Texas Guaranteed Student Loan
October 9, 2001
sent via email: GLB501Rule@ftc.gov
RE: Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314--Comment
Dear Mr. Secretary:
On behalf of the Texas Guaranteed Student Loan Corporation ("TG") I am pleased to provide comments regarding the Federal Trade Commission's (the "Commission") Notice of Proposed Rulemaking and Request for Comment, published on August 7, 2001, at 66 Fed. Reg. 41162 (2001), pursuant to Title V of the Gramm-Leach-Bliley Act (the "GLB Act" or "Act").
TG supports the Commission's endeavor to establish rules that seek to protect the privacy of, among others, those students receiving financial aid assistance. We also appreciate the opportunity to comment on the proposed Privacy Rule.
We offer the following comments where additional clarification of wording, intent, or further consideration of related issues, will strengthen the rule.
TG supports the establishment of safeguards designed to ensure the security and confidentiality of customer records and information. TG commends the Commission for drafting a Safeguards Rule that contains as much flexibility as possible, in order to accommodate the vast array of financial institutions subject to the Commission's jurisdiction. TG restates its earlier comments that implementing a Safeguards Rule that allows each financial institution to utilize pre-existing safeguarding processes and procedures and compliance measurement tools that meet current regulatory and statutory requirements unique to it and its business partners in the industry will help to lessen the compliance burdens, both financial and administrative, that could otherwise result from a Safeguards Rule that mandates detailed minimum processes and sets forth comprehensive definitions and procedures.
1. Inclusion of Recipient Financial Institutions
§314.1: TG agrees that "customer" information needs to remain protected regardless of which entity presently houses the information. TG also restates its position that to apply the Safeguards Rule to "consumer" information will have the effect of expanding the statutory mandate of the GLB Act and should not be included in the rule.
2. Elements of the Information Security Program
a) §314.4(c): TG agrees that the proposed rule should not require that particular audit procedures or tests be used, as this approach is consistent with the flexibility given throughout the rule to each entity to determine, within the mandates of the Act and rule, how it can best protect "customer" information.
b) §314.4(d): TG requests clarification of the definition of service provider. TG, as a guarantor of student loans under the FFELP, may transmit, receive or otherwise handle borrower information with several entities, sometimes simultaneously; however, TG does not do so "on behalf of" each of these entities (and vice versa). It is clear that the definition applies should an entity hire a company to perform services that the entity can perform for itself; however, it is less clear whether the sharing of information (for example, such as a change in a borrower's name, address, balance, status, etc.) among interested parties, such as the applicable school, lender, collection agencies, guarantors, servicer, etc. is performed "on behalf of" those parties in interest.
c) §314.4(d): The Commission requests whether, for service providers that are themselves financial institutions or are subject to other safeguards standards, the rule should offer an exception to the contract requirement. TG requests the Commission to include such an exception, as it is consistent with the contract exceptions of the Act and Privacy Rule. All "customer" information transmitted and received by and between TG and the interested parties (lender, school, guarantor, servicer, collection agencies), in conjunction with a student loan is done so under the general exceptions of the Privacy Rule.
d) §314.4(d)(1): TG respectfully requests that the requirement that financial institutions oversee service providers, by "selecting and retaining service providers that are capable of " be revised, as the currently proposed language seems to impose an obligation on the part of the financial institution that may be impossible or impracticable to meet. If there is no previous business relationship between the parties, how will the financial institution be sure that the service provider actually "is capable" of maintaining appropriate safeguards? We suggest that the language be rephrased to require the financial institution to utilize only those service providers it reasonably believes to be capable of maintaining appropriate safeguards.
e) §314.4(d): Concerning the Commission's request for comments regarding the potential difficulty for service providers to comply simultaneously with the Commission's rule and the Banking Agencies Guidelines, TG suggests that for financial institutions directly subject to the Commission's rule, such as guarantors, that the rule provides that such financial institutions cannot be contractually required to adhere to specific methods, technologies, or procedures that may be contained in the Banking Agencies Guidelines or other agency rules or guidelines. Rather, TG requests that in the event that the rule does not provide an exception to the contract requirement, that any contract required under the Commission's rule address the issue of the obligation to protect customer information, but not the specific manner in which such protection is afforded. To do otherwise could result in the contractual elimination of the flexibility afforded by the rule. Further, TG respectfully suggests the following language as sample "safe harbor" language for any such contract requirement: "The parties represent and agree that they will utilize the information exchanged hereunder, and implement appropriate physical, electronic, and procedural safeguards designed to maintain the security of all such information, in compliance with applicable provisions of the Gramm-Leach-Bliley Act (15 USC 6801 et seq.) and the applicable rules and regulations issued pursuant thereto."
3. Transition Period for Existing Contracts
§314.5: TG requests that in the event that the rule does not provide for an exception to the contract requirement, that it does provide for a transition period for the continuation of existing contracts. If there is no such transition period, those financial institutions subject to the rule that are required either by law or internal policy to competitively bid certain contracts, could be required to utilize their limited resources to rebid contracts, when we believe the intent of the rule would be better served by utilizing such resources to comply with the creation of an information security program.
Thank you for the opportunity to comment on the formulation of the proposed privacy Safeguards Rule.
Karen A. Hendershot