FTC Seeks To Update Its Safeguards And Privacy Rules

On March 5, 2019, the Federal Trade Commission (FTC) published notices of proposed rulemaking to amend the existing standards for the safeguarding of consumer information, 16 C.F.R. Part 314 (the Safeguards Rule), and the privacy of consumer financial information, 16 C.F.R. Part 313 (the Privacy Rule), applicable under Title V of the Gramm-Leach-Bliley Act (GLBA) to financial institutions within the FTC's jurisdiction, which would include entities that are "engaged in activities that are incidental to financial activities," such as non-bank financial institutions that are not otherwise subject to the enforcement authority of another regulator. If adopted, the proposed rules will have a significant impact on the operations of covered financial institutions.

Specifically, the proposed amendments would significantly enhance the Safeguards Rule and make less extensive, but nonetheless notable, changes to the Privacy Rule. Both rules have remained largely unchanged since their adoption roughly two decades ago, while during those decades technological advancements have substantially altered the ways in which financial institutions obtain, use, transmit, and manage consumer information. In addition, shifts in consumer expectations regarding the privacy and security of their personal information, coupled with more aggressive rulemaking and enforcement activity by state regulatory authorities, have highlighted the need for robust information security and privacy controls and risk management processes. The FTC's proposed amendments would bring the agency's GLBA rules more into alignment with these recent developments. Interested parties may submit comments to the FTC in response to the proposals within 60 days of their publication in the Federal Register.

The Current Safeguards and Privacy Rules

In brief, the existing Safeguards Rule requires financial institutions to develop, implement, and maintain information security programs that consist of the administrative, technical, and physical safeguards that a financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. Financial institutions' information security programs are intended to be risk-based and reasonably designed in accordance with the size and complexity of the institution and the nature of its activities. The Safeguards Rule was designed to be flexible and non-prescriptive in order to allow financial institutions to adapt to technological changes and innovations in security practices within the requirements of the Safeguards Rule. According to the FTC, the proposed amendments to the Safeguards Rule do not seek to upend this approach, but do provide more detailed guidance for financial institutions regarding the essential components of a compliant information security program.

The Privacy Rule requires financial institutions to provide consumers with notice of their privacy practices and to limit their use and disclosure of "nonpublic personal information" (NPI) as prescribed by the Privacy Rule. When originally adopted, the Privacy Rule applied to a wide range of nonbank financial institutions under...
