Collier Shannon Scott
October 9, 2001
Via Electronic Mail

Re: GLBA Standards for Safeguarding Customer Information, Proposed 16 C.F.R. Part 314 – Comment

Dear Secretary:

On behalf of the Independent Insurance Agents of America (IIAA), the National Association of Insurance and Financial Advisors (NAIFA) (formerly NALU), and the National Association of Professional Insurance Agents, Inc. (PIA) (collectively "Insurance Agents"), we submit these comments to assist the Commission in its consideration of the rules that it has proposed under the Gramm-Leach-Bliley Act (GLBA) 1 to establish standards for financial institutions relating to administrative, technical and physical information safeguards (Proposed Rule). 2

The Insurance Agents are non-profit trade associations that represent almost one million insurance agents and their employees throughout the United States. Their members are independent agents who work at all levels of the insurance market and sell a full range of insurance products, including annuities.

Although the Insurance Agents are regulated by the States under the GLBA and are not subject directly to the Proposed Rule, many of the financial institutions with which they do business on a regular basis, such as consumer reporting agencies, are subject to FTC jurisdiction. The Insurance Agents thus are affected indirectly by the Proposed Rule because, under its terms, these institutions must ensure the safety and security not only of the data they collect but also of the data they receive from other financial institutions.

As a general matter, the Insurance Agents believe that the Proposed Rule reflects the purpose and intent of the GLBA data security and integrity requirements and support its promulgation as a final rule. These comments are focused exclusively on two issues.
The first issue is whether compliance with alternative data security standards (such as those issued under GLBA by the States or the Securities and Exchange Commission (SEC), or those issued under other laws such as the Health Insurance Portability and Accountability Act (HIPAA)) should constitute compliance with the Proposed Rule. The Commission specifically requested input on this issue. 3 The second issue concerns the contracting requirement for service providers' implementation of data safeguards. These issues and the Insurance Agents' comments are addressed below.

1. Compliance with Alternative Standards

The Insurance Agents strongly encourage the Commission to issue a clear statement that compliance with alternative standards constitutes compliance with the Proposed Rule. The importance of a statement to this effect is twofold.

First, it will promote consistency among financial institutions that are affiliates or business partners of each other, but that are subject to different functional regulators under the GLBA. Similarly, it will facilitate transactions between FTC-regulated institutions and non-FTC-regulated institutions, because it will provide a basis on which the FTC-regulated financial institution may rely in evaluating its affiliate's or business partner's data safeguards. This is particularly important in light of the fact that the Proposed Rule covers not only the collection of information from an FTC-regulated financial institution's own customers but also that institution's receipt of information from other non-FTC-regulated financial institutions. 4

Second, a clear statement to this effect will reduce the risk of dual regulatory oversight, in that compliance by an FTC-regulated institution (e.g., state investment advisors) with another agency's rule (e.g., the SEC Rule) would constitute compliance with the Proposed Rule.
Similarly, compliance with the detailed standards for protecting medical information under HIPAA should be deemed to satisfy the Proposed Rule. The benefits of having a clear statement to this effect outweigh any risk to the safety or security of a customer's information, because every financial institution still will be required to implement and maintain administrative, technical and physical safeguards to protect customer information and still will be subject to the enforcement jurisdiction of the appropriate functional regulator.

In terms of how compliance with these other laws and rules relating to information security should be addressed, the Insurance Agents recommend that the Commission add a subsection to proposed § 314.3, Standards for Safeguarding Customer Information, stating that compliance with the data safeguards set forth by, inter alia, another GLBA functional regulator or the Department of Health and Human Services under HIPAA shall be deemed to constitute compliance with the Proposed Rule.

2. Service Provider Contracting Requirement

The second issue on which the Insurance Agents believe comments are warranted is the service provider contracting requirement. Under the Proposed Rule, financial institutions must select service providers carefully and require them by contract to implement and maintain appropriate data safeguards. 5 There is, however, no active monitoring requirement. The Insurance Agents strongly support the Commission's approach. The contracting requirement is reasonable and practical from a compliance standpoint and can easily be implemented by institutions of all sizes. As a result, the contracting requirement will achieve its intended purpose: to ensure that data remains protected when it is shared with another entity to carry out processing, servicing and similar functions. Any additional monitoring requirement, in contrast, would be unworkable, especially for smaller institutions.
The Insurance Agents thus strongly encourage the Commission to adopt its current approach in the final rule.

The Insurance Agents appreciate this opportunity to comment on the Proposed Rule. If the Commission has any questions, please contact Scott Sinder or Christy Hallam DeSanctis at Collier Shannon Scott, PLLC.

Sincerely,

Scott A. Sinder
Counsel to the Insurance Agents