The Federal Trade Commission (FTC) has released two proposed rules that would amend its regulations implementing the Gramm-Leach-Bliley Act (GLBA). These regulations, known as the Safeguards Rule and the Privacy Rule, provide a framework for regulating the data security and data privacy practices of the financial institutions under the FTC’s jurisdiction.*
In each of the two releases, the FTC proposes to expand the definition of “financial institution” to make the FTC’s rules more consistent with those of the other regulators covered by the GLBA. In particular, the revised definition would include entities that are engaged in activities that are incidental to financial activities as described in section 4(k) of the Bank Holding Company Act of 1956. Such an addition would bring “finders” (companies that bring together buyers and sellers) within the scope of the rules.
The FTC’s Safeguards Rule requires financial institutions subject to its authority under the GLBA to implement and maintain an information security program to safeguard the security and confidentiality of customer information.
The FTC is proposing amendments to its Safeguards Rule that would introduce more specificity into the existing requirements. The amendments are primarily based on the cybersecurity regulations issued by the New York Department of Financial Services (NYDFS) and the insurance data security model law issued by the National Association of Insurance Commissioners (NAIC). They would require applicable financial institutions to:
Financial institutions that maintain customer information for fewer than 5,000 consumers would be exempt from certain of the proposed requirements.
Unlike the FTC’s Safeguards Rule, its Privacy Rule applies only to certain motor vehicle dealers.
The FTC’s proposed amendments to the Privacy Rule are primarily technical in nature and would:
Two FTC Commissioners concurrently published a dissenting statement indicating their belief that the proposed amendments to the Safeguards Rule may be premature, given that there is not yet data on the impact and efficacy of the NYDFS Cybersecurity Regulations and that Congress and the Executive Branch are discussing potential privacy and data security legislation.
* The GLBA requires the FTC, Federal Reserve, OCC, FDIC, NCUA, SEC, and state insurance authorities to each establish information security standards for the entities under their jurisdiction. The Federal Reserve, OCC, and FDIC jointly issued Interagency Guidelines Establishing Information Security Standards for the entities they supervise, including insured depository institutions, holding companies, and the branches and agencies of foreign banks, along with the subsidiaries of those entities except for broker-dealers, persons providing insurance, investment companies, and investment advisers. The FTC promulgated the Safeguards Rule for those entities under its authority, which extends to financial institutions not otherwise regulated by the other agencies covered by the GLBA.
The Dodd-Frank Act transferred the GLBA privacy notice rulemaking authorities of the Federal Reserve, OCC, FDIC, NCUA, and the FTC (except for certain motor vehicle dealers) to the CFPB. The CFPB finalized the implementing regulations as Regulation P.