The Federal Trade Commission announced on August 29 that it is seeking public comment on its Standards for Safeguarding Customer Information, commonly known as the Safeguards Rule, as part of the FTC’s periodic retrospective review of the rules.  The Safeguards Rule, effective May 23, 2003, was issued under the Gramm-Leach-Bliley Act and places certain requirements on financial institutions to safeguard their customer information.  Financial institutions are those entities significantly engaged in activities that the Federal Reserve Board has determined to be financial in nature, such as lending or investing money, providing financial advice, and brokering, underwriting, or servicing loans.  Financial activities do not include activities that the FRB determined to be incidental activities or activities that were determined to be financial in nature after enactment of the GLBA – two issues the FTC has suggested require reconsideration in requesting comments on whether the scope should be expanded.

The Safeguards Rule requires that a financial institution develop, implement, and maintain a comprehensive written information security program consisting of administrative, technical, and physical safeguards that the financial institution uses in all stages of the customer information lifecycle.  In developing a written information security program, financial institutions must inventory customer information in their possession and identify any reasonably foreseeable internal and external risks which could compromise the security, confidentiality, or integrity of the information.  Once the risks have been identified, a financial institution should then design and implement safeguards appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the customer information at issue.  Financial institutions are required to test and monitor the effectiveness of implemented safeguards and make adjustments as necessary to continuously combat developing threats.

The FTC has asked for comment, and corresponding evidence, on several general and specific issues posed by the Safeguards Rule as provided in the Federal Register Notice.  There are two particularly interesting issues raised by the FTC.  First is continued consideration of the impact the Safeguards Rule has on small businesses.  Comments to the original Safeguards Rule suggested that it would create burdens, including financial, on small businesses that potentially lack the expertise needed to develop, implement, and maintain required safeguards – expertise that larger entities arguably have.  The FTC addressed these comments in 2003 by taking a flexible approach with the final Safeguards Rule, allowing businesses to implement safeguards appropriate to the size and complexity of the business.  It is clear from the questions posed in this periodic review that the FTC remains interested in how small businesses are coping with the requirements, from both financial and compliance perspectives.

The second issue is whether the Safeguards Rule should be modified to include more detailed requirements for information security programs.  Specifically, the FTC asked about whether the rule should require information security programs to include a response plan in the event of a breach to the security, integrity, or confidentiality of customer information, and whether the rule should rely on other information security standards or frameworks, such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standards.  The questions raised by the FTC account for the overall impact such prescriptive changes could have on the costs imposed on and benefits to consumers and businesses, including small businesses.  It is a logical question to then ask, if the rule is modified to contain more detailed requirements, whether the FTC might consider including a safe harbor under the rule to balance out any increase in cost to comply – a question that remains unanswered for now.

The FTC will be accepting public comment until November 7.

Troutman Sanders’ cybersecurity, information governance, and privacy team monitors developments in various information security standards, and advises clients on compliance with such standards and how to address new and emerging threats.