Comments of the
IN RE: Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314--Comment
October 9, 2001
We very much appreciate the opportunity to respond to your request for comments to the Proposed Rule captioned above.
The Software & Information Industry Association (SIIA) is the principal trade association of the software code and content industry with 1,000 members operating globally. Our members develop and market software and electronic content for business, education, consumers and the Internet. SIIA's membership is comprised of large and small software companies, e-businesses, and information companies, as well as many other large and small traditional and electronic commerce companies.
SIIA and its member companies have played a leadership role in promoting effective privacy protections for many years, and were one of the earliest industry leaders to recognize the importance of adopting effective privacy policies and privacy enhancing technological tools. As early as 1997, SIIA sent its issue brief to members, encouraging companies to adopt privacy policies that inform and respect consumer preferences. Since these early steps, SIIA has, through technical assistance and privacy seminars, worked with hundreds of companies to develop, write and implement effective, consumer-friendly privacy policies. In the U.S., we actively monitor developments at the Federal Trade Commission with regard to its Section 5 actions and in the legal frameworks of the Children's On-Line Privacy Protection Act (COPPA), Gramm-Leach-Bliley Act (G-L-B Act), and the Health Information Portability and Accountability Act (HIPAA). At the international level, SIIA is working to encourage company participation in the "safe harbor agreement" negotiated between the Department of Commerce and the European Union. SIIA continues to advise the Organization for Economic Cooperation and Development (OECD) on privacy enhancing technologies.
After carefully reviewing the Proposed Rule (published August 7, 2001), the prior Notice and Request for Comment (published September 7, 2000), and the comments received to the latter, SIIA commends the Federal Trade Commission (FTC) for incorporating many of the specific recommendations made during the prior comment period. In short, it is our view that the Proposed Rule achieves the objectives mandated in the G-L-B Act to: insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.
Consistent with all of the comments received, the Proposed Rule accomplishes these objectives with standards that appear to follow private sector developed guidelines. The standards found in the Proposed Rule are flexible and maintain technology and business model neutrality. Significantly, the proposed rule provides that each information security program required under the G-L-B Act should be "appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the customer information at issue."(1)
Drawing on private sector approaches in this area, the Proposed Rule requires that certain basic elements be included in each program. Thus, each financial institution must: (1) designate an employee or employees to coordinate its program; (2) assess risks in each area of its operations; (3) design and implement an information security program to control these risks; (4) require service providers (by contract) to implement appropriate safeguards for the customer information at issue; and (5) adapt its program in light of material changes to its business that may affect its safeguards.
Specific Comments Requested by the FTC
Section 314.1 (Purpose and Scope). In its discussion, the FTC requested additional comment on whether and how compliance with other laws and regulations should be addressed in the regulation. We note that there is no simple answer to this question. We point out that the FTC in any enforcement action should take such facts into account, and, wherever possible, the FTC should work with other agencies of relevant jurisdiction to seek consistent definitions and approaches. We note the FTC's conclusion that financial institutions must also comply with the Privacy Rule (adopted May 12, 2000) as of July 1, 2001, as well as section 5 of the FTC Act, which prohibits unfair or deceptive acts and practices. (See footnote 25.)
Section 314.2 (Definitions). We are pleased to see that the Commission "does not intend to duplicate existing requirements for affiliates that are financial institutions directly subject to safeguards standards." Rather, we understand that "the proposed requirement is designed to ensure that safeguards are not lost in the event that customer information is disclosed to an affiliate that is not a financial institution, or that is not required to safeguard information about another financial institution's customers." In our view, this requirement's benefit outweighs the burden and is consistent with private sector principles for the protection of personally identifiable information. We do not believe that any additional guidance is needed on what safeguards are appropriate for affiliates.
Section 314.3 (Standards for Safeguarding Customer Information). As noted in our General Comments, we are pleased to see the approach taken by the FTC achieves both the objectives of the G-L-B Act and is consistent with private sector approaches. We do not believe that the approach is overly burdensome; nonetheless, we will work with the FTC to address any issues that may arise in this regard.
Section 314.4 (Elements). As noted in our General Comments, we are pleased to see the approach taken by the FTC achieves both the objectives of the G-L-B Act and is consistent with private sector approaches. With regard to proposed paragraphs (a), (b) and (c), it is our view that the benefits are appropriate relative to the burdens imposed and that no further guidance is necessary. With regard to proposed paragraph (d), it is our view that contracts between financial institutions and their service providers should be the primary means of implementing the Proposed Rule's obligations. It is not clear to us that additional guidance is necessary in this area. The FTC should be cognizant that the transactional process of reaching agreement on a contract is a case-by-case experience, reflecting various degrees of "service" and obligations that both parties must ultimately agree to. With regard to paragraph (e), the requirement to evaluate and adjust an information security program in light of any material changes to a financial institution's business is reasonable.
Section 314.5 (Effective Date). A one-year implementation date, from the time of issuing a Final Rule, is reasonable. We appreciate the FTC's recognition that some existing contracts with service providers may need to be grandfathered into the Final Rule. The suggestion in the relevant portion of the "Section-by-Section" analysis of the Proposed Rule for a provision paralleling section 313.18(c) is an appropriate step.
SIIA commends the FTC for incorporating into the Proposed Rule so many of the comments made last year. We look forward to working with the FTC as it continues to work in this area.
1. We note that this approach is also consistent with the findings found in the Final Report that was issued by the Federal Trade Commission Advisory Committee on Online Access and Security on May 15, 2000 that security is "contextual" and that a security program should have a "continuous life cycle designed to meet the needs of the particular organization or industry." (p. 18)