The Federal Trade Commission (FTC) is seeking public comment on the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, which requires financial institutions under its jurisdiction, and their affiliates and service providers, to establish measures to keep customer information secure.
The FTC published its request for public comment Aug. 29 in the Federal Register as part of its systematic review of all rules and guidelines.
The commission promulgated the Safeguards Rule in 2002, borrowing the definition of “financial institution” from its earlier Privacy Rule, which defined it as “any institution the business of which is engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956.”
When promulgating the Privacy Rule, the FTC decided to define “financial activities” as only those deemed by the Federal Reserve Board to be “financial in nature,” excluding those deemed “incidental” or “complementary” to financial activities, a narrower reading than that used by other federal agencies. The FTC also decided that activities determined to be financial in nature after the enactment of the GLBA would not be automatically included in the Privacy Rule; the commission would have to take additional action to include them.
These two decisions effectively limited the activities covered by the FTC’s rules, and now the commission is seeking comment on whether the Safeguards Rule should be amended to include incidental activities, or activities determined after the GLBA’s enactment in 1999 to be financial in nature or incidental to financial activities.
The commission is requesting general comment on whether there is a continuing need for specific provisions of the rule; what modifications can be made to the rule to make it more beneficial to consumers; what costs the rule has imposed on consumers and how those costs can be reduced; how the rule impacts businesses, especially small businesses; the degree of industry compliance with the rule; whether the rule conflicts with any other federal, state or local laws or regulations; and what modifications should be made to the rule to account for changes in relevant technology or economic conditions.
But the FTC has some more specific questions it would like input on, including:
- Should the elements of a comprehensive information security program include a response plan in the event of a breach? If so, what should such a plan contain?
- Should the rule be modified to include more specific and prescriptive requirements for information security programs?
- Should the rule be modified to reference or incorporate information security standards or frameworks such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standard?
- Should the rule include its own definitions of terms, such as “financial institution”?
- Should the term “financial institution” be expanded to include “entities that are significantly engaged in activities that the Federal Reserve Board has found to be incidental to financial activities”?
- Should that definition of “financial institution” also include activities that have been found to be closely related to banking or incidental to financial activities by regulation or order in effect after the enactment of the rule?
Comments must be received by Nov. 7, 2016, and all comments received will be posted on the FTC’s website.