The Federal Trade Commission (“FTC”) issued notices on March 5, 2019 seeking public comment on proposed amendments to the regulations implementing the Gramm-Leach-Bliley Act (“GLBA”), commonly known as the Safeguards Rule and the Privacy Rule. Once the notices are published in the Federal Register, comments must be received within 60 days. The proposed changes to the Safeguards Rule add a number of more detailed security requirements, whereas the proposed changes to the Privacy Rule are largely technical, aligning the Rule with changes in law over the past decade.
The Safeguards Rule requires financial institutions (“FIs”) to protect customer information by maintaining a comprehensive written information security program (“WISP”) that details the administrative, technical, and physical safeguards the FI uses to collect, process, protect, store, transmit, dispose of, or otherwise handle customer information. The Safeguards Rule, which originally went into effect in 2003, is process-oriented: it sets out the general, high-level elements of a security program but does not prescribe specific security controls.
The Director of the FTC’s Bureau of Consumer Protection, Andrew Smith, stated that the “proposed changes are informed by the FTC’s almost 20 years of enforcement experience” and are designed to “keep up with marketplace trends and respond to technological developments.” The proposed amendments follow the FTC’s receipt of public comments in 2016 regarding the Safeguards Rule as part of the FTC’s regular review cycle.
Influenced by more detailed state-level financial industry regulations, such as the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation and the National Association of Insurance Commissioners (“NAIC”) Insurance Data Security Model Law, both finalized in 2017, the FTC proposes to retain a process-oriented approach but to modify the Safeguards Rule with additional mandates, such as requiring:
With the proposed Rule, the FTC seeks to avoid being overly prescriptive about security requirements while adding elements that already appear in other regulatory regimes and that it believes most FIs with reasonable data security practices should already be following. While recognizing that several cybersecurity frameworks with requirements similar to those in the proposed Rule already exist, the FTC declined to propose a safe harbor for FIs that comply with an existing framework, such as the NIST Cybersecurity Framework, and is instead seeking comment on the viability of such a safe harbor.
Although the FTC proposes to exempt small businesses from some of the requirements, two of the five Commissioners disagreed with the proposed Rule’s more prescriptive approach. In their dissenting statement, the Commissioners note that the proposal “trades flexibility for a more prescriptive approach, potentially handicapping smaller players or newer entrants.”
In a separate notice, the FTC is seeking public comment on proposed changes to the Privacy Rule. When the GLBA was enacted in 1999, the FTC was one of several federal regulators with rulemaking authority, and the FTC’s Privacy Rule applied to a broad range of non-bank financial institutions, such as payday lenders, mortgage brokers, check cashers, and debt collectors. The Dodd-Frank Act, enacted in 2010, transferred rulemaking authority under the GLBA’s privacy provisions to the CFPB for most non-bank financial institutions. The FTC retained authority over certain motor vehicle dealers only.
Pursuant to its rulemaking authority, the CFPB issued its own version of the Privacy Rule, Regulation P, which it amended in 2018 to implement provisions of the Fixing America’s Surface Transportation Act (“FAST Act”) that simplified the delivery of annual GLBA privacy notices. Under the amended Regulation P, FIs that meet certain conditions are exempt from the GLBA requirement to deliver an annual privacy notice.
The FTC’s proposed changes to the Privacy Rule consist of (1) technical changes reflecting the reduced scope of the Rule after the Dodd-Frank Act, which primarily involve removing references that do not apply to motor vehicle dealers; (2) modifications to the annual privacy notice requirements to reflect the changes the FAST Act made to the GLBA; and (3) a modification to the scope and definition of “financial institution” to include entities engaged in activities that are incidental to financial activities. In particular, the proposed Rule would expand the definition of “financial institution” to include “finders,” meaning those who charge a fee to connect consumers looking for a loan with a lender, which would bring the Rule into accord with the CFPB’s Regulation P.
Authored by Timothy Tobin, Paul Otto and Roshni Patel