The Federal Trade Commission is seeking comment from businesses, professional associations, consumer groups and others on proposed security standards for customer financial information held by a broad range of traditional and non-traditional financial institutions. The standards are required by the Gramm-Leach-Bliley Act, which as of July 1, 2001 requires financial institutions to notify customers about their privacy practices and allow consumers to "opt out" of having their nonpublic personal information disclosed to nonaffiliated third parties. The Act's security provisions require the Commission and certain other federal agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer information. As stated in a Federal Register Notice to be published August 7, the objectives of these standards are: to insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer.
The Commission published a Federal Register Notice and Request for Comment on September 7, 2000 seeking public comment on the scope and potential requirements of a Safeguards Rule and has considered the comments it received in response, as well as the safeguards standards adopted by other agencies, in formulating its proposed rule. "Virtually all of the comments urged that the standards for safeguarding information be flexible," the Notice says. "To ensure flexibility, the proposed rule provides that each information security program should be appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the customer information at issue." At the same time, the proposed rule would require ". . . certain basic elements that the Commission believes are important to information security." Thus, each financial institution would be required to "1) designate an employee or employees to coordinate its [safeguards] program; 2) assess risks in each area of its operations; 3) design and implement an information security program to control these risks; 4) require service providers (by contract) to implement appropriate safeguards for the customer information at issue; and 5) adapt its program in light of material changes to its business that may affect its safeguards."
The Notice states that keeping the rule's requirements flexible would allow smaller businesses to implement appropriate programs without setting too low a target for more sophisticated operations. Thus, the Notice explains that "[t]he proposed standard . . . which explicitly allows for flexibility according to the size and complexity of a financial institution and the nature and scope of its activities, should minimize the rule's burdens on small entities."
The FTC is seeking comments until the first business day to fall 60 days after publication in the Federal Register, October 9, 2001. An original and five copies of comments should be submitted to: Secretary, Federal Trade Commission, Room 159, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. Comments may also be submitted via e-mail to GLB501Rule@ftc.gov
Copies of the Federal Register Notice will be available from the FTC's web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at www.ftc.gov. The FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
(FTC File No. 002 3054)