October 9, 2001
Re: Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314 - Comment
Dear Mr. Secretary:
Associated Credit Bureaus, Inc. (ACB) appreciates the opportunity to offer these comments on the FTC's proposed rule regarding standards for safeguarding customer information (Safeguards Rule), which is authorized by Title V of the Gramm-Leach-Bliley Act (GLB Act).
ACB is an international trade association representing more than 500 consumer reporting agencies. These consumer information companies provide fraud prevention and risk management products, credit and mortgage reports, tenant and employment screening services, check fraud and verification services and collections services.
The stated objectives of the proposed Safeguards Rule are to: (1) ensure the security and confidentiality of customer records and information; (2) protect against anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to, and use of, such records or information that could result in substantial harm or inconvenience to a customer. Proposed § 314.3(b).
To accomplish these objectives, the proposed rule would require a financial institution to implement a written information security program having safeguards appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue. Proposed § 314.3(a). The program must contain the elements set forth in Proposed § 314.4 and must be reasonably designed to achieve the rule's objectives. The proposed rule is intended to give financial institutions the flexibility to design their own information safeguards programs as long as the program contained the rule's basic elements and met its stated objectives. The Commission has invited comments on the benefits and burdens of these provisions and other issues.
ACB strongly supports the proposed rule's objectives. Because much of the information held by consumer reporting agencies is considered highly confidential, ACB members believe safeguarding this data is one of our most important responsibilities.
In particular, ACB applauds the Commission's goal of establishing standards that are appropriately flexible for the wide array of financial institutions covered by the FTC's proposed rule.(1) Each covered institution must be able to develop a compliance program that is tailored to its own operation. The Safeguards Rule should focus on setting the standards for protecting customer information and allow financial institutions the flexibility to determine how best to achieve these goals. The success of ACB members in protecting our data from security threats is attributable to our ability to adapt to a rapidly changing environment and meet new threats to data security as they arise.
Finally, we especially appreciate the Commission's acknowledgment of the need to carefully consider the benefits and burdens of each provision of the proposed Safeguards Rule. The final rule should avoid unproductive duplication of requirements so that each compliance dollar spent by financial institutions contributes directly to improving the security of customer information.
Proposed § 314.1 - Purpose and Scope
Compliance with Alternative Information Security Standards
The Commission requests comment on whether and how compliance with other information security rules and laws should be addressed in the Safeguards Rule. Although the GLBA is the most comprehensive federal law addressing the confidentiality of consumers' personal information, Congress has previously enacted more targeted laws that protect certain consumer information. By recognizing compliance with these laws as compliance with the FTC's Safeguards Rule, the Commission will avoid imposing additional compliance costs that do not benefit consumers.
ACB members have operated for many years under the original federal act protecting the security and confidentiality of consumers' financial information held by third parties - the Fair Credit Reporting Act ("FCRA"). The FCRA imposes unique obligations on consumer reporting agencies to protect the confidentiality of consumer information. The FCRA's safeguard requirements for consumer reporting agencies meet or exceed the requirements of the GLB Act and the Commission's proposed Safeguards Rule. Because the FCRA contains a comprehensive scheme for protecting consumer information held by consumer reporting agencies, ACB urges the Commission to consider a consumer reporting agency's compliance with the FCRA as compliance with the Safeguards Rule.
The FCRA is significantly more protective of consumer information than the GLB Act. Under the GLB Act, the banking agencies have adopted safeguards guidelines that follow the approach generally used in setting rules for depository institutions. The banking agencies require financial institutions to establish appropriate policies and practices and then examine each institution to confirm the adequacy of the adopted policies and that they consistently adhere to them. The FTC's proposed rule largely follows this approach of requiring covered financial institutions to adopt an appropriate program to safeguard customer information.
In contrast, the FCRA's requirements are more specific and go well beyond physical safeguards. A review of just a sample of the FCRA's provisions illustrates the high level of protection Congress has afforded consumer information covered by the Act. The FCRA requires a consumer reporting agency to:
· Maintain reasonable procedures to limit the release of consumer reports only to persons having a statutorily defined "permissible purpose" to obtain it. Sections 604(a); 607(a).
Finally, the FCRA provides for civil and criminal liability for any person who obtains a consumer report under false pretenses, and also provides that officers and employees of consumer reporting agencies can be prosecuted criminally for knowing and willful disclosure of consumer information that is not expressly authorized by the FCRA. Sections 616, 619, 620.
Operating under these strict statutory requirements, the consumer reporting industry has developed comprehensive and effective measures to safeguard the security and confidentiality of consumer information in its files. There is no evidence of any failure by the consumer reporting industry to meet its safeguard obligations. For that reason, the Commission's final rule should provide that a consumer reporting agency's compliance with the FCRA would constitute compliance with the final Safeguards Rule.
Scope of Coverage
Although ACB believes that a "safe harbor" of compliance with the FCRA is the most effective method of avoiding duplication in the requirements of the FCRA and the GLB Act, the Commission could accomplish substantially the same result by limiting the final rule's coverage to information about a financial institution's own customers.
