FTC Seeks to Update its Safeguards and Privacy Rules
On March 5, 2019, the Federal Trade Commission (FTC) published notices of proposed rulemaking to amend the existing standards for the safeguarding of consumer information, 16 C.F.R. Part 314 (the Safeguards Rule), and the privacy of consumer financial information, 16 C.F.R. Part 313 (the Privacy Rule). Both rules apply under Title V of the Gramm-Leach-Bliley Act (GLBA) to financial institutions within the FTC's jurisdiction, meaning non-bank financial institutions that are not otherwise subject to the enforcement authority of another regulator; the proposals would extend that coverage to entities that are "engaged in activities that are incidental to financial activities." If adopted, the proposed rules will have a significant impact on the operations of covered financial institutions.
Specifically, the proposed amendments would significantly enhance the Safeguards Rule and make less extensive, but nonetheless notable, changes to the Privacy Rule. Both rules have remained largely unchanged since their adoption roughly two decades ago, while during those decades technological advancements have substantially altered the ways in which financial institutions obtain, use, transmit, and manage consumer information. In addition, shifts in consumer expectations regarding the privacy and security of their personal information, coupled with more aggressive rulemaking and enforcement activity by state regulatory authorities, have highlighted the need for robust information security and privacy controls and risk management processes. The FTC's proposed amendments would bring the agency's GLBA rules more into alignment with these recent developments. Interested parties may submit comments to the FTC in response to the proposals within 60 days of their publication in the Federal Register.
The Current Safeguards and Privacy Rules
In brief, the existing Safeguards Rule requires financial institutions to develop, implement, and maintain information security programs that consist of the administrative, technical, and physical safeguards that a financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. Financial institutions' information security programs are intended to be risk-based and reasonably designed in accordance with the size and complexity of the institution and the nature of its activities. The Safeguards Rule was designed to be flexible and non-prescriptive in order to allow financial institutions to adapt to technological changes and innovations in security practices within the requirements of the Safeguards Rule. According to the FTC, the proposed amendments to the Safeguards Rule do not seek to upend this approach, but do provide more detailed guidance for financial institutions regarding the essential components of a compliant information security program.
The Privacy Rule requires financial institutions to provide consumers with notice of their privacy practices and to limit their use and disclosure of "nonpublic personal information" (NPI) as prescribed by the Privacy Rule. When originally adopted, the Privacy Rule applied to a wide range of nonbank financial institutions under the FTC's jurisdiction; however, the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act) transferred the majority of the rulemaking authority granted to the FTC under Title V of the GLBA to the Consumer Financial Protection Bureau (the CFPB). The CFPB then implemented consumer privacy regulations comparable to the Privacy Rule under its Regulation P, 12 C.F.R. Part 1016. Following this transition, the FTC's rulemaking authority under Title V of the GLBA continued to apply only to certain motor vehicle dealers. In addition, the FTC and other financial regulatory agencies with enforcement authority under the GLBA continued to maintain this authority with respect to all financial institutions subject to each agency's respective jurisdiction.[1]
Proposed Amendments to the Safeguards Rule
The FTC's proposed amendments to the Safeguards Rule are modeled in large part after two existing information security regulatory regimes: the cybersecurity regulations published by the New York State Department of Financial Services (the NYDFS), which apply to New York state-chartered banks, insurance companies and other financial services firms, and the insurance data security model law published by the National Association of Insurance Commissioners, which was developed to provide a guiding framework to the insurance industry and its regulated entities.[2] According to the FTC, the proposed amendments to the Safeguards Rule seek to achieve the following objectives, among others: (1) provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program, such as access controls, authentication, and encryption; (2) improve the accountability of financial institutions' information security programs, such as by requiring periodic reports to boards of directors or governing bodies; and (3) exempt small businesses from certain requirements of the amended Safeguards Rule.
Specific notable provisions of the proposed amendments include the following:
- Consistent with the amendments to the Privacy Rule described below, expanding the definition of "financial institution" to include entities that are engaged in activities that are deemed to be incidental to financial activities;
- Requiring financial institutions to designate a Chief Information Security Officer (CISO) to oversee an institution's entire information security program and report to the institution's board of directors or governing body, at least annually, on the status of the institution's information security program, its compliance with applicable regulatory requirements and other information security risk management matters;
- Establishing requirements for information security risk assessments designed to ensure that such assessments are thorough and complete (e.g., requiring risk assessments to be in writing and to include information on how an institution can mitigate or accept identified risks and modify its information security program to address such risks, and establishing that risk assessments should be updated periodically);
- Requiring the implementation of access controls for financial institutions' information systems (including multi-factor authentication for authorized users) and physical security controls for any locations where customer information is stored;
- Requiring the encryption of customer information, both in transit and at rest (unless, subject to the review and approval of the institution's CISO, alternative compensating controls are deemed to be more feasible);
- Establishing that information systems must include audit trails designed to detect and respond to security events;
- Requiring financial institutions to develop procedures for the secure disposal of customer information that is no longer necessary for business operations or other legitimate business purposes;
- Requiring financial institutions to conduct either continuous information system monitoring or periodic penetration testing and vulnerability assessments, and to implement policies and procedures designed to monitor the activity of authorized users and detect unauthorized access to, or use or tampering with, customer information;
- Requiring financial institutions to utilize qualified personnel to manage the institution's information security program and to implement policies and procedures governing information security training and education for all employees;
- Establishing risk-based standards for service provider onboarding and oversight; and
- Requiring financial institutions to develop and implement written incident response plans (WIRPs) that address specific prescribed areas in order to enable an institution to promptly respond to, and recover from, any security event materially affecting its information systems or customer data.
