The Federal Trade Commission has issued a final rule governing the safeguarding of customer records and information for the financial institutions subject to its jurisdiction. The Rule will be published in the Federal Register shortly. The Rule implements the safeguards provisions of the Gramm-Leach-Bliley Act (GLB Act), which require the Commission and certain other federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for customer information. The objectives of these standards are to: ensure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of such records; and protect against unauthorized access to, or use of, such records or information that could result in substantial harm or inconvenience to any customer. On September 7, 2000, the Commission issued a Federal Register notice seeking comment on the scope and potential requirements of a safeguards rule. Based on the comments received, as well as the safeguards standards already issued by other GLB agencies, the Commission issued a Notice of Proposed Rulemaking on August 7, 2001 seeking comment from businesses, consumer organizations, and others. During the 60-day comment period, the FTC received 44 comments from the public.
In drafting the Final Rule, the Commission sought to ensure that the Rule's requirements would accommodate the diverse range of financial institutions that are subject to its jurisdiction. Thus, the Final Rule requires each of these financial institutions to implement an information security program that is appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. The Commission also carefully weighed the comments, including concerns expressed about the ability of smaller and less-sophisticated financial institutions to meet the Rule's requirements. As stated in the Federal Register notice, the Commission believes that the Final Rule strikes an appropriate balance between allowing flexibility to financial institutions and establishing standards for safeguarding customer information that are consistent with the Act's goals.
The Rule will require financial institutions over which the FTC has jurisdiction to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards. As part of its program, each financial institution must:
- Designate an employee or employees to coordinate its information security program.
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of information and assess the sufficiency of any safeguards in place to control the risks.
- Assure that contractors or service providers are capable of maintaining appropriate safeguards for the customer information and requiring them, by contract, to implement and maintain such safeguards.
- Adjust the information security program in light of developments that may materially affect the entity's safeguards.
The Commission vote to publish the Rule was 5-0. It will become effective one year from publication in the Federal Register, with additional time before compliance is required for contracts with service providers.
Copies of the Federal Register notice and a business alert, "Safeguarding Customers Personal Information: A Requirement for Financial Institutions," are available from the FTC's Web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov The FTC enters Internet, telemarketing, identity theft and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.
- Media Contact:
- Claudia Bourne Farrell
Office of Public Affairs
- Staff Contact:
- Jessica Rich or Laura Berger
Bureau of Consumer Protection
202-326-2148 or 202-326-2471