Standards for Safeguarding Customer Information, 13158-13177 [2019-04981]
Download as PDFAgencies
[Federal Register Volume 84, Number 65 (Thursday, April 4, 2019)] [Proposed Rules] [Pages 13158-13177] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: 2019-04981] ----------------------------------------------------------------------- FEDERAL TRADE COMMISSION 16 CFR Part 314 RIN 3084-AB35 Standards for Safeguarding Customer Information AGENCY: Federal Trade Commission. ACTION: Notice of proposed rulemaking; request for public comment. ----------------------------------------------------------------------- SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') requests public comment on its proposal to amend the Standards for Safeguarding Customer Information (``Safeguards Rule'' or ``Rule''). The proposal contains five main modifications to the existing Rule. First, it adds provisions designed to provide covered financial institutions with more guidance on how to develop and implement specific aspects of an overall information security program. Second, it adds provisions designed to improve the accountability of financial institutions' information security programs. Third, it exempts small businesses from certain requirements. Fourth, it expands the definition of ``financial institution'' to include entities engaged in activities that the Federal Reserve Board determines to be incidental to financial activities. Finally, the Commission proposes to include the definition of ``financial institution'' and related examples in the Rule itself rather than cross-reference them from a related FTC rule, the Privacy of Consumer Financial Information Rule. DATES: Written comments must be received on or before June 3, 2019. ADDRESSES: Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ``Safeguards Rule, 16 CFR part 314, Project No. P145407,'' on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: David Lincicum or Allison M. Lefrak, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326-2773 or (202) 326-2804. SUPPLEMENTARY INFORMATION: I. Background The Gramm Leach Bliley Act (``GLB'' or ``GLBA'') was enacted in 1999.\1\ The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to provide customers with information about the institutions' privacy practices and about their opt-out rights, and to implement security safeguards for customer information. --------------------------------------------------------------------------- \1\ Public Law 106-102, 113 Stat. 1338 (1999). --------------------------------------------------------------------------- Subtitle A of Title V of the GLBA required the Commission and other federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information.\2\ Pursuant to the Act's directive, the Commission promulgated the Safeguards Rule in 2002. The Safeguards Rule became effective on May 23, 2003. --------------------------------------------------------------------------- \2\ See 15 U.S.C. 6801(b), 6805(b)(2). --------------------------------------------------------------------------- The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.\3\ The information security program must be written in one or more [[Page 13159]] readily accessible parts.\4\ The safeguards set forth in the program must be appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.\5\ The safeguards must also be reasonably designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.\6\ --------------------------------------------------------------------------- \3\ 16 CFR 314.2(c). \4\ 16 CFR 314.3(a). \5\ 16 CFR 314.3(a), (b). \6\ 16 CFR 314.3(a), (b). --------------------------------------------------------------------------- In order to develop, implement, and maintain its information security program, a financial institution must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, including in the areas of: 1. Employee training and management; 2. information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and 3. detecting, preventing, and responding to attacks, intrusions, or other systems failures.\7\ The financial institution must then design and implement safeguards to control the risks identified through the risk assessment, and must regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.\8\ The financial institution is also required to evaluate and adjust its information security program in light of the results of this testing and monitoring, as well as any material changes in its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.\9\ The financial institution must also designate an employee or employees to coordinate the information security program.\10\ --------------------------------------------------------------------------- \7\ 16 CFR 314.4(b). \8\ 16 CFR 314.4(c). \9\ 16 CFR 314.4(e). \10\ 16 CFR 314.4(a). --------------------------------------------------------------------------- Finally, the Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.\11\ --------------------------------------------------------------------------- \11\ 16 CFR 314.4(d). --------------------------------------------------------------------------- When the Commission issued the Rule in 2002, it opted to provide general requirements and guidance for the required information security program, without providing detailed descriptions of what the information security program should contain.\12\ It took this approach in order to provide financial institutions with the flexibility to shape the information security programs to their particular business and to allow the programs to adapt to changes in technology and threats to the security and integrity of customer information.