On March 5, the Federal Trade Commission announced that it will soon publish notices in the Federal Register seeking comments on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The proposed changes seek to align the rules with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015.
Enacted in 2003, the Safeguards Rule requires a financial institution to develop, implement and maintain a comprehensive information security program. Enacted three years earlier in 2000, the Privacy Rule requires a financial institution to inform customers about its information-sharing practices and to afford opt-out rights to prevent information sharing with certain third parties. The FTC voted 3–2 to publish the proposed amendments to the Safeguards Rule, while the proposals relating to the Privacy Rule passed by a unanimous 5–0 vote.
The proposed changes to the Safeguards Rule seek to add more detailed requirements for the contents of a comprehensive information security program. For example, financial institutions would be required to encrypt all customer data, implement access controls to prevent unauthorized users from accessing customer information and use multifactor authentication for access to customer data.
The enactment of the Dodd-Frank Act narrowed the scope of the Privacy Rule, transferring the majority of the FTC’s rulemaking authority to the Consumer Financial Protection Bureau, leaving the FTC with rulemaking authority over certain motor vehicle dealers. The FTC has proposed to remove from the Privacy Rule examples of financial institutions that do not apply to motor vehicle dealers.
Copies of the notices and proposed changes may be viewed on the FTC’s website at www.ftc.gov. Comments must be received within sixty days after publication in the Federal Register and will be posted on Regulations.gov. We will monitor the comments and the course of the proposed regulatory amendments.