FTC Financial Information Safeguards Rule Takes Effect

The Federal Trade Commission's Safeguards Rule, which implements the security provisions of the Gramm-Leach-Bliley Act, becomes effective today. As of today, financial institutions subject to the Rule must have in place a comprehensive security program to ensure the security and confidentiality of customer information.

The Safeguards Rule was published in the Federal Register one year ago [67 Fed Reg 36484 (May 23, 2002)] and can be found on the Federal Trade Commission Web site at http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html. Financial institutions covered by the newly-effective Rule include companies that engage in a wide variety of "financial activities," such as brokering or servicing consumer loans; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts; and an array of other activities that are deemed "financial" by pre-existing regulations. A list of the financial activities that trigger the Rule can be found on the FTC's Web site. The Safeguards Rule applies both to financial institutions that collect information from their customers and to financial institutions - such as credit reporting agencies, ATM operators, and check cashing services - that receive customer information from other financial institutions.

To implement its information security program, each financial institution must:

• Designate an employee or employees to coordinate the program;
• Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assess the sufficiency of any safeguards in place to control the risks;
• Design and implement safeguards to address the risks and monitor the effectiveness of these safeguards;
• Select and retain service providers that are capable of maintaining appropriate safeguards for the information and require them, by contract, to implement and maintain such safeguards; and
• Adjust the information security program in light of developments that may materially affect the program.

Although each information security program must include these basic elements, the Rule allows companies to select specific safeguards that are appropriate to their size and complexity, the nature and scope of their activities, and the sensitivity of the customer information they maintain.

To assist companies in complying with the Rule, the FTC's staff will offer a brief training program concerning the Rule's requirements. The training program will be offered on two alternative dates: June 9, from 10-11 a.m., and June 23, from 2-3 p.m. Both sessions will be held in Washington, DC, at 601 NJ Avenue NW, in the FTC Conference Center, Room A on the first floor. The sessions are open to the public, and there is no advance registration. Interested parties who cannot attend are encouraged to participate by telephone; instructions on how to dial in will be posted on the FTC's Web site at www.ftc.gov one day in advance of each presentation.

Although the Rule takes effect today, it allows financial institutions additional time to bring certain service provider contracts into compliance with the Rule: specifically, for any service provider contract entered into prior to June 24, 2002, the Rule allows financial institutions until May 24, 2004, to add appropriate contract provisions concerning safeguards.

Copies of the Federal Register Notice will be available from the FTC's web site at http://www.ftc.gov and also from the FTC's Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.