The proposed rule would apply to all "customer" information in a financial institution's possession, even if the information does not relate to the financial institution's own customers. See proposed § 314.1(b). Throughout its Supplementary Information, the Commission discusses its concern that customer information receive appropriate protection whether it is held by a financial institution, an affiliate, or a service provider. ACB agrees with this concern but believes less burdensome methods exist to accomplish this goal. Indeed, other provisions of the Commission's Privacy Rule and proposed Safeguards Rule provide this protection:
Moreover, the FTC's approach appears to be at odds with the GLB Act and with the guidelines issued by the federal banking agencies. The express language of the GLB Act distinguishes between customer information and consumer information and expresses the Congressional intent that the safeguard standards apply to the financial institutions' own customers' nonpublic personal information. Subsection 501(a) states:
15 U.S.C. §6801(a); GLBA §501(a) (emphasis added).
The proposed Safeguards Rule is promulgated pursuant to GLBA subsection 501(b), which requires that the rule be established "[i]n furtherance of the policy in subsection (a)." 15 U.S.C. §6801(b); GLBA §501(b). Because the FTC's proposed rule would require financial institutions to adopt a safeguards program for information involving other financial institutions' customers, the proposal is inconsistent with the express language of the GLBA and the Congressional intent that the safeguard standards for financial institutions apply to the institutions' own customers' nonpublic personal information.
In addition, the FTC's proposal is in contrast to the guidelines issued by the federal banking agencies and appears to be at odds with the GLB Act itself. The banking agency guidelines stated:
Federal Banking Agency Guidelines/Joint Final Rule, 66 Fed. Reg. 8616 et seq. (emphasis added). Accordingly, the Office of the Comptroller of the Currency, the Federal Reserve System and the Federal Deposit Insurance Corporation guidelines define "customer" as "any customer of the bank as defined in [the Privacy Rule]," see id. at 8633, 8635, 8638 (emphasis added). The Office of Thrift Supervision's guidelines use different words but achieve the same result. The OTS guidelines define "customer" as "any of your customers as defined in [the Privacy Rule]." Id. at 8640 (emphasis added). The coverage of the FTC's Safeguards Rule should not exceed that of the banking agencies' guidelines.
Proposed § 314.3 - Standards and Objectives
Requirement for "Written" Program
ACB agrees that the information security program ought to be in writing and supports the Commission's observation that the program need not be set forth in a single document. Our members' information security programs are highly confidential business procedures. A requirement that the program be reflected in a single master document could actually increase its vulnerability to improper access, which could compromise the institution's entire information security program. Due to the importance of this point, the FTC should consider incorporating into the final rule:
Requirement for "Comprehensive" Program
The banking agency guidelines and examination procedures require an "adequate" written information security program, whereas the Commission's proposed rule uses the phrase "comprehensive written information security program." The term "comprehensive" should be deleted as unnecessary. The required content of the information security program is described in the next section on "elements." Proposed § 314.4(a). Inserting "comprehensive" in this section could create potential confusion on whether it is a substantive requirement relating to the content of the program or a description of the level of detail in the program's written description. The proposed language could lead to unproductive debates about whether the description of the program is sufficiently comprehensive. The Safeguards Rule's focus should be kept on the desired result - safeguarding customer information.
Finally, ACB notes that proposed § 314.3(b)(1) uses the term "insure" rather than "ensure." We believe that the intent is to "ensure" the confidentiality of the customer information and note that the FTC uses "ensure" in the Supplemental Information. 66 Fed. Reg., at 41164.
Proposed § 314.4 - Elements
The Commission has asked for comment on whether the Safeguards Rule should apply to all service providers. 66 Fed. Reg., at 41166. ACB believes there is no need to apply the rule to service providers receiving data under the exceptions in §§ 313.14 and 313.15 of the FTC's Privacy Rule.
When nonpublic personal information is disclosed under one of the exceptions in the Privacy Rule, no requirement exists for contractual language to protect the confidentiality of the information. Such a contractual requirement is unnecessary because the GLB Act limits the redisclosure of the nonpublic personal information by the party that receives it under those exceptions. Because the GLB Act itself provides for the confidentiality of the nonpublic personal information, there is no need for a contractual requirement to protect it.
Proposed § 314.5 - Effective Date
The proposed rule would require financial institutions to implement an information security program not later than one year from the date on which a final rule is issued. One element of the program requires the financial institution to oversee service providers by, among other things, contractually obligating the service provider to implement and maintain appropriate safeguards for the customer information at issue. Proposed § 314.4(d)(2). The Commission has sought comment on whether it should provide for a two-year transition period with respect to the rule's effective date to allow the continuation of existing contracts with service providers, even if these contracts would not fully satisfy the rule's requirements.
If the final rule retains proposed § 314.4(d), ACB urges such a grandfathering provision for existing contracts. As we explain above, protection of information held by service providers is already covered by the Privacy Rule. Moreover, the proposed Safeguards Rule assures the protection of these data even without a contractual provision. Proposed § 314.4(d)(1) would require not only that financial institutions select service providers that are capable of maintaining appropriate safeguards, but also that they retain capable service providers. Consequently, financial institutions must comply with the substantive requirement of retaining service providers that have appropriate safeguards procedures, even if their contracts with their service providers lacked the proposed rule's contractual language. By grandfathering existing service provider contracts for two years, the Commission would enable a financial institution to add the specific safeguards language when its contracts are amended or renewed in the normal course of business. Such a transition period would reduce the cost of compliance without compromising the Safeguards Rule.
ACB greatly appreciates the opportunity to provide these comments on the FTC's proposed Safeguards Rule. If you have any questions on our comments, or if we can otherwise be of further assistance in connection with the proposal, please do not hesitate to call me at 202.408.7416.
Stuart K. Pratt
1. There is ambiguity in the extent to which the GLB Act privacy provisions apply to financial institutions, such as consumer reporting agencies, which do not engage in the financial activities specifically set forth in § 4(k) of the Bank Holding Companies Act, but which may engage in activities which the Federal Reserve Board has determined to be "financial in nature" when they are performed in conjunction with banking activities. See 12 C.F.R. § 225.28.