
making sure that your comment does not include any sensitive or
confidential information. In particular, your comment should not
include any sensitive personal information, such as your or anyone
else's Social Security number; date of birth; driver's license number
or other state identification number, or foreign country equivalent;
passport number, financial account number, or credit or debit card
number. You are also solely responsible for making sure your comment
does not include any sensitive health information, such as medical
records or other individually identifiable health information. In
addition, your comment should not include any ``trade secret or any
commercial or financial information which . . . is privileged or
confidential''--as provided by Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)-- including in
particular competitively sensitive information such as costs, sales
statistics, inventories, formulas, patterns, devices, manufacturing
processes, or customer names.
    Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comments to be withheld from
the public record.\17\ Your comment will be kept confidential only if
the FTC General Counsel grants your request in accordance with the law
and the public interest. Once your comment has been posted on the website, we cannot redact or remove your
comment from the FTC website, unless you submit a confidentiality
request that meets the requirements for such treatment under FTC Rule
4.9(c), and the General Counsel grants that request.
    \17\ See 16 CFR 4.9(c).
    Requests to participate as a panelist at the workshop should be
submitted electronically to [email protected], or, if
mailed, should be submitted in the manner detailed below. Parties are
asked to include in their requests a brief statement setting forth
their expertise in or knowledge of the issues on which the workshop
will focus as well as their contact information, including a telephone
number and email address (if available), to enable the FTC to notify
them if they are selected.
    If you file your comment or request on paper, write ``Safeguards
Rule, 16 CFR part 314, Comment, Project No. P145407'' on your comment
and on the envelope and ``Safeguards Rule, 16 CFR part 314, Request to
Participate, Project No. P145407,'' on your request and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite
CC-5610 (Annex F), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex
F). If possible, submit your paper comment or request to the Commission
by courier or overnight service.
    Visit the Commission website at to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before June 12, 2020. The Commission will consider
all timely requests to participate as a panelist in the workshop that
it receives by March 13, 2020. For information on the Commission's
privacy policy, including routine uses permitted by the Privacy Act,
V. Communications by Outside Parties to Commissioners or Their Advisors
    Written communications and summaries or transcripts of oral
communications respecting the merits of this proceeding, from any
[[Page 13085]]
party to any Commissioner or Commissioner's advisor, will be placed on
the public record.\18\
    \18\ See 16 CFR 1.26(b)(5).
    By direction of the Commission.
April J. Tabor,
Acting Secretary.
Concurring Statement of Commissioners Christine S. Wilson and Noah
Joshua Phillips
    Today the Commission announced a public workshop relating to its
April 4, 2019 notice of proposed rulemaking (``NPRM'') recommending
changes to the Commission's Safeguards Rule. Although we dissented from
the issuance of the NPRM, we concur with the decision to hold this
workshop. Our dissent from the issuance of the NPRM \1\ was based in
part on the fact that the FTC lacked an adequate evidentiary basis for
the proposed rule's requirements, so we applaud the FTC's willingness
to seek additional information, empirical data, and testimony from
stakeholders and experts to inform the agency's analysis of potential
changes to the Safeguards Rule.
    \1\ Dissenting Statement of Commissioner Noah Joshua Phillips
and Commissioner Christine S. Wilson, Regulatory Review of
Safeguards Rule (Mar. 5, 2019),
    Our dissent expressed several concerns that subsequently were
echoed in comments submitted to the FTC during the NPRM process:
     First, we were concerned that the proposed revisions are
overly prescriptive. We are wary of trading flexibility for a costly
one-size-fits-all approach that would divert company resources away
from risk management initiatives specifically tailored to each entity's
unique data collection, usage, and storage practices.\2\ Our wariness
was exacerbated by the fact that the proposal would apply remedies
imposed in specific data security enforcement actions--generally
outside the context of the Safeguards Rule and only to the firms named
in those actions--to financial information generally, without a basis
to conclude that the Safeguards Rule is not adequate or that covered
firms systematically have worse data security than those not covered,
such that additional regulation beyond the current Rule would be
    \2\ Comments express similar concerns that the proposal is
overly prescriptive and creates costs that may not significantly
reduce data security risks or increase consumer benefits. See
Comments submitted by Office of Advocacy, U.S. Small Business
Administration, National Automobile Dealers Association, Mortgage
Bankers Association, Global Privacy Alliance, Software Information &
Industry Association, and U.S. Chamber of Commerce. NPRM Comments
are posted at
     Second, we were concerned that this new and prescriptive
approach would impose significant incremental costs without materially
reducing data security risks or significantly increasing consumer
benefits.\3\ The submission from NADA, by way of example, highlights
the incremental costs imposed by the proposed revisions: NADA estimates
that it would cost the average car dealership one-time, up-front costs
of $293,975, with $276,925 in additional costs each year.\4\ These
incremental costs will be particularly burdensome for new entrants and
smaller companies, which may ultimately hinder competition with larger
and better-established rivals.
