FTC Seeks Comments on Safeguards Rule

September 6, 2016

The Federal Trade Commission (FTC) is accepting public comments on whether to update its 2003 Standards for Safeguarding Customer Information (Safeguards Rule) as part of the review of all FTC rules. 

The rule, which was created by the Gramm-Leach-Bliley Act, requires financial companies (including title insurance and settlement service companies) to protect customer information.

The current Safeguards Rule says:

You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section. 16 CFR 314.3

This rule is the basis for most of the information security protocols in the ALTA Best Practices.

The notice requests comment on a variety of general issues, including the costs and benefits of the Safeguards Rule, what modifications, if any, should be made to the rule, and if the rule conflicts with other laws. In addition to general issues for comment, the FTC has published a list of five specific issues on which they request comment:

  1. Should the elements of an information security program include a response plan in the event of a breach that affects the security, integrity, or confidentiality of customer information? Why or why not? If so, what should such a plan contain?
  2. Should the Rule be modified to include more specific and prescriptive requirements for information security plans? Why or why not? If so, what requirements should be included and what sources should they be drawn from?
  3. Should the Rule be modified to reference or incorporate any other information security standards or frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standards? If so, which standards should be incorporated or referenced and how should they be referenced or incorporated by the Rule?
  4. For the purpose of clarity, should the Rule be modified to include its own definitions of terms, such as “financial institution”, rather than incorporating the definitions found in the Privacy Rule?
  5. The current Safeguards Rule incorporates the Privacy Rule’s definition of “financial institutions” as entities that are significantly engaged in financial activities, including activities found to be closely related to banking by regulation or order in effect at the time of enactment of the GLB Act. Should the Safeguards Rule’s definition of “financial institution” be modified to also include entities that are significantly engaged in activities that the Federal Reserve Board has found to be incidental to financial activities? Should it also include activities that have been found to be closely related to banking or incidental to financial activities by regulation or order in effect after the enactment of the GLB Act? If so, should all such activities be included in the modified definition? What evidence supports such a modification?

Comments may be filed online by following the instructions on the web-based form; the FTC also provides instructions for submitting comments on paper. Comments are due on or before Nov. 7, 2016.

Questions may be emailed to Steve Gottheim, ALTA’s senior counsel.

Contact ALTA at 202-296-3671 or communications@alta.org.