\13\ While the Commission believes the proposed amendments continue to provide companies with flexibility, they also attempt to provide more detailed guidance as to what an appropriate information security program entails. --------------------------------------------------------------------------- \12\ See Standards for Safeguarding Customer Information, Final Rule, 67 FR 36484 (May 23, 2002). \13\ Id. --------------------------------------------------------------------------- II. Regulatory Review of the Safeguards Rule On August 29, 2016, the Commission solicited comments on the Safeguards Rule as part of its periodic review of its rules and guides.\14\ The Commission sought comment on a number of general issues, including the economic impact and benefits of the Rule; possible conflicts between the Rule and state, local, or other federal laws or regulations; and the effect on the Rule of any technological, economic, or other industry changes. The Commission received 28 comments from individuals and entities representing a wide range of viewpoints.\15\ Most commenters agreed that there is a continuing need for the Rule and that it benefits consumers and competition.\16\ The Commission also generally asked commenters to weigh in on: 1. Whether the Commission should add more specific requirements for information security programs to the Rule; 2. whether the Rule should require the inclusion of an incident response plan; 3. whether the Rule should reference or incorporate any other information security standards or framework, such as the National Institute of Standards and Technology's Cybersecurity Framework or the Payment Card Industry Data Security Standard; 4. whether the Rule should contain its own definition of ``financial institution'' rather than cross-reference the definition set forth in the Privacy Rule; and 5. whether the definition of ``financial institution'' should be expanded. --------------------------------------------------------------------------- \14\ Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7, 2016). \15\ The comments are posted at: https://www.ftc.gov/policy/public-comments/initiative-674. The Commission has assigned each comment a number appearing after the name of the commenter and the date of submission. This notice cites comments using the last name of the individual submitter or the name of the organization, followed by the number assigned by the Commission. \16\ See, e.g., Mortgage Bankers Association (Comment #39); National Automobile Dealers Association (Comment #40); Data & Marketing Association (Comment #38); Electronic Transactions Association (Comment #24); State Privacy & Security Coalition (Comment #26). --------------------------------------------------------------------------- 1. Whether the Safeguards Rule Should Include More Specific Requirements for Information Security Programs Several commenters urged the Commission not to add more specific and prescriptive requirements for information security programs.\17\ These commenters stated that financial institutions are familiar with the Rule in its current form and have established practices and policies in reliance on it; \18\ that preserving the Rule's flexible guidelines for information security plans enables financial institutions to adapt quickly to the rapidly changing cybersecurity landscape; \19\ and that additional prescriptive requirements for information security plans would negatively impact innovation.\20\ --------------------------------------------------------------------------- \17\ See, e.g., American Financial Services Association (Comment #42); Securities Industry and Financial Markets Association (Comment #25); State Privacy & Security Coalition (Comment #26); EDUCAUSE (Comment #17); Mortgage Bankers Association (Comment #39). \18\ National Automobile Dealers Association (Comment #40). \19\ See, e.g., American Financial Services Association (Comment #42); Securities Industry and Financial Markets Association (Comment #25); State Privacy & Security Coalition (Comment #26); EDUCAUSE (Comment #17); Mortgage Bankers Association (Comment #39). \20\ See, e.g., Data & Marketing Association (Comment #38); Electronic Transactions Association (Comment #24). --------------------------------------------------------------------------- Some commenters asserted that a more prescriptive regulatory approach for information security programs in the Rule would not necessarily make institutions more secure and cautioned that regulation that adopts a checklist approach to information security plans risks creating complacency among companies.\21\ A few commenters proposed that rather than amending the Rule to add more specific and prescriptive requirements for information security plans, the Commission should promote self-regulation as an appropriate tool to [[Page 13160]] effectively promote information security.\22\ --------------------------------------------------------------------------- \21\ See e.g., Software & Information Industry Association (Comment #23); Electronic Transactions Association (Comment #24). \22\ Data & Marketing Association (Comment #38); Electronic Transactions Association (Comment #24); State Privacy & Security Coalition (Comment #26). --------------------------------------------------------------------------- On the other hand, some commenters recommended that the FTC strengthen the Rule by including more detailed security requirements.\23\ The Clearing House Association LLC (``The Clearing House''), a banking association and payments company that is owned by the largest commercial banks, argued that the Rule's requirements, at least with respect to large financial technology (``Fintech'') companies, should be more akin to the rules applicable to banks under the Federal Financial Institutions Examination Council (``FFIEC'') Interagency Guidelines. Among other things, these guidelines specify elements that financial institutions should include in a risk assessment; areas a financial institution must consider--such as access controls, encryption, and incident response--in developing security controls; and provisions that financial institutions must include in contracts with service providers. The Electronic Privacy Information Center (``EPIC'') recommended that certain practices set forth in the FTC's Safeguards Rule Guidance, such as employee background checks, authentication requirements, and encryption, should be mandatory.