On August 29, 2016, the FTC announced it is seeking public comment on its Safeguards Rule as part of a systematic review of all FTC rules and guides. The Safeguards Rule came into force in 2003 after the Gramm-Leach-Bliley Act (GLBA) required that the FTC and other agencies establish administrative, technical, and physical information security standards for financial institutions. Of particular note is the FTC’s call for comments on whether it should reference or incorporate other standards, such as PCI-DSS or NIST standards, which may signal a shift from the FTC’s previous resistance toward using express standards in defining reasonable security. The Wyndham case included complaints that the FTC had not clearly communicated what it considers to be “reasonable security,” though the Commission’s recent LabMD Opinion specifically referenced the NIST Guide for Conducting Risk Assessments as a helpful framework for conducting risk assessments.
Under 15 U.S.C. § 6805, GLBA grants the FTC jurisdiction over “any other financial institution or other person that is not subject to the jurisdiction of any agency or authority under paragraphs (1) through (6) of this subsection.” The Rule’s definition of “financial institution” is limited to institutions significantly engaged in financial activities, but not activities incidental or complementary to financial activities, as defined by the Federal Reserve Board. The Safeguards Rule requires financial institutions to develop, implement, and maintain comprehensive information security programs to protect all customer information in the institution’s possession, including information about the customers of other institutions. The Rule also requires institutions to perform risk assessments, design and implement safeguards to address identified risks, and regularly test or otherwise monitor the effectiveness of those safeguards.
The FTC is asking stakeholders for input on the efficacy and cost effectiveness of the Safeguards Rule in practice; the effect on the Rule of any technological, economic, or other industry changes; and any possible conflict between the Rule and other state, local, or federal laws or regulations. The Commission also encourages stakeholders to provide feedback on five specific proposed changes to the Rule.
- Should the Rule’s required information security program include a response plan in the event of a breach that affects the security, integrity, or confidentiality of customer information?
- Should the Rule include more specific and prescriptive requirements for information security plans?
- Should the Rule reference or incorporate any other information security standards or frameworks (e.g., the NIST Cybersecurity Framework or PCI-DSS)?
- Should the Rule include its own definition of terms, such as “financial institution,” rather than incorporating definitions from the Privacy Rule?
- Should the Rule’s definition of “financial institutions” be expanded to include “entities that are significantly engaged in activities that the Federal Reserve Board has found to be incidental to financial activities”?
The deadline for comments is November 7, 2016.