    \3\ See Comment from the National Independent Automobile Dealers
Association (noting the considerable costs imposed on financial
institutions from the proposed revisions and the need for the FTC to
demonstrate a clear link between its proposal and reductions in data
security risks and increases in consumer benefits).
    \4\ Comment from the National Automobile Dealers Association
(NADA), 42.
     Third, we were concerned that the suggested Rule revisions
substituted the Commission's judgment for a private firm's governance
    \5\ This sentiment is reflected in the comment from the Software
Information & Industry Association.
     Fourth, we were concerned that the Rule was premature
because the proposed regulations are substantially based on relatively
new New York State Department of Financial Services regulations that
have not been market-tested for feasibility and efficacy.\6\
    \6\ Comments express similar concerns that the FTC's proposed
regulations rely on untested frameworks and recommend allowing time
to assess the impacts of the model legislation. See Comments from
the Office of Advocacy, US Small Business Administration, CTIA,
National Automobile Dealers Association, and Consumer Data Industry
Association (CDIA).
    The workshop will enable the FTC to obtain additional information
about the costs and benefits of the proposed rule changes and the
ability of companies that fall within the Rule's scope to comply with
the proposed changes. We continue to encourage stakeholders, including
experts in security for financial services companies, to comment and
provide evidence for this workshop. We are particularly interested in
hearing from those who are knowledgeable about security for small
businesses. In light of the significant proposed changes to the
Safeguards Rule, and the concerns expressed by many commenters thus
far, we view this additional solicitation of input from stakeholders as
Statement of Commissioner Rohit Chopra Joined by Commissioner Rebecca
Kelly Slaughter
     Corporate America's surveillance of our personal data is
not just about privacy. Foreign actors are stealing and stockpiling
this data, which threatens our national security.
     Companies like Equifax, with their unquenchable thirst for
data and their shoddy security practices, are not victims. We must act
to curtail the collection, abuse, and misuse of data.
     Rather than ``hold our breath and wait'' for Congress, the
FTC should use the legal authority it has today to protect our
citizens, our economy, and our country.
    A few weeks ago, U.S. Attorney General William Barr announced
criminal indictments against four members of the Chinese People's
Liberation Army for conspiring to hack Equifax's computer systems. The
Attorney General noted that China has a ``voracious appetite for the
personal data of Americans'' and linked China with several other high-
profile hacks of personal data held by large U.S. corporations,
including the intrusions into one of America's largest hotel chains,
Marriott, and one of America's largest health insurers, Anthem.\1\
    \1\ William P. Barr, U.S. Attorney General, Attorney General
William P. Barr Announces Indictment of Four Members of China's
Military for Hacking into Equifax, Remarks as Prepared for Delivery,
(Feb. 10, 2020),
    The threat posed by China's hacks goes far beyond identity theft.
As explained by Attorney General Barr, ``these thefts can feed China's
development of artificial intelligence tools as well as the creation of
intelligence targeting packages.'' \2\ Safeguarding personal data is
undoubtedly a national security issue.
    \2\ Id.
    In spite of these risks, lax security practices continue to expose
our data. According to an alert by the Department of Homeland Security,
85 percent of targeted attacks are preventable.\3\ For example, it is
hard to call Equifax a victim. Their shoddy approach to security was
practically an invitation for the Chinese People's Liberation Army to
raid Americans' data. Equifax received critical alerts on the need to
[[Page 13086]]
software systems, but failed to do so. Equifax even stored sensitive
usernames and passwords in plain text.\4\
    \3\ Press Release, Department of Homeland Security, Alert (TA15-
119A) Top 30 Targeted High Risk Vulnerabilities, (Sept. 29, 2016),
    \4\ Fed. Trade Comm'n v. Equifax, Case 1:19-mi-99999-UNA, U.S.
