October 9, 2001
Via E-mail Only at GLB501Rule@ftc.gov
Re: Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314 - Comment
Dear Mr. Secretary:
This comment letter is filed on behalf of Household Finance Corporation ("Household") in response to the proposed rule (the "Notice") published by the Federal Trade Commission (the "Commission") requesting comment on standards for safeguarding customer information.
Household is a subsidiary of Household International, Inc., and is part of a family of financial institutions whose major products include real estate secured and unsecured consumer loans, automobile loans and credit cards. The primary customers of Household Companies are middle-market Americans, a core consumer base that it has been serving for over 120 years.
Household commends the Commission for building flexibility into its proposed safeguards rule, and respectfully requests the Commission to exercise additional flexibility in the following two areas.
1. The Commission proposes to include information handled or maintained by or on behalf of affiliated companies in the definition of "customer information." In this way, a financial institution would be required to ensure that affiliated companies maintain appropriate safeguards for customer information. All of Household's affiliated companies that have access to records on customer information are financial institutions, and covered by another agency's rules on safeguards for customer information. Consequently, Household is working with its affiliated companies to ensure compliance with such safeguarding rules. These affiliated companies are required to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards to ensure the security and confidentiality of customer information. The board of directors of the financial institution must approve the program, and management must report annually to the board on the status of the program, including compliance with guidelines. Such affiliated companies are required to perform due diligence in selecting service providers, to monitor those service providers, and to require by contract that those service providers "implement appropriate measures designed to meet the objectives of [the] guidelines." In fact, Household has begun developing its own program for safeguarding information that mirrors the programs of its affiliated companies. Any additional regulation of these affiliates would be duplicative and unnecessary.
Household recognizes that some companies covered by the Commission's rule may have affiliated companies that are not covered by another agency's regulations on safeguarding of customer information. In such a case, the Commission may have an interest in extending its safeguarding rule to cover such affiliates. However, where the affiliated company is a financial institution or covered by another agency's safeguarding rules, additional regulations would only increase the burdens on a financial institution with very little additional protection for customers. Consequently, Household urges the Commission to provide an exemption for affiliated companies that are financial institutions or subject to another agency's safeguard rules.
2. With respect to Section 314.4(d), Household requests that the Commission qualify the standard for overseeing service providers by requiring the financial institution to "exercise due diligence" in selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information at issue. The "due diligence" standard is required by the interagency guidelines on the safeguarding of customer information, and acknowledges that different levels of review are appropriate for different types of companies. Household also urges the Commission to exclude service providers who are financial institutions covered by other safeguard requirements or who are service providers subject to the general exemptions in Sections 313.14 and 313.15 of the privacy regulations. This approach avoids duplicative regulatory requirements, and is consistent with the intent of the privacy regulations.
Household greatly appreciates the opportunity to provide comments. If you have any questions, or if we may otherwise be of assistance in connection with this issue, please do not hesitate to call me at 847/564-6071.
Donna L. Radzik