October 9, 2001
Via Electronic Mail
Secretary, Federal Trade Commission
Re: GLBA Standards for Safeguarding Customer Information Proposed 16 C.F.R. Part 314 – Comment
The Council of Insurance Agents & Brokers (the "Council") submits these comments to assist the Commission in its consideration of the rules that it has proposed under the Gramm-Leach-Bliley Act (GLBA)[1] to establish standards for financial institutions relating to administrative, technical and physical information safeguards (Proposed Rule).[2] The Council represents the nation’s largest commercial property and casualty insurance agencies and brokerage firms. More than 80 of the Council’s members are small businesses. Council members, who operate both nationally and internationally, conduct business in more than 2,000 locations, employ more than 120,000 people, and annually place more than 80 percent of the commercial property and casualty insurance premiums in the United States. In addition, Council members specialize in a wide range of insurance products and risk management services for business, industry, government, and the public.
Although the Council’s members generally are regulated by the States under the GLBA and not subject directly to the Proposed Rule, many of the financial institutions with which they do business on a regular basis, such as consumer reporting agencies, are subject to FTC jurisdiction. Its members thus are affected indirectly by the Proposed Rule because, under its terms, these institutions must ensure the safety and security not only of the data they collect but also the data they receive from other financial institutions.
The Council appreciates this opportunity to comment on the Proposed Rule. As a general matter, the Council believes that the Proposed Rule reflects the purpose and intent of the GLBA data security and integrity requirements and supports its promulgation as a final rule. These comments are focused exclusively on two issues. The first issue is whether compliance with alternative data security standards (such as those issued under GLBA by the States or the Securities and Exchange Commission (SEC), or those issued under other laws such as the Health Insurance Portability and Accountability Act (HIPAA)) should constitute compliance with the Proposed Rule. The Commission specifically requested input on this issue.[3] The second issue concerns the contracting requirement for service providers’ implementation of data safeguards. These issues and the Council’s comments are addressed below.
1. Compliance with Alternative Standards
The Council strongly encourages the Commission to issue a clear statement that compliance with alternative standards constitutes compliance with the Proposed Rule. The importance of a statement to this effect is twofold. First, it will promote consistency among financial institutions that are affiliates or business partners of each other, but that are subject to different functional regulators under the GLBA. Similarly, it will facilitate transactions between FTC-regulated institutions and non-FTC-regulated institutions, because it will provide a basis on which the FTC-regulated financial institution may rely in terms of its evaluation of its affiliate or business partner’s data safeguards. This is particularly important in light of the fact that the Proposed Rule covers not only the collection of information from an FTC-regulated financial institution’s own customers but that institution’s receipt of information from other non-FTC-regulated financial institutions.[4]
Second, a clear statement to this effect will reduce the risk of dual regulatory oversight in that compliance by an FTC-regulated institution – e.g., state investment advisors – with another agency’s rule – e.g., the SEC Rule – would constitute compliance with the Proposed Rule. Similarly, compliance with the detailed standards for protecting medical information under HIPAA should be deemed to satisfy the Proposed Rule. The benefits of having a clear statement to this effect outweigh any risk to the safety or security of a customer’s information, because every financial institution still will be required to implement and maintain administrative, technical and physical safeguards to protect customer information and still will be subject to the enforcement jurisdiction of the appropriate functional regulator.
In terms of how compliance with these other laws and rules relating to information security should be addressed, the Council recommends that the Commission add a subsection to proposed § 314.3, Standards for Safeguarding Customer Information, stating that compliance with the data safeguards set forth by, inter alia, any of the other GLBA functional regulators or the Department of Health and Human Services under HIPAA shall be deemed to constitute compliance with the Proposed Rule.
2. Service Provider Contracting Requirement
The second issue on which the Council believes comments are warranted is the service provider contracting requirement. Under the Proposed Rule, financial institutions must select service providers carefully and require them by contract to implement and maintain appropriate data safeguards.[5] There is, however, no active monitoring requirement. The Council strongly supports the Commission’s approach. The contracting requirement is reasonable and practical from a compliance standpoint and can be easily implemented by institutions of all sizes. As a result, the contracting requirement will achieve its intended purpose – to ensure that data remains protected when it is shared with another entity to carry out processing, servicing and similar functions. Any additional monitoring requirement, in contrast, would be unworkable, especially for smaller institutions. The Council thus strongly encourages the Commission to adopt its current approach in the final rule.
If the Commission has any questions regarding these comments, I can be reached via email at