Sheila Musgrove
118 20th Ave. E.
Seattle, WA 98112

October 8, 2001

Secretary
Federal Trade Commission
Room 159
600 Pennsylvania Avenue, NW
Washington, DC 20580

Re: Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314 Comment

Dear Mr. Plummer:

I would like to comment on the proposed standards for safeguarding customer information.

The recent attacks on the United States in New York, Washington, D.C., and Pennsylvania were apparently accomplished partly by using the identities of U.S. citizens to establish operatives in local communities until they would be needed. Investigations subsequent to the events of September 11 by a number of authorities have revealed a separate plan to license operatives as commercial drivers who would be able to drive Class A tractor-trailers on the nation's highways. Several of the commercial licenses were endorsed for hazardous materials, which could include chemical and biological cargos. The licenses were apparently obtained fraudulently; that is, by using the identities of others. After the financial markets opened on the Monday following the attacks, it was announced that certain parties seem to have traded in stocks of companies, notably American Airlines and United Airlines, which would be adversely affected in the aftermath. The object, of course, was to profit, with the presumed end of financing yet more attacks.

I include the above synopsis of recent events to place the proposed rule for privacy safeguards by financial institutions in a larger context. Such safeguards may now be considered as a matter not only of personal privacy by consumers or customers of financial institutions, but as a matter affecting national security, or homeland security, as it is now styled. The protection of all nonpublic personal information within and without the financial arena will be more desirable than ever to prevent unauthorized persons from gaining access to identities, accounts, access codes, fund transfer histories, personal histories, buying habits, transmission paths, and any number of other useful data.

Following are suggestions regarding information security programs:

1) Best Practices. The financial institutions that will be affected by this rule are small entities with assets of $100 million or less. They may not have the resources to perform in-depth studies of their operations or to commission outside consultants to do so for them. It is possible that they would overlook or misinterpret some operational element that could be important but that has never been of concern in the past. In order to prevent or minimize such occurrences, I suggest that the FTC formulate a "best practices" protocol that could be used by an entity of any size, regardless of its business type, to evaluate its program and bring it into compliance.
 
Best practices would be established as guidelines and could include a general checklist of items to be surveyed initially, such as security of stored data, including electronic and physical access to data; security of access to the physical plant; backup systems; emergency response protocols; disposal of sensitive waste material; employee matters, including background checks and training; encryption of data; electronic safeguards, such as firewalls and patches; etc.
 
After the survey is conducted, the best practices guidelines would provide avenues for follow-up, which could be utilized by a business that discovered a deficiency. The FTC could establish a list of resources, including itself, to be contacted by entities needing information to remedy such a situation.
 
In order to encourage financial institutions to use the best practices guidelines, the FTC could establish consequences for entities that do not comply. Considering the great variety in affected entities, not all elements in the guidelines might apply, or apply equally, to each institution; however, those that did apply would have to be complied with in an appropriate manner.
 
2) Records Retention. Disposal of information is as important as acquisition, storage, transmission and use of information. Unless an entity proposes to keep all of its records indefinitely, it must, at some time, dispose of them. In order to ensure the security of information after its business usefulness has passed, I suggest that each financial institution be required to have a written records retention schedule, which would detail the particulars of how and when it would dispose of records. The schedule could be revisited periodically as the entity rotated through its "continuous life cycle."
 
3) Oversight. I would expect that the FTC would put in place some mechanism for reviewing or auditing the security practices of each financial institution. Such audits could be pre-scheduled or be conducted randomly without notice. Institutions would be expected to supply such items as their written security policy, transaction logs, records retention schedule, employee training records, etc. to the auditor or examiner. In addition, at least one inspection of the physical premises per "continuous life cycle" could be performed.

Finally, I would like to express some reservation about controlling the actions of affiliates that are designated as service providers. Beyond "selecting and retaining service providers that are capable of maintaining appropriate safeguards for the customer information," the financial institution would require its service providers "by contract to implement and maintain such safeguards." The parties to the contract would both be private entities: the financial institution and its service provider. In the event of breach of contract, which in this case would be breach of the security requirements, the remedies available under contract law would be the only sanctions. This seems inadequate and misplaced. I would suggest that affiliates that are service providers be directly answerable to the FTC, not just to the financial institution with which they are contracted.

Thank you for providing this opportunity to comment,

Sincerely,

Sheila Musgrove