\24\ --------------------------------------------------------------------------- \23\ The Clearing House Association LLC (Comment #35); Electronic Privacy Information Center (Comment #30). \24\ Electronic Privacy Information Center (Comment #30), citing Financial Institutions and Customer Information: Complying with the Safeguards Rule, FED. TRADE COMM'N (Apr. 2006), https://www.ftc.gov/tips-advice/business-center/guidance/financial-institutions-customer-information-complying [hereinafter ``Safeguards Rule Guidance'']. EPIC also urged the Commission to apply the Rule to all types of businesses, not just financial institutions, but the GLBA provides statutory authority only for requirements applicable to financial institutions. --------------------------------------------------------------------------- Having considered these comments, the Commission proposes to amend the Rule to include more specific security requirements. While the Commission agrees with those commenters that argued that the flexibility of the current Safeguards Rule is a strength that allows the Rule to adapt to changing technology and threats, the Commission believes that more specific requirements will benefit financial institutions by providing them more guidance and certainty in developing their information security programs, while largely preserving that flexibility. The Commission agrees that a checklist approach is not appropriate, which is why the proposed amendments retain the existing Rule's process-based approach, allowing companies to tailor their programs to their size and to the sensitivity and amount of customer information they collect. As to the commenters that stated that the current Rule works well and that companies have already developed compliance programs under it, the Commission does not believe the proposed new requirements would require an overhaul of existing compliance programs. Because the new requirements build on existing requirements, they will help companies benchmark and improve their current compliance programs, rather than having to start from scratch. Finally, the Commission recognizes that some of the financial institutions to which the Safeguards Rule applies--such as tax preparers or mortgage brokers--may be very small businesses with few customers. Accordingly, the proposed amendment would exempt smaller financial institutions from certain requirements of the amended Rule. The Commission also agrees that very specific requirements for information security programs could become outdated and require frequent amendments. Accordingly, the proposed amendments provide more detailed requirements as to the issues and threats that must be addressed by the information security program, but do not require specific solutions to those problems. Instead, the proposed amendments retain the process-based approach of the Rule, while providing a more detailed map of what information security plans must address. As discussed in detail below, information security programs under the proposed amendments would still be based on risk assessments performed by the covered financial institutions and would be developed to address the specific risks and needs of the financial institution. The Commission continues to believe that a flexible, non-prescriptive Rule enables covered organizations to use it to respond to the changing landscape of security threats, to allow for innovation in security practices, and to accommodate technological changes and advances. The proposed amendments are designed to preserve that flexibility while doing more to ensure that financial institutions develop information security plans that are appropriate, reasonable, and designed to protect customer information.\25\ Although the Commission believes the proposed approach is sufficiently flexible, it seeks comment on whether the approach creates unintended consequences for businesses, may be more stringent than necessary to achieve the objective, and/or unnecessarily modifies language without creating a material benefit to security. --------------------------------------------------------------------------- \25\ The Commission agrees with the Electronic Transactions Association (Comment #24) about the importance of self-regulation in this area and continues to work with industry groups to promote industry-specific guidance and training on security. --------------------------------------------------------------------------- 2. Whether the Rule Should Require the Inclusion of an Incident Response Plan The Commission sought comment on whether the Rule should require an incident response plan. Several commenters were opposed to adding such a requirement. Some of these commenters noted that states already require companies to notify consumers of a breach and that companies effectively must have some sort of incident response plan in place to meet this requirement, so there would be no need to add this requirement to the Rule.\26\ Some commenters argued that such a requirement would be burdensome for many businesses.\27\ Others stated that there is no need to add such a requirement because, for many financial institutions, in order to satisfy the Rule's current requirement to have a reasonable information security program, a financial institution would necessarily be required to have an incident response plan.\28\ On the other hand, The Clearing House noted that an incident response program is ``a crucial element of data security hygiene in the increasingly dangerous threat environment'' and urged that the Commission impose this requirement on FTC-regulated financial institutions, especially since this is already a requirement for banks under the FFIEC Interagency Guidelines.