FTC Proposes Amendments to Safeguards and Privacy Rules under the GLBA

On March 5, 2019, the FTC announced separate notices of proposed rulemaking and requests for comment on proposed amendments to its Safeguards and Privacy Rules under the GLBA.

The Safeguards Rule, which took effect in 2003, requires financial institutions subject to the FTC’s jurisdiction to develop, implement, and maintain a comprehensive information security program.  The proposed amendments to this rule follow from an earlier public comment period in 2016, and are based primarily on the cybersecurity regulations issued by the NY DFS and the insurance data security model law issued by the NAIC.  While the rule, as amended, would retain a flexible “process-based” approach allowing financial institutions to develop security plans based on their specific risks and needs, the proposed amendments would provide a more detailed “map” of what information must be addressed.  For example, under the proposed amendments, covered financial institutions must, among other things: (i) encrypt all customer data; (ii) implement access controls to prevent unauthorized users from accessing customer information; (iii) implement multifactor authentication to access customer data; and (iv) submit periodic compliance reports to their boards of directors.  Small businesses maintaining information concerning fewer than 5,000 customers would be exempt from certain of the rule’s requirements.

The Privacy Rule, which took effect in 2000, requires a financial institution subject to the FTC’s jurisdiction to inform customers about its information-sharing practices and allow customers to opt out of having their information shared with certain third parties.  The proposed amendments to this rule would conform the rule to the GLBA, as amended by the Dodd-Frank and the FAST Acts.  The Dodd-Frank Act transferred most of the FTC’s rulemaking authority under the Privacy Rule to the CFPB, leaving the FTC with rulemaking authority only over certain motor vehicle dealers, while the FAST Act amended the GLBA’s annual privacy notice requirement.  To address these changes, the proposed amendments provide: (i) technical changes to the rule to correspond to the reduced scope of the FTC’s rulemaking authority, which primarily consist of removing references, including examples, that do not apply to motor vehicle dealers; and (ii) modifications to the annual privacy notice requirements to reflect changes made by the FAST Act, including an exception under which financial institutions that meet certain conditions are not required to provide annual privacy notices to customers.

The proposed amendments would also expand the definition of “financial institution” in both rules to include entities engaged in activities that are incidental to financial activities, such as “finders” who charge a fee to connect a consumer looking for a loan to a lender.  This change would bring the rules into accord with the CFPB’s Regulation P. 

The FTC has indicated that it will accept comments up to 60 days following the date the notices are published in the Federal Register.