FTC Privacy "Safeguards" Rule Effective May 23, 2003

May 16, 2003

The Federal Trade Commission (FTC) final rule on Safeguarding Customer information is effective on May 23, 2003. The "Safeguards" Rule requires each financial institution to develop a "written information security program that is appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue." This means that each real estate settlement service provider must prepare and retain in its files such a written information security program.

The rule implements section 501(b) of the Gramm-Leach-Bliley Act, which requires the FTC to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information. See 67 Fed. Reg. 36483 [pdf] (May 23, 2002). This "Safeguards" Rule, is effective on May 23, 2003. For purposes of the Safeguards Rule, the term "financial institution" is explicitly defined to include an entity that provides real estate settlement services. See 16 C.F.R. § 314.2(a)(incorporating 16 C.F.R. § 313(k)(2)(x)). The FTC website contains a definition of real estate settlement services. Click Here [pdf] or see http://www.ftc.gov/privacy/glbact/ress.htm.

The FTC website contains a publication providing guidance on how to comply with this requirement - Click Here [pdf] or see http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm.

The Safeguards Rule is primarily designed to protect customer information from unauthorized access and misuse, such as from identity theft or computer hacking. For that reason the Rule directs that the information security program specifically consider risks in each relevant area of operations, "including (1) Employee training and management; (2) Information systems, including network software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing, and responding to attacks, intrusions, or other systems failures."

Section 505(b) of the Gramm-Leach-Bliley Act provides that section 501 is to be enforced by state insurance regulators and the FTC, when appropriate. The FTC has asserted its authority to enforce the privacy requirements of the Gramm-Leach-Bliley Act with respect to providers of real estate settlement services. See, e.g., How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act. The FTC may bring enforcement actions to enforce the privacy rules in federal district court, where it may seek the full scope of injunctive and ancillary equitable relief. The FTC also has authority under section 5 of the FTC Act to examine privacy policies and practices for deception and unfairness.