The Federal Trade Commission (FTC) has announced that it is seeking comment on proposed changes to rules promulgated under the Gramm-Leach-Bliley Act (GLB). GLB requires companies that offer consumer financial products or services, like loans, to explain their information sharing practices to their customers and to safeguard sensitive data. The FTC’s request for comments specifically affects two rules under the GLB: the Safeguards Rule and the Privacy Rule. Comments are due June 3, 2019.
The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security program. To keep the rule up to date, the FTC is now proposing changes to add more detailed requirements for what should be included in the comprehensive information security program mandated by the Rule.
For example, the proposal generally would require financial institutions to encrypt all customer data, designate a Chief Information Security Officer, conduct detailed risk assessments, and implement specific safeguards such as access controls and multi-factor authentication. While many of these have been captured in existing guidance, the proposed changes would create many new formal requirements.
The Privacy Rule requires a financial institution to inform customers about its information sharing practices and allow customers to opt out of having their information shared with certain third parties. The proposed changes to the Privacy Rule are modest, primarily seeking comment on whether or not the Privacy Rule should apply to “finders” that match potential borrowers and lenders in the motor vehicle finance space.
A Focus on Consumer Data Privacy and a Call to Action
The FTC’s actions are important indicators of its focus on data security issues. They mirror the concerns seen in many states and in Congress about similar issues and the discussion around the need for a federal privacy law in the U.S. The FTC is also set to hold a public hearing on Competition and Consumer Protection in the 21st Century on April 9th & 10th. The goal of the hearing is to address the intersection between technology, data collection practices, and data aggregation as it affects modern consumers who are concerned by unregulated data collection practices. Topics to be discussed include the benefits and risks of information collection and the extent to which consumer privacy preferences should be safeguarded. In conjunction with the hearing, the FTC is requesting comments electronically until May 31, 2019.
These requests for comment by the FTC are an invitation to our clients and others to have their voices heard on these important issues. We encourage all interested parties to take advantage of this opportunity.
* Ali Najaf contributed to this post.