\29\ --------------------------------------------------------------------------- \26\ See, e.g., Securities Industry and Financial Markets Association (Comment #25); National Automobile Dealers Association (Comment #40). \27\ See, e.g., National Automobile Dealers Association (Comment #40); Securities Industry and Financial Markets Association (Comment #25); \28\ See, e.g., Consumer Data Industry Association (Comment #36); EDUCAUSE (Comment #17); MasterCard Worldwide (Comment #14). \29\ The Clearing House (Comment #35). --------------------------------------------------------------------------- The Commission agrees that the current Rule already requires many financial institutions to develop an incident response plan as part of their information security program. However, the Commission believes there is value to making such a requirement explicit. Accordingly, the Commission proposes an amendment to the Rule to require covered financial institutions to develop an incident response plan as part of their information security program, as described in greater detail below. The [[Page 13161]] Commission does not agree that a process-based requirement that financial institutions plan for an incident encourages a ``check the box'' approach. Nor does the Commission agree that such an obligation is generally burdensome, particularly for businesses operating nationwide, given that many institutions already must develop a response plan to comply with state law.\30\ --------------------------------------------------------------------------- \30\ See e.g., n.26. --------------------------------------------------------------------------- The proposed amendment lists several general areas that the plan would need to address, as discussed in greater detail below. The Commission seeks comment about the potential costs and benefits of this proposal. In particular, the Commission is interested in any data, research or case studies that the Commission could use to analyze what commenters advocate. The proposed amendment is designed to ensure that covered financial institutions are prepared in the event of a cybersecurity event, while still giving them ample flexibility to adapt the plan to the needs and resources of their business. 3. Whether the Safeguards Rule should reference or incorporate any other information security standards or framework, such as the National Institute of Standards and Technology's Cybersecurity Framework or the Payment Card Industry Data Security Standard The Commission sought comment on whether the Rule should reference or incorporate any other information security standards or frameworks, such as the National Institute of Standards and Technology's (``NIST'') Cybersecurity Framework (the ``Framework'') or the Payment Card Industry Data Security Standard (``PCIDSS''). The majority of commenters advocated against referring to or incorporating any other information security standard or framework, such as the NIST Framework or PCIDSS, into the Rule.\31\ Some commenters argued that the FTC should not adopt the NIST Framework as a binding set of obligations because it would lead to a ``check the box'' security mandate, and would add a layer of complexity to an already complex regulatory environment where institutions have to comply with numerous preexisting federal and state requirements.\32\ The Electronic Transactions Association (``ETA'') argued that the Framework is ``not designed to replace an organization's cybersecurity risk management'' and that it is not intended to be a standard or checklist.\33\ --------------------------------------------------------------------------- \31\ See, e.g., U.S. Chamber of Commerce, Center for Capital Markets Competitiveness (Comment #22); Retail Industry Leaders Association (Comment #18); Electronic Transactions Association (Comment #24); EDUCAUSE (Comment #17). \32\ EDUCAUSE (Comment #17). \33\ Electronic Transactions Association (Comment #24). --------------------------------------------------------------------------- A few commenters wrote in support of incorporating a reference to the NIST Framework in the Rule, while not requiring compliance with the Framework.\34\ For example, the Financial Services Roundtable/BITS (``FSR/BITS'') argued that incorporating the NIST Framework in the Rule as an informative reference would help to address ``the growing thicket of cybersecurity compliance obligations that are spreading across the financial services sector.'' \35\ FSR/BITS recommended further that the Commission modify the Rule so that financial institutions that use the NIST Framework would be found in de facto compliance with the Rule.\36\ --------------------------------------------------------------------------- \34\ See, e.g., Financial Services Roundtable/BITS (Comment #21); Software & Information Industry Association (Comment #23). \35\ Financial Services Roundtable/BITS (Comment #21). \36\ Id. --------------------------------------------------------------------------- With respect to the PCIDSS, numerous commenters opposed the Rule's reference or incorporation of PCIDSS.\37\ Commenters argued such an amendment has the possibility of undermining the Rule's flexibility by imposing a ``one-size-fits-all'' approach.\38\ MasterCard Worldwide, a co-founder and developer of PCIDSS, opposed this amendment to the Rule, highlighting that the PCIDSS was created by major card networks for participants in the card industry.\39\ Whereas the PCIDSS may be appropriate for payment card issuers and acquirers, MasterCard argued, it would not necessarily apply well to other financial institutions.\40\ Other comments agreed that incorporating PCIDSS would be inappropriate.