BEFORE THE FEDERAL TRADE COMMISSION
WASHINGTON, D.C. 20580
PRIVACY OF CONSUMER FINANCIAL INFORMATION--SECURITY
COMMENTS OF THE NATIONAL ASSOCIATION OF
CONSUMER AGENCY ADMINISTRATORS
The National Association of Consumer Agency Administrators ("NACAA") submits the following comments in response to the Federal Trade Commission's Notice seeking comments on developing the administrative, technical and physical information Safeguards Rule that the Commission is required to establish pursuant to section 501(b) of the Gramm-Leach-Bliley Act ("the Act") for the financial institutions under its jurisdiction, as set forth in section 505(a)(7) of the Act.
NACAA is a non-profit association representing over 165 consumer agencies at all levels of government in the United States and several other countries. Member agencies provide direct constituent services, such as consumer complaint handling, consumer education, advising consumers and businesses about their legal rights and responsibilities, and enforcing consumer laws and regulations. NACAA supports public agencies responsible for ensuring a fair and informed marketplace and representing the rights of consumers.
NEED FOR RULES GOVERNING THE PRIVACY
NACAA member agencies receive complaints and inquiries from consumers about many different consumer problems. Among these problems are claims of "identity theft," credit card fraud, credit card cramming and sharing of consumers' private personal information, which both disturbs consumers' sense of equanimity and subjects them to unwanted solicitation and other contact.
NACAA applauds the efforts of the financial institution regulators who have put much thought and effort into their description of notices which must be given to consumers and customers concerning the use of their information, and "opt out" provisions, permitting customers to prevent their information from being distributed in certain circumstances. These advance disclosures are an important first step in providing protection for individuals from unwarranted distribution of their personal data. NACAA believes, however, that content must be added to the precatory language which so far only serves to warn both the financial institution and consumer and customer that the information may be shared with others, unless the customer opts out of this information sharing.
1. Range of Information subject to the Safeguards Rule
2. Range of Financial Institutions Subject to the Safeguards Rule
NACAA believes that, consonant with consumers' reasonable expectation of privacy, the Safeguards Rule should require that an originating financial institution, which maintains the information of consumers or customers, only disclose its "customer records and information" subject to the receiving institution's agreement to comply with the Safeguards Rule in its handling of the information, if that institution is not otherwise required to protect this information. To do otherwise would be to encourage the sharing of information in order to effect dissemination, which is not the intended result of the legislation or the Rule.
Section C. Questions as to Other Aspects of the Commission's Safeguards Rule
NACAA generally defers to the knowledge of financial institutions with respect to the questions raised by this Section of the Commission's Notice. NACAA does not have technical expertise in the day-to-day operations of financial institutions. NACAA observes, however, that at a minimum, financial institutions, regardless of size, should be required to shred documents containing personal information of both consumers and customers before disposal, to provide for the physical security of their customer records and information. NACAA also believes that for the sake of clarity of the Safeguards Rule, and easy reference therein, separating out categories that focus on particular areas of operations, such as "Personnel Training and Management," "Information Storage and Transmission," and "Records Disposal," would be of use both to financial institutions and to members of the public who seek further clarification of the protections provided them.
3. Statutory Objectives
In response to the Commission's questions in this section, NACAA observes that the Commission, for the purposes of clarity and ease of use of the Rule, should define particular categories of threats and hazards, such as "Risks to Physical Security," "Risks to Integrity," or "Risks in Record Disposal," according to current technology and knowledge, with a requirement that financial institutions reassess these risks at regular intervals. An institution should also be required to reassess threats and hazards after it knows or should know of a new or emerging threat or hazard to the security or integrity of its records. NACAA also believes that customers should be granted access to their records in order to monitor the accuracy of the information in them, at a minimum in the event the customer becomes aware that inaccurate information has caused the consumer financial harm--either fraud, denial of a financial service or product, or other defined categories of consumer harm.
As to preventing unwarranted access to and use of customer records or information which could result in substantial harm or inconvenience to any customer, NACAA believes that financial institutions subject to the Rule should be required both to train their employees in procedures for preventing unauthorized use and to maintain written policies concerning these procedures, as well as periodic recordkeeping and periodic auditing to demonstrate compliance with the policy and procedures.
Regarding "insuring security and confidentiality," NACAA believes that, where applicable, the Safeguards Rule should require a financial institution that discloses customer records and information to notify the recipient of the information of the requirements concerning reuse and redisclosure of the information that are imposed by the Privacy Rule. As NACAA noted previously in its comments on the range of financial institutions subject to the Safeguards Rule, the recipient may not otherwise be subject to the Rule, and it might otherwise not be aware of these requirements.
D. Consideration of Other Agencies' Safeguards Standards
NACAA notes that the proposed Interagency Guidelines and the NCUA's proposed Guidelines both require regulated financial institutions to implement an "Information Security Program" that is developed by following certain procedures outlined by the Guidelines. The Guidelines focus on the procedures that should be followed to develop a written information security program, and do not specify particular security measures that must be adopted.
NACAA believes that the fact that the Commission does not conduct regular examination of financial institutions does warrant more specific security measures. NACAA believes that a minimum standard should be established for all financial institutions subject to the Rule, mandating compliance, and establishing that a violation of the Rule is actionable by the Commission or by state authorities, or is otherwise a violation of the Commission's Fair Trade Practices Act. The Commission's suggestion that it create safeguards categories, as in its "questions as to scope of the Commission's Safeguards Rule," is a good one, and should be followed throughout the Rule, both for ease of use and for clarification for institutions and consumers alike.
NACAA appreciates the opportunity to provide these comments to the FTC to assist in the development of the Safeguards Rule. NACAA invites the FTC to contact our Association for further clarification of our position or to request that NACAA respond to any questions that the FTC may have regarding these Comments.
SHERYL GOODWIN-LORD, President