|October 9, 2001
Re: FTC's Standards For Safeguarding Customer Information
Dear Sir or Madam:
The Ohio Credit Union League appreciates the opportunity to file comments regarding the Federal Trade Commission's ("FTC") proposed rule on safeguarding information. The Ohio Credit Union League ("OCUL") is the trade association for credit unions in the State of Ohio representing approximately 500 credit unions, both federal and state chartered. More importantly, approximately 120 of these credit unions are state chartered and privately insured.
Credit unions are non-profit member-owned financial cooperatives governed by unpaid volunteer boards of directors that predominantly engage in and provide various financial services to their members, particularly in making available loans and credit. As members and owners, credit union members can participate in the credit union as both users and customers as well as in the governance of the credit union through the election of the directors of the credit union under the democratic process of one member - one vote.
The proposed FTC rule would apply to financial institutions that are subject to its jurisdiction (i.e., non-federally insured credit unions) and credit union service organizations ("CUSOs"), which are credit union-owned subsidiaries or affiliates.
The proposed rule follows the general approach of the Banking Agency Guidelines, and contains flexible requirements wherever feasible. To ensure flexibility, the proposed rule provides that each information security program should be appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the customer information at issue. At the same time, consistent with the Banking Agency Guidelines, the proposed rule requires that certain basic elements that the FTC believes are important to information security be included in each program. Thus, each financial institution must: 1) designate an employee or employees to coordinate its program; 2) assess risks in each area of its operations; 3) design and implement an information security program to control these risks; 4) require service providers (by contract) to implement appropriate safeguards for the customer information at issue; and 5) adapt its program in light of material changes to its business that may affect its safeguards. These elements create a general procedural framework, so that each financial institution can develop, implement, and maintain appropriate safeguards even as its circumstances change over time.
An information security program must be established and include administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the information. The objectives of the program are to ensure the safety and confidentiality of member records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a member.
Requirements regarding the information security program are:
In reviewing this proposed rule, OCUL is generally in support of the FTC's efforts to promulgate regulations that are consistent with the other respective federal agencies as required by the Gramm-Leach-Bliley Act ("G-L-B Act"); however, it offers the following comments, opinions recommendations as requested by the FTC.
The FTC has drafted its rules to be consistent with the Banking Agency Guidelines. However the rules do not specifically permit a financial institution to defer to the legislation and regulations adopted by the respective "Banking" agency.
In reviewing these proposed rules OCUL recommends that the FTC include in its proposal that compliance with the respective agencies safeguard regulations would apply to credit unions not regulated by the National Credit Union Administration ("NCUA") and would constitute compliance with the FTC regulations provided that these regulations are no less stringent than the FTC regulations. By doing so, credit unions, not covered by the relevant NCUA regulations, and the credit union subsidiaries, (i.e., credit union service organizations) would be able to take advantage of the additional provisions provided under its rules, particularly the detailed guidelines set forth in the appendix to the respective NCUA regulations.
The FTC recognizes that certain entities (e.g., banks) that meet the proposed rule's definition of "affiliate" simultaneously may be covered by another agency's safeguard standards. In response, the FTC notes that it does not intend to duplicate existing requirements for affiliates that are financial institutions directly subject to safeguard standards. Instead, the proposed requirement is designed to ensure that safeguards are not lost in the event that customer information is disclosed to an affiliate that is not a financial institution, or that is not required to safeguard information about another financial institution's customers. The FTC requests comment on 1) the benefits and burdens of this proposal, including any compliance burdens imposed on entities already covered by the safeguards standards of other Agencies; 2) whether any additional guidance is needed on what safeguards are appropriate for affiliates; and 3) other issues or concerns raised by this requirement. The FTC also requests comment on whether information shared with affiliates already is protected adequately by other provisions of the proposed rule.
In reviewing the issues of "affiliate" and the existing safeguard standards, it is OCUL's suggestion that the FTC should consider deferring to the safeguard standards of other relevant agencies in which the entities would fall when sharing information with affiliates. It is OCUL's opinion that where inconsistencies appear between regulations of the respective governmental agencies, determining the difference and resolution of each in order to meet compliance would be both difficult and burdensome. The intent of the drafting of the relevant privacy regulations by the financial institution regulators and other applicable agencies is to issue "similar" rules including the appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information.
The FTC sets forth the general standards that a financial institution must meet to comply with the rule, namely to "develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards" that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information at issue. This standard is highly flexible, consistent with the comments and the Banking Agency Guidelines. It is also consistent with the Advisory Committee's Report, which concluded that a business should develop "a program that has a continuous life cycle designed to meet the needs of a particular organization or industry" and that "different types of data warrant different levels of protection
The FTC requests comment on the benefits and burdens of this requirement and/or other issues or concerns that it raises; whether any burden is disproportionate for smaller entities; and how any burden can be lessened while still ensuring that each financial institution develops an effective program for which it is accountable.
OCUL is pleased that the FTC recognizes that different entities should take safeguards appropriate to their size and complexity. However, under the current proposal, these requirements could be burdensome to many of the smaller credit unions. Therefore, it is OCUL's recommendation that the FTC permit all credit unions to defer to the guidelines set forth by the NCUA which requires the security programs of the credit union to include administrative, technical and physical safeguards appropriate to the size and complexity of the credit union and the nature and scope of its activities.
Proposed section 314.5 requires each financial institution to implement an information security program not later than one-year from the date on which a final rule is issued. The FTC requests comment on whether one-year is an appropriate amount of time for covered entities to come into compliance with the rule. It also requests comment on whether the rule should contain a transition period to allow the continuation of existing contracts with service providers, even if they would not satisfy the rule's requirements. Such a provision could parallel section 313.18(c) of the Privacy Rule, which provides a two-year period for grandfathering existing contracts.
OCUL believes that setting an effective date of one-year from the date that there final rule is issued should be sufficient time for the credit unions to comply provided that the FTC include in its rule the provisions that "for purposes of these regulations, all credit unions charted under federal or state law will be deemed to be in compliance with the provisions of the regulations if they comply with the provisions of the NCUA's Regulations and Guidelines for Safeguarding Information as set forth in 12 CFR Part 748."
Finally, OCUL supports a transition period to allow the continuation of existing contracts with service providers similar to the Privacy Rules, which provides a two-year period for grandfathering existing contracts.
The above represents the comments of the Ohio Credit Union League and OCUL appreciates the opportunity to provide comments to the Federal Trade Commission regarding its proposed rule regarding information security programs in financial institutions subject to FTC jurisdiction. Moreover, OCUL would also be willing to provide additional comments, if requested.
If you have any questions, comments or if I can be of further assistance please do not hesitate to contact me at (800) 486-2917.
John F. Kozlowski, General Counsel
cc: Paul L. Mercer