District Court for the Northern District of Georgia, Atlanta
Division, Complaint for Permanent Injunction and Other Relief at 7-8
(July 22, 2019),
    The costs of maintaining the status quo approach are significant
and mounting. According to industry analysis, the majority of small
businesses currently ``do not have a cyberattack prevention plan,'' \5\
yet nearly half of them have experienced at least one breach within the
last year.\6\ Data breaches can be particularly perilous for small
businesses and new entrants, with one survey finding that 66 percent
could face temporary or permanent closure if their systems are
    \5\ Craig Lurey, Cyber Mindset Exposed: Keeper Unveils its 2019
SMB Cyberthreat Study, Keeper Security, (July 24, 2019),
    \6\ Hiscox Cyber Readiness Report 2019, Hiscox Ltd., (Apr. 23,
    \7\ Press Release, VIPRE Announces Launch of VIPRE Endpoint
Security--Cloud Edition, Business Wire, (Oct. 2, 2017),
    The process of putting into place clear rules requiring
corporations to prevent abuse and misuse personal data is long overdue.
As the agency responsible for data protection across most of the
economy, the Federal Trade Commission plays a central role.
    While the effort to update the Safeguards Rule is a start, its
reach will be limited to certain nonbank financial institutions like
Equifax, and violations don't even come with any civil penalties. Given
the ongoing harms to individuals and our country, we should use every
tool in our toolbox to address data security issues. The Commission has
urged Congress to act, but I agree with Commissioner Rebecca Kelly
Slaughter, who has argued that ``we cannot simply hold our breath and
wait.'' \8\ There are many ways that we can curtail the collection,
misuse, and abuse of personal data, including launching a rulemaking
that broadly applies to companies across sectors so there are
meaningful sanctions for violators. We have this authority today.
    \8\ Last year, Commissioner Slaughter described how the FTC
could use its existing authority to initiate a data protection
rulemaking. See Rebecca Kelly Slaughter, Commissioner, Fed. Trade
Comm'n, Remarks at the Silicon Flatirons Conference at the
University of Colorado Law School: The Near Future of U.S. Privacy
Law, (September 6, 2019),
    Commissioners Wilson and Phillips argue that we must consider the
impact of data security on competition. I agree. Data security must
also be top of mind in our competition enforcement work across sectors
of the economy. We should be reviewing how mergers can lead to a race
to the bottom on data security. We need to rigorously scrutinize data
deals. Companies are being bought and sold based on the data they have
and the data they can continue to collect. Acquired data is being
merged into larger databases and used in ways that people may not have
authorized when they signed up for the service or initially provided
their information.
    We need to continue to take a close look at what promises were made
in exchange for data access and whether those promises were upheld when
the data was sold. We also need to examine how companies are
integrating different security systems, whether strong security
standards are being maintained, and whether sensitive data is being
handled appropriately.
    Finally, we need to consider whether there are limits to the amount
of data one company can collect and compile, the types of data one
company can combine, and the ways in which data can be used and
monetized. The scale and scope of data collection that large companies
are engaging in has made them--and us--sitting ducks for malicious
actors. Since these companies are more fixated on monetizing that data
than securing it, their mass surveillance has become a national
security threat. Our adversaries know that these large firms have
essentially done the dirty work of collecting intelligence on our
citizens, and lax security standards make it easy to steal. Ultimately,
we need to fix the market structures and incentives that drive firms to
harvest and traffic in our private information, so that complacent
companies are punished when they don't care about our security needs or
    The extraordinary step of criminal indictments of members of the
Chinese People's Liberation Army announced by the Attorney General is
yet another wake-up call. Until we take serious steps to curb corporate
surveillance, the risks to our citizens and country will only grow as
bad actors continue to steal and stockpile our data. The FTC will need
to act decisively to protect families, businesses, and our country from
these unquantifiable harms.
[FR Doc. 2020-04610 Filed 3-5-20; 8:45 am]