The FTC issued a press release last week seeking comment on proposed changes to two rules under the Gramm-Leach-Bliley Act of 1999 (the “GLBA Act”) to increase data security for financial institutions and better protect consumers.
The Commission has sought comment on the Safeguards Rule and the Privacy Rule under the GLBA Act. The Safeguards Rule, which went into effect in 2003, requires financial institutions to develop and maintain a comprehensive data security program. The FTC’s proposed amendment to this Rule will require U.S. financial institutions to encrypt all customer data. It will also require financial institutions to use multifactor authentication to access customer data and implement controls to prevent unauthorized access to customer information. To encourage compliance, the amendment will require companies to submit periodic reports to their board of directors regarding the fulfillment of these directives.
Under the Privacy Rule, which went into effect in 2000, financial institutions are required to inform customers about their information-sharing practices and allow customers the right to opt out of the sharing of their information with third parties. The passage of the Dodd-Frank Act in 2010 transferred the majority of the FTC’s rulemaking authority for the Privacy Rule to the Consumer Financial Protection Bureau, leaving the FTC authority over certain motor vehicle dealers. The FTC’s proposed amendment to the Privacy Rule includes clarification about the application of the Rule’s privacy notice requirements to motor vehicle dealers.
The FTC has also sought to increase the scope of the definition of “financial institution” in both Rules to include so-called “finders” – entities that charge a fee to connect consumers who are looking for loans to lenders. The director of the FTC’s Bureau of Consumer Protection, Andrew Smith, commented that these proposals “are informed by the FTC’s almost 20 years of enforcement experience” and reflect the Commission’s desire to exercise rulemaking authority “to keep up with marketplace trends and respond to technological advancements.”
The FTC will soon publish notices seeking comment on these proposed changes in the Federal Register, with comments to be received for 60 days after publication.
Troutman Sanders will continue to monitor the FTC’s proposed amendments to the Gramm-Leach-Bliley Act and other issues related to data security for financial institutions.