The Federal Trade Commission is seeking comment on proposed amendments to rules that protect the privacy and security of customer information held by financial institutions.
The Gramm-Leach-Bliley Act, enacted in 1999, provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, it requires financial institutions to provide customers with information about the institutions’ privacy practices and about their opt-out rights and to implement security safeguards for customer information.
The Safeguards Rule, which went into effect in 2003, requires a financial institution to develop, implement, and maintain a comprehensive information security program. The Privacy Rule, in effect since 2000, requires a financial institution to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.
“We are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection. “While our original Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience. It also shows that, where we have rulemaking authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments.”
In August 2016, the FTC solicited comments on the Safeguards Rule as part of its periodic reviews. Among the topics offered for commentary was whether the rule should reference or incorporate any other information security standards or frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standard (PCI DSS).
The majority of commenters advocated against referring to or incorporating these standards and frameworks. Some argued that the FTC should not adopt the NIST Framework as a binding set of obligations because it would lead to a “check the box” security mandate and would add a layer of complexity for institutions that already have to comply with numerous preexisting federal and state requirements. The Electronic Transactions Association, for example, argued that the framework is “not designed to replace an organization’s cyber-security risk management” and that it is not intended to be a standard or checklist.
Although the PCI DSS may be appropriate for payment card issuers and acquirers, MasterCard and others argued that it would not necessarily apply well to other financial institutions.
The FTC says the Safeguards Rule should include more detailed requirements for the development and establishment of information security programs. The proposed amendments are based primarily on the cyber-security regulations issued by the New York Department of Financial Services and the insurance data security model law issued by the National Association of Insurance Commissioners.
Among the suggested changes is expanding the current requirement to designate an “employee or employees to coordinate information security programs.” The proposal refers to this individual as a chief information security officer, or CISO, although financial institutions would not be required to give the designated individual that title. The proposed amendment would also no longer allow financial institutions to designate more than one person to coordinate the information security program.
Under the proposal, the CISO need not be an employee of the financial institution. He or she can be an employee of an affiliate or a service provider. The proposed change is meant to accommodate financial institutions that may prefer to retain an outside expert or those that lack the resources to employ their own information security staff qualified to oversee a program.
Another proposal is designed to ensure that a financial institution inventories the data in its possession and the systems on which that data is collected, stored, or transmitted. It would also require a company to understand which devices and networks contain customer information, who has access to them, and how those systems are connected to each other and to external networks.
The current proposal also demands that financial institutions restrict access to physical locations containing customer information to authorized individuals only. This provision is aimed at physical copies of records rather than at networks: institutions would be required to protect paper files and control access to the areas in which those files are stored, for example by restricting access to work areas where personnel use hard copies of customer information or by requiring locks on filing cabinets that contain it. The provision would also cover policies for securing physical devices that hold customer information, such as laptops, tablets, phones, and thumb drives.
Proposed amendments would also require financial institutions to encrypt all customer information and “implement multifactor authentication for any individual accessing customer information” or “internal networks that contain customer information.” The FTC emphasizes multifactor authentication as a minimum standard for allowing access to customer information.
Another change up for discussion requires information systems to include audit trails designed to detect and respond to security events.
Audit trails are chronological logs that show who has accessed an information system and what activities the user engaged in during a given period. The proposed rule neither requires any specific type of audit trail, nor that every transaction be recorded in its entirety. It must, however, be designed to allow the financial institution to detect when the system has been compromised or when an attempt to compromise has been made. The audit trail must also provide sufficient information for the financial institution to reasonably respond to the event. The proposed amendment does not require that the audit trails be retained for any particular period.
An amendment to existing rules would require financial institutions to develop procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes. “The disposal of records, both physical and digital, can result in exposure of customer information if not performed properly,” the FTC says. “Similarly, if records are retained when they are no longer necessary, there is a risk that those records will be subject to unauthorized access.”
Financial institutions could also be required to adopt procedures for change management. Change management procedures govern the addition, removal, or modification of elements of an information system. Under the proposal, firms would need to develop procedures to assess the security of devices, networks, and other items added to their information system. For example, an institution that acquired a new subsidiary and wished to combine the new subsidiary’s network with its own would be required to assess the security of the new network and the effect of adding it to the existing network.
Financial institutions would be required to implement policies and procedures designed “to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.” In addition to threats posed by outside actors, “authorized users such as employees and contractors can pose a substantial risk to the security of customer information,” the FTC says. “This amendment would require financial institutions to take steps to monitor those users and their activities related to customer information in a manner adapted to the financial institution’s particular operations and needs.”
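As an added illustration, not part of the FTC notice or of this article, the following Python script shows what the audit-trail provision and the authorized-user monitoring provision described above amount to in practice. It parses a small constructed audit log, flags an attempted compromise (a burst of failed logins from one account) and flags suspicious activity by an authorized user (rapid access to many distinct customer records, or a wildcard export). The record format, user names, thresholds and time windows are all assumptions chosen for the example; a real institution would tune them to its own operations, which is exactly the “adapted to the financial institution’s particular operations and needs” point the FTC makes.

```python
"""Audit-trail analysis over a constructed sample log.

Added example only; the record format, names and thresholds are assumptions.
Each record: <ISO-8601 UTC timestamp> <user> <action> <outcome> <resource>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit trail (not real data, not from the FTC notice).
SAMPLE_LOG = """\
2019-03-05T09:00:01Z alice LOGIN ok -
2019-03-05T09:00:07Z alice READ ok cust/1001
2019-03-05T09:30:00Z alice READ ok cust/1002
2019-03-05T09:01:15Z bob LOGIN fail -
2019-03-05T09:01:20Z bob LOGIN fail -
2019-03-05T09:01:25Z bob LOGIN fail -
2019-03-05T09:01:30Z bob LOGIN fail -
2019-03-05T09:01:35Z bob LOGIN fail -
2019-03-05T09:02:00Z carol LOGIN ok -
2019-03-05T09:02:10Z carol READ ok cust/2001
2019-03-05T09:02:20Z carol READ ok cust/2002
2019-03-05T09:02:30Z carol READ ok cust/2003
2019-03-05T09:02:50Z carol EXPORT ok cust/*
2019-03-05T09:05:00Z dave LOGIN fail -
2019-03-05T09:05:01Z dave LOGIN ok -
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<outcome>\S+) (?P<resource>\S+)$"
)


def parse_log(text):
    """Parse records into dicts, rejecting malformed lines instead of
    silently dropping them (a gap in the trail is itself a finding)."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: malformed audit record: {raw!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "action": m["action"],
                       "outcome": m["outcome"], "resource": m["resource"]})
    events.sort(key=lambda e: e["ts"])  # records are often appended out of order
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Attempted compromise: `threshold` or more failed LOGINs by one account
    inside a sliding `window`. Returns {user: {"first", "last", "count"}}."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["action"] != "LOGIN" or e["outcome"] != "fail":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerts:
            alerts[e["user"]] = {"first": q[0], "last": e["ts"], "count": len(q)}
    return alerts


def bulk_customer_access(events, threshold=3, window=timedelta(minutes=2)):
    """Authorized-user misuse: one account touching `threshold` distinct
    customer records inside `window`, or any wildcard export.
    Returns {user: [reason, ...]} for accounts that triggered a rule."""
    recent = defaultdict(deque)
    alerts = defaultdict(list)
    for e in events:
        if e["outcome"] != "ok" or not e["resource"].startswith("cust/"):
            continue
        if e["action"] == "EXPORT" and e["resource"].endswith("*"):
            alerts[e["user"]].append("wildcard export")
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["resource"]))
        while e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {res for _, res in q}
        if len(distinct) >= threshold and "bulk access" not in alerts.get(e["user"], []):
            alerts[e["user"]].append("bulk access")
    return dict(alerts)


def analyze(text):
    """Run both detectors over a raw audit trail."""
    events = parse_log(text)
    return {
        "attempted_compromise": failed_login_bursts(events),
        "authorized_user_activity": bulk_customer_access(events),
    }


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOG).items():
        print(category)
        for user, detail in hits.items():
            print(f"  {user}: {detail}")
```

Two design points carry over from the proposal's wording: the parser refuses malformed records rather than skipping them, because a trail that cannot be read is not one that lets the institution “reasonably respond to the event,” and the detectors are windowed per account rather than global counters, so a legitimate user's slow, steady work is not flagged while a burst of failures or a rapid sweep across customer records is.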
A proposed change would retain existing requirements regarding the oversight of service providers but add a requirement that institutions periodically assess service providers “based on the risk they present and the continued adequacy of their safeguards.” The current rule requires an assessment of service providers’ safeguards only at the onboarding stage; the proposed amendment is designed to require financial institutions to monitor their service providers on an ongoing basis to ensure they are maintaining adequate safeguards to protect customer information that they possess or access.
Commenters will also be asked to consider a change that requires a financial institution’s CISO to “report in writing, at least annually, to [the financial institution’s] board of directors or equivalent governing body” regarding the overall status of the information security program and compliance with the Safeguards Rule. For financial institutions that do not have a board of directors or equivalent, the CISO must make the report to a senior officer responsible for the financial institution’s information security program. The FTC is requesting comments on whether the proposed rule should also require the board or equivalent governing body to certify compliance with the rule.
Under the Dodd-Frank Act, the majority of the FTC’s rulemaking authority for the Privacy Rule was transferred to the Consumer Financial Protection Bureau, with the exception of rulemaking authority pertaining to certain motor vehicle dealers. The Safeguards Rule, however, still applies to all financial institutions within the FTC’s general enforcement jurisdiction.
“This creates a confusing situation where the Safeguards Rule, on its face, appears to cover types of ‘financial institutions’ that the Privacy Rule no longer covers,” the FTC statement says.
To address this, the FTC proposes incorporating the definition of “financial institution” and accompanying examples from the Privacy Rule into the modernized Safeguards Rule.
“This change will only increase the clarity of the Rule,” it says. One notable change: expanding the definition of “financial institution” to include so-called “finders” who charge a fee to connect consumers looking for a loan to a lender.
Comments must be received within 60 days of publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.
The Commission vote to submit the Privacy Rule notice for publication in the Federal Register was 5-0. The Commission vote to submit the Safeguards Rule notice for publication in the Federal Register was 3-2. Commissioners Noah Joshua Phillips and Christine Wilson issued a dissenting statement.
The proposed regulations may be premature, they wrote. “They are based in substantial part on regulations promulgated two years ago by the New York State Department of Financial Services,” they explained. “We do not have data about the impact and efficacy of those regulations, so whether to adopt a version of them at the federal level and whether that version should be a floor for or should preempt state-level rules seem like questions worthy of more study.”
The Safeguards Rule, as it stands today “is a flexible approach, appropriate to a company’s size and complexity,” the commissioners added. “This proposal would move us away from that approach. There are direct costs for enhanced precautions, but this record does not demonstrate that those costs will significantly reduce data security risks or significantly increase consumer benefits. The expansion of the rule could create traps for the unwary, especially small and innovative businesses. Further, large incumbents can often absorb regulatory compliance costs more effectively than new entrants or smaller players, potentially decreasing competition.”
Another complaint: The notice of proposed rulemaking “proposes that the Commission substitute its own judgment for a private firm’s governance decisions, including but not limited to the appropriate level of board engagement, hiring and training requirements, and program accountability structures.”