From: Norm Post
Sent: Friday, October 05, 2001 7:08 PM
Subject: "Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314---Comment."
My name is Norm Post. I work in the auto finance industry. I disagree with section D of your proposed rule, request for comments, specifically titled "Paperwork Reduction Act". Under the Code, asking and collecting information from 10 or more persons responding to an identical question triggers the Act. The question posed is "Who/what/where/when and how will you complete the requirements imposed by GLB records safekeeping?" Quoting from the question "Proposed section 314.3: Standards for ...", it goes on to say "...a financial institution must meet to comply with the rule, namely to 'develop, implement, and maintain a comprehensive written information security program that contains ....'".
By that language, I believe the written policy, et al., to be a "collection of information", certainly by more than 10 persons, to the same question (above), as an audit or inspection will certainly include a request to review said policies. The disclaimer given that the answers will be different does not change the question of the rule being asked or the requirement of us to compile and save the answers.
Under Section E of the same request for commentary, the Regulatory Flexibility Act, which requires agency review as to the economic impact, does not state or give what the threshold is, nor enumerate what numbers determine the size of "small institutions". How can one respond? Additionally, under paragraph 5 of Section E, Identification of Duplicative, etc. ..., you ask commentary from us about the subject. Shouldn't that question have been part of the research that went into drafting the legislation and/or posed to the other federal, state or local agencies themselves?
Lastly, as an opinion of mine, alone, I believe this legislation was simply "feel-good" mumbo jumbo. The amount of extra work we have to do now, to ensure compliance on a day to day basis, is enormous. The restrictions placed on each of us companies (affiliated or non-) from exchanging data with each other are horrific. My firm alone will probably have to hire 2-3 people to ensure compliance. Most of the data you are restricting and having us guard like so many "Crown Jewels" is readily given, daily, by the populace to whomever asks for it, or readily accessible through hundreds of shared, for-pay, databases.
You cracked down on the wrong people. Now the general public will pay for it in higher costs and slower service.