October 9, 2000
Re: Gramm-Leach-Bliley Act Privacy Safeguard Rule, 16 CFR Part 313-Comment
To Whom It May Concern:
As students of Business and Society at Florida International University in Miami, we are required to select and conduct research on one of several class-selected proposed Federal rules. Students are required to work in groups of two to five persons in order to adequately research, prepare, and submit a formal comment on aspects of their selected rule.
Our group, consisting of the maximum five persons, selected this particular rule on which to voice our comments. As individuals and as a group, we strongly feel that all individuals have an intrinsic right to privacy. This is especially true for non-public and personal information that must be disclosed to financial institutions (or to any other institution or organization for that matter) as we seek to conduct our affairs.
Before going further, we pause to commend and applaud the efforts of the respective federal authorities, and in particular the Federal Trade Commission, as they seek to develop and implement the necessary safeguards rule to protect the rights of all concerned. We cannot stress enough the need to have such a rule in place to protect us from such intolerable invasions. The passing of the G-L-B Act is quite timely, perhaps long overdue.
We urge you to seriously consider the following comments (three specific aspects of the proposed rule have been selected for comment) as you seek to complete the development and implementation of this rule.
Range of Information Subject to the Safeguards Rule
To assist us with the preparation of our formal comment, we conducted a survey of twenty individuals from various backgrounds to get their views and opinions. Together with over ninety percent (90%) of the surveyed group, we feel that "customer records and information" is similar in definition to "customer non-public information." The two should be treated as one and the same in the establishment of the safeguards rule. Information including customer contact details, demographic details, and transactional records are all a part of the foregoing. Further, we strongly feel that any information whatsoever that is disclosed to a financial institution during the course of business is privileged and should be held in the strictest confidence by that institution.
In our opinion, there is a thin line between the definition of a consumer and a customer. It is our belief that once a relationship of whatever nature is established between the two parties, the institution has a duty of care to either customer or consumer and should respect the individual's right to privacy. The safeguards rule should apply to the records of both groups. If an institution is unable to differentiate between the records, the rule should require that institution to protect both types of information.
Range of Financial Institutions Subject to the Safeguards Rule
Consistent with the foregoing, all information disclosed to a financial institution (whether by a mere consumer or an established customer) must be held in the strictest confidence. In our opinion, a financial institution should, under no circumstance, disclose information to a third party without the approval of the customer or consumer. The rule should require the primary institution involved to seek the written approval of its customer or consumer before disclosing any information to a third party. The same restriction regarding disclosure and protection should be placed upon the secondary institution receiving the information.
Comments as to the Other Aspects of the Commission's Safeguards Rule
We are cognizant of the fact that not all institutions are the same and that each will be impacted differently by technological advancements and changes. We are also well aware of the need to balance costs against benefits in order to make sound and profitable investment decisions. It becomes difficult, therefore, to have a standardized rule requiring all financial institutions to keep pace with changes in technology.
We strongly believe that certain minimum procedures are needed for financial institutions to follow in protecting customer/consumer personal non-public information. For example, all institutions should be required to have an effective electronic database system that does not allow access to unauthorized individuals. This system should be constantly checked to ensure that there are no breaches.
The safeguards rule should definitely outline procedures that financial institutions must follow to demonstrate compliance. All institutions should have designated administrative personnel to ensure compliance. Additionally, they should be required to follow a standard audit process that will ensure that they are in compliance with the requirements of the rule.
On behalf of the members of my group, I am,
Calvin R. Ashley,