\41\ No commenters wrote in support of referencing or incorporating the PCIDSS into the Rule. Having considered these comments, the Commission declines to propose changing the Rule to incorporate or reference a particular security standard or framework. As noted above, for a variety of reasons, including questions about the applicability of the particular standards at issue to all financial institutions, the majority of commenters opposed referencing or incorporating any specific information security standard or framework into the Rule. Mandating that companies follow a particular security standard or framework would reduce the flexibility built into the current Rule. This proposal does not amend the Rule to allow compliance with such standards to serve as a safe harbor against Commission enforcement, as some commenters sought. The Commission seeks additional comment on how such a program could remain up to date and respond rapidly to changes in the security environment, and the workability of monitoring changing standards and adapting a safe harbor rule as needed. --------------------------------------------------------------------------- \37\ See, e.g., Electronic Transactions Association (Comment #24); MasterCard Worldwide (Comment #14); Retail Industry Leaders Association (Comment #18). \38\ Electronic Transactions Association (Comment #24); EDUCAUSE (Comment #17). \39\ MasterCard Worldwide (Comment #14). \40\ Id. \41\ See Securities Industry and Financial Markets Association (Comment #25) (arguing that there is insufficient overlap between payment card industry and covered financial institutions to justify adopting PCIDSS); Retail Industry Leaders Association (Comment #18) (arguing that adopting PCIDSS would not be an effective basis for a regulation); National Retail Federation (Comment #29) (noting that PCIDSS is a proprietary information security standard controlled by a single industry); State Privacy & Security Coalition (Comment #26) (arguing that adopting PCIDSS would amount to outsourcing federal rulemaking authority). --------------------------------------------------------------------------- 4. Whether the Safeguards Rule Should Contain its own Definition of ``Financial Institution'' Rather Than Cross-Reference the Definition set Forth in the Privacy Rule The Commission also asked whether the Rule should be revised to incorporate a definition of ``financial institution'' and related examples in the Rule itself, rather than cross-reference reference definitions and examples set forth in the Privacy Rule.\42\ --------------------------------------------------------------------------- \42\ Privacy of Consumer Financial Information Rule (``Privacy Rule''), 16 CFR part 313. --------------------------------------------------------------------------- The term ``financial institution'' is defined in the Privacy Rule, and that term is cross-referenced in the Safeguards Rule.\43\ Under the Dodd-Frank Act,\44\ the majority of the Commission's rulemaking authority for the Privacy Rule was transferred to the Consumer Financial Protection Bureau, with the exception of rulemaking authority pertaining to certain motor vehicle dealers.\45\ Accordingly, the Commission's Privacy Rule now applies only to certain motor vehicle dealers. The Safeguards Rule, however, still applies to all financial institutions within the FTC's general enforcement jurisdiction.\46\ Thus, currently, the [[Page 13162]] definition of ``financial institution'' in the Privacy Rule--which governs the scope of the Safeguards Rule--applies to all financial institutions within the Commission's jurisdiction, despite the fact that most types of financial institutions are no longer subject to the Privacy Rule. This creates a confusing situation where the Privacy Rule, on its face, appears to cover types of ``financial institutions'' that the Privacy Rule no longer covers. --------------------------------------------------------------------------- \43\ 16 CFR 313.3(k); 16 CFR 314.2(a). \44\ Public Law 111-203, 124 Stat. 1376 (2010). \45\ 15 U.S.C. 6804(a)(1)(C). \46\ 15 U.S.C. 6804(a)(1)(A). --------------------------------------------------------------------------- To address this issue, the Commission proposes incorporating the definition of ``financial institution'' and the accompanying examples from the Privacy Rule into the Safeguards Rule.\47\ None of the commenters voiced a view one way or the other on this issue. The Commission notes that this modification would have no substantive effect on the scope of the Rule or its enforcement.\48\ This change will only increase the clarity of the Rule. --------------------------------------------------------------------------- \47\ The Commission is releasing a NPRM that proposes parallel revisions to the Privacy Rule concurrently with this NRPM. \48\ Separately, as noted below, the Commission proposes to revise the definition of ``financial institution'' to cover finders. --------------------------------------------------------------------------- 5. Whether, if the Safeguards Rule is Amended To Include its own Definition of ``Financial Institution,'' That Definition Should be Expanded to Also Include (1) Entities That are Significantly Engaged in Activities That the Federal Reserve Board has Found To Be Incidental to Financial Activities and/or (2) Activities That Have Been Found To Be Closely Related to Banking or Incidental to Financial Activities by Regulation or Order in Effect After the Enactment of the GLBA Finally, the Commission asked about the scope of the definition of ``financial institution.'' When promulgating the Privacy Rule in 2000, the Commission determined that companies engaged in activities that are ``incidental to financial activities'' would not be considered ``financial institutions.'' \49\ The Commission was the only agency to adopt this restrictive definition in its Privacy Rule, while the other agencies included incidental activities.