Federal Trade Commission
600 Pennsylvania Avenue, N.W.
Washington, D.C. 20580.
RE: FTC Rules on [Security] Standards For Safeguarding Customer Information Under Gramm-Leach-Bliley
VeriSign is the largest provider of managed security services on the Internet. As one of its three primary lines of business (along with domain name registry services and the related registration of Internet names, and on-line payment processing), this activity is part of providing commercial and government users around the world with the trust services--in the form of identity authentication and content security--they need to engage in e-commerce transactions with confidence.
As a service provider to many entities subject to the requirements of this regulation in the financial services industry, VeriSign welcomes the opportunity to submit this letter in response to the FTC's proposed "Standards for Safeguarding Customer Information," published in the Federal Register on August 7, 2001. (66 FR 41162). The architecture of the Gramm-Leach-Bliley Act ("GLB") (Public Law 106-102) and these rules rely on a fundamental principle that VeriSign finds inescapable: while it is possible to have security without privacy, it is not possible to offer on-line privacy without adequate security.
VeriSign supports the FTC's proposed rules as an example of a regulatory scheme consistent with three important principles: flexibility, technological neutrality, and reasonableness in light of the character of the information being held by the regulated entity.
Every regulated business subject to GLB's requirements is answerable ultimately not only to the regulators, but to its customers. The care and appropriateness of the treatment accorded customers' personally identifiable information (PII) will, in our view, become a key competitive differentiator in the future. So, at the outset, VeriSign believes an important metric of the proposed regulations is the degree to which they will satisfy customer demands for protection of their own PII, independent of any evaluation made by Congress, the FTC, the banking regulators, or us in the vendor community. This credibility threshold--very likely the subject of eventual media critique--must, in our view, be borne in mind throughout this exercise.
VeriSign agrees with the FTC's proposal that individual institutions with relationships with customers bear responsibility for compliance with security requirements. This responsibility carries several specific additional burdens:
The technology vendor community has become a close partner with financial institutions, and our services are extensively represented in the business practices of the industry. Indeed, the continuing and rapid growth of outsourcing and other reliance on technology services will likely increase as these institutions seek to control costs and increase efficiencies. While the security services provider community will inevitably evolve "smaller/faster/cheaper" solutions, the use of these services to achieve security objectives, including those directed by GLB, is ultimately the choice of the financial institution. Accordingly, responsibility for the selection of those third-party services that affect customer PII must be unambiguously understood to rest with the acquiring financial institution.
Finally, VeriSign must suggest that technology solutions DO exist now which are capable of providing the solutions contemplated by GLB and the regulations, while at the same time meeting the most extreme examples of individual customer demand for protection of PII. While we can expect compliance with these privacy objectives to accelerate the deployment of these technologies, we believe, in a somewhat chicken-and-egg construction, that a very great deal of individual customer desire for PII protection, and indeed the very need for this regulatory system, could have been obviated by the broader use of security technologies like PKI by financial institutions in the past.
In conclusion, VeriSign believes GLB and the proposed rules give regulated financial institutions and their suppliers appropriate flexibility to address rapidly evolving business models while providing appropriate protection for customers' PII. In our view, the FTC's proposed rule 16 CFR 314.4(d) provides a workable system for addressing institutions' use of security services to meet customer privacy requirements, and, in particular, appropriately allocates responsibility for an institution's use of privacy-related security services from the service providers to the financial institution.
5 October 2001