Notably, financial institutions that maintain customer information concerning fewer than 5,000 consumers would be exempt from certain requirements of the amended Safeguards Rule, including, for example, system monitoring and penetration testing and vulnerability assessments, the implementation of a WIRP, and CISO reporting requirements.
Proposed Amendments to the Privacy Rule
The FTC's proposed amendments to the Privacy Rule would result in two substantive changes: (1) modifications to annual privacy notice requirements to implement the statutory changes to the GLBA enacted by the Fixing America's Surface Transportation Act (the FAST Act) and (2) consistent with the proposed amendments to the Safeguards Rule noted above, expanding the scope and definition of "financial institution" to include entities that are engaged in activities that are incidental to financial activities.[3]
The FAST Act established that a financial institution is not required to provide an annual privacy notice under the Privacy Rule if it: (1) only shares NPI with nonaffiliated third parties in a manner that does not require notice of an opt-out right to be provided to its customers (pursuant to Subpart C of the Privacy Rule, 16 C.F.R. §§ 313.13–313.15) and (2) has not changed its privacy policies and practices with respect to the disclosure of NPI since it last provided a privacy notice to its customers. The CFPB published a final rule to implement these statutory changes in September 2018. The FTC's proposal would amend the annual notice requirements set forth under Section 313.5 of the Privacy Rule in accordance with the statutory exception established by the FAST Act and the CFPB's relevant amendments to Regulation P.
The FTC's proposed amendments to the Privacy Rule would also modify its scope (which, as noted, is limited to motor vehicle dealers) and the corresponding definition of "financial institution" to include companies that engage in activities that are financial in nature or incidental to such financial activities.[4] The FTC notes that one effect of this proposed amendment is that "finders" (persons or entities that charge a fee to connect consumers with a financial institution) would be captured by the definition of "financial institution." However, the FTC also notes that the anticipated impact of this change would be minimal, based on its expectation that most motor vehicle dealers currently subject to the Privacy Rule are already directly involved in obtaining financing for their customers.
Takeaways for Financial Institutions
While the FTC's proposed amendments to its Privacy Rule are likely to have a modest impact on affected financial institutions, the agency's proposed amendments to the Safeguards Rule could have a significant impact, particularly on smaller nonbank financial institutions that are not subject to the NYDFS's cybersecurity regulations or other state data security laws and have not yet been required to implement sophisticated and comprehensive information security controls. As NYDFS-licensed institutions and other entities subject to comprehensive data security regulatory requirements can attest, the establishment and maintenance of an information security program that complies with the requirements of the amended Safeguards Rule can be a massive and costly undertaking.
Financial institutions under the FTC's jurisdiction should strongly consider submitting comments to the FTC in an effort to shape any future final rule. As discussed in the FTC's proposals, the agency has solicited industry input for several years, particularly with respect to the Safeguards Rule, and appears intent on preserving the existing flexible, risk-based framework of the Safeguards Rule while also modernizing it and adding more detailed requirements with respect to its core elements. In certain instances, the FTC has requested comments on specific and material issues that were not included in the proposed amendments but may very well be included in a final rule. For example, the proposed requirement that financial institutions develop and implement WIRPs does not create any independent reporting or notification obligations; however, the FTC has solicited input on whether financial institutions should be required to report security incidents to the FTC (in addition to fulfilling any existing reporting requirements that may apply) and, if so, what parameters should be put in place for such a reporting obligation. The FTC also requests input on whether it would be appropriate to require financial institutions' CISOs or boards of directors to certify compliance to the FTC. These potential provisions, each of which is a requirement under the NYDFS's cybersecurity regulations, may necessitate the development of specific policies, procedures and controls and would create new liability and risk for many financial institutions. In sum, financial institutions should closely monitor the FTC's rulemaking process and may benefit from active participation.
* * *
Financial institutions interested in assistance with submitting comments to the FTC or seeking counseling on information security and privacy matters are encouraged to contact any of the authors listed below or your Arnold & Porter contact.
[1] The Dodd-Frank Act curtailed substantially the FTC's rulemaking authority with respect to the Privacy Rule, but not with respect to the Safeguards Rule. Accordingly, the Safeguards Rule continues to apply to an array of non-bank financial institutions within the FTC's enforcement jurisdiction.
[3] The FTC's proposed rulemaking would also implement technical corrections to the Privacy Rule to ensure that the regulatory text is consistent with the text of the GLBA, as amended by the Dodd-Frank Act. For example, the FTC proposes to remove certain provisions of the Privacy Rule that do not apply to motor vehicle dealers.
[4] A "financial institution" is defined at present under the Privacy Rule as "any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)). An institution that is significantly engaged in financial activities is a financial institution." 16 C.F.R. § 313.3(k)(1). The Privacy Rule also includes an illustrative list of institutions that are, and are not, deemed to be "financial institutions," as well as a list of examples of entities that are not deemed to be "significantly engaged in financial activities." See id. § 313.3(k)(2)–(4).