BEFORE THE FEDERAL TRADE COMMISSION

WASHINGTON, D.C. 20580

PRIVACY OF CONSUMER FINANCIAL INFORMATION--SECURITY

File #002-3054

COMMENTS OF THE NATIONAL ASSOCIATION OF

CONSUMER AGENCY ADMINISTRATORS

The National Association of Consumer Agency Administrators ("NACAA") submits the following comments in response to the Federal Trade Commission’s Notice seeking comments on developing the administrative, technical and physical information Safeguards Rule that the Commission is required to establish pursuant to section 501(b) of the Gramm-Leach-Bliley Act ("the Act") for the financial institutions under its jurisdiction, as set forth in section 505(a)(7) of the Act.

NACAA is a non-profit association representing over 165 consumer agencies at all levels of government in the United States and several other countries. Member agencies provide direct constituent services, such as consumer complaint handling, consumer education, advising consumers and businesses about their legal rights and responsibilities, and enforcing consumer laws and regulations. NACAA supports public agencies responsible for ensuring a fair and informed marketplace and representing the rights of consumers.

NEED FOR RULES GOVERNING THE PRIVACY
OF CONSUMER FINANCIAL INFORMATION

NACAA member agencies receive complaints and inquiries from consumers about many different consumer problems. Among these problems are claims of "identity theft," credit card fraud, credit card cramming and sharing of consumers’ private personal information, which both disturbs consumers’ sense of equanimity and subjects them to unwanted solicitation and other contact.

NACAA applauds the efforts of the financial institution regulators who have put much thought and effort into their description of notices which must be given to consumers and customers concerning the use of their information, and "opt out" provisions, permitting customers to prevent their information from being distributed in certain circumstances. These advance disclosures are an important first step in providing protection for individuals from unwarranted distribution of their personal data. NACAA believes, however, that content must be added to the precatory language which so far only serves to warn both the financial institution and consumer and customer that the information may be shared with others, unless the customer opts out of this information sharing.

1. Range of Information subject to the Safeguards Rule

Many consumers, NACAA is only too aware from the complaints it receives, seldom read the inserts that financial institutions place in their monthly statements. The print is often too small and too dense, and the language too legalistic for consumers to feel much comfort in the usefulness of the information provided. NACAA believes, therefore, that it is unlikely that customers and consumers will recognize much of a distinction between "customers’ nonpublic personal information" under the Commission’s Privacy Rule and "customer records and information" under the Safeguards Rule. Other than the fact that a consumer will not likely expect an annual privacy policy disclosure from a financial institution with which he or she only does sporadic business, both "consumers" and "customers" will feel it is their right to opt out of the sharing of their personal information, and that their personal information should be safeguarded, regardless of whether they have a continuing "customer" relationship with the institution. Nothing but confusion can come of the artificial distinctions so drawn. NACAA therefore recommends that the Safeguards Rule should apply to both consumer and customer information, regardless of whether that institution can accurately separate its customer records and information from its consumer records. NACAA believes that even with the best of intentions, information from both "customers" and "consumers" will become intermingled in the files of most, if not all, financial institutions.

2. Range of Financial Institutions Subject to the Safeguards Rule

NACAA believes that consonant with consumers’ reasonable expectation of privacy, the Safeguards Rule should require that an originating financial institution, which maintains the information of consumers or customers, only disclose its "customer records and information" subject to the receiving institution’s agreement to comply with the Safeguards Rule in its handling of the information, if that institution is not otherwise so required to protect this information. To do otherwise would be to encourage the sharing of information in order to effect dissemination, which is not the intended result of the legislation or the Rule.

Section C. Questions as to Other Aspects of the Commission’s Safeguards Rule

NACAA generally defers to the knowledge of financial institutions with respect to the questions raised by this Section of the Commission’s Notice. NACAA does not have technical expertise in the day-to-day operations of financial institutions. NACAA observes, however, that at a minimum, financial institutions, regardless of size, should be required to shred documents containing personal information of both consumers and customers before disposal, to provide for the physical security of its customer records and information. NACAA also believes that for the sake of clarity of the Safeguards Rule, and easy reference therein, separating out categories that focus on particular areas of operations, such as "Personnel Training and Management," "Information Storage and Transmission," and "Records Disposal," would be of use both to financial institutions, and to members of the public who seek further clarification of the protections provided them.

3. Statutory Objectives

In response to the Commission’s questions in this section, NACAA observes that the Commission, for the purposes of clarity and ease of use of the Rule, should define particular categories of threats and hazards, such as "Risks to Physical Security," "Risks to Integrity," or "Risks in Record Disposal," according to current technology and knowledge, with a requirement that financial institutions reassess these risks at regular intervals. An institution should also be required to reassess threats and hazards after it knows or should know of a new or emerging threat or hazard to the security or integrity of its records. NACAA also believes that customers should be granted access to their records in order to monitor the accuracy of the information in them, at a minimum, in the event the customer becomes aware that inaccurate information has caused the consumer financial harm--either fraud, denial of a financial service or product, or other defined categories of consumer harm.

As to preventing unwarranted access and use of customer records or information which could result in substantial harm or inconvenience to any customer, NACAA believes that financial institutions subject to the Rule should both be required to train their employees in procedures for preventing unauthorized use, and should maintain written policies concerning these procedures, as well as periodic recordkeeping and periodic auditing to demonstrate compliance with the policy and procedures.

Regarding "insuring security and confidentiality," NACAA believes that where applicable, the Safeguards Rule should require a financial institution that discloses customer records and information to notify the recipient of the information concerning the reuse and redisclosure of the information that is imposed by the Privacy Rule. As NACAA noted previously in its comments on the range of financial institutions subject to the Safeguards Rule, the recipient may not otherwise be subject to the Rule, and it might otherwise not be aware of these requirements.

D. Consideration of Other Agencies’ Safeguards Standards

NACAA notes that the proposed Interagency Guidelines and the NCUA’s proposed Guidelines both require regulated financial institutions to implement an "Information Security Program" that is developed by following certain procedures outlined by the Guidelines. The Guidelines focus on the procedures that should be followed to develop a written information security program, and do not specify particular security measures that must be adopted.

NACAA believes that the fact that the Commission does not conduct regular examination of financial institutions does warrant more specific security measures. NACAA believes that a minimum standard should be established for all financial institutions subject to the Rule, mandating compliance, and establishing that a violation of the Rule is actionable by the Commission or by state authorities, or is otherwise a violation of the Commission’s Fair Trade Practices Act. The Commission’s suggestion that it create safeguards categories, as in its "questions as to scope of the Commission’s Safeguards Rule," is a good one, and should be followed throughout the Rule, both for ease of use and clarification for institutions and consumers alike.

CONCLUSION

NACAA appreciates the opportunity to provide these comments to the FTC to assist in the development of the Safeguards Rule. NACAA invites the FTC to contact our Association for further clarification of our position or to request that NACAA respond to any questions that the FTC may have regarding these Comments.

RESPECTFULLY SUBMITTED,

SHERYL GOODWIN-LORD, President
NATIONAL ASSOCIATION OF CONSUMER
AGENCY ADMINISTRATORS