\50\ In addition, the Commission decided that activities that were determined to be financial in nature after the enactment of the GLBA would not be automatically included in its Privacy Rule; rather, the Commission would have to take additional action to include them.\51\ The effect of these two decisions was to limit the activities covered by the Commission's rules to those set out in 12 CFR 225.28 as it existed in 2000, and to exclude any activities later determined by the Federal Reserve Board to be financial activities or incidental to those activities.\52\ The definition from the Privacy Rule was incorporated into the Safeguards Rule.\53\ Thus, in the Request for Comment,\54\ the Commission sought comment on whether it should more closely align with other agencies and amend the Safeguards Rule to include ``incidental'' activities and activities determined to be financial or incidental after 1999. --------------------------------------------------------------------------- \49\ See 16 CFR 313.3(k); see also 65 FR 33646, 33654 (May 24, 2000). \50\ The Commission also added the requirement that an entity must be ``significantly engaged'' in the financial activity to be considered a financial institution under the Privacy Rule. 16 CFR 313.3(k). The Commission is not proposing to change this requirement. \51\ 65 FR 33646, 33654 n.23 (May 24, 2000). \52\ Id. \53\ 16 CFR 314.2(a). \54\ 81 FR 61632 (Sept. 7, 2016). --------------------------------------------------------------------------- In 2000, the Federal Reserve Board determined that acting as a ``finder'' is an activity that is ``incidental to a financial activity.'' \55\ The Federal Reserve Board defined ``finding'' as bringing together buyers and sellers of products or services for transactions that the buyers and sellers themselves negotiate and consummate. --------------------------------------------------------------------------- \55\ See 65 FR 80735 (Dec. 22, 2000); 12 CFR 225.86(d)(1). --------------------------------------------------------------------------- The majority of commenters who addressed the definition of ``financial institutions'' urged the Commission not to amend the definition to include more than those businesses that conduct traditional financial activities or to include activities determined to be financial in nature or incidental after the enactment of the GLBA.\56\ For example, the Software & Information Industry Association (``SIIA'') commented that the Rule already has an impact beyond financial institutions themselves in encouraging entities that receive customer information from financial institutions to take measures to secure that data, even though they may not be legally obligated to do so under the Rule.\57\ Per SIIA, this is because they are either contractually bound by partnerships with financial institutions, or compete for business on the ability to meet high security requirements.\58\ The Securities Industry and Financial Markets Association (``SIFMA'') also opposed this amendment, claiming that the securities industry makes a proactive, regular effort to familiarize itself with other regulatory frameworks' definitions in order to satisfy the Rule's ``reasonable'' standard.\59\ Thus, the Rule already implicitly requires their industry, SIFMA argues, ``to understand the Privacy Act, Federal Reserve Board guidance, and the [GLBA's] impact. Creating new, or modifying existing, definitions in the Rule would eliminate the Rule's flexibility in this regard.'' \60\ --------------------------------------------------------------------------- \56\ See, e.g., National Association of Convenience Stores (Comment #28); Software & Information Industry Association (Comment #23); Securities Industry and Financial Markets Association (Comment #25). \57\ Software & Information Industry Association (Comment #23). But see National Automobile Dealers Association (Comment #40) (supporting more specific requirements for service providers' security). \58\ Software & Information Industry Association (Comment #23). \59\ Securities Industry and Financial Markets Association (Comment #25). \60\ Id. --------------------------------------------------------------------------- In opposition to an expansion of the definition of financial institutions that might include incidental participants in financial transactions, the National Association of Convenience Stores (``NACS'') noted that some incidental participants--such as its members--do not store customer-identifying information, nor do they have continuing information-based relationships with consumers that would justify development and maintenance of a comprehensive security program.\61\ Further, according to NACS, its members do not handle some of the most sensitive personal information such as Social Security numbers and driver's license numbers that are more commonly associated with identity theft.\62\ Financial institutions, by contrast, do handle such sensitive personal consumer information.\63\ --------------------------------------------------------------------------- \61\ National Association of Convenience Stores (Comment #28). \62\ Id. \63\ Id. --------------------------------------------------------------------------- On the other hand, EPIC advocated that the Commission expand the scope of the Rule to include ``all organizations and companies that collect consumer data,'' such as educational institutions and commercial businesses that process student and consumer information.\64\ In underscoring the importance of doing so, EPIC noted that such organizations frequently collect the same sensitive information as traditional financial institutions and are subject to the same security threats.\65\ --------------------------------------------------------------------------- \64\ Electronic Privacy Information Center (Comment #30). \65\ Id. --------------------------------------------------------------------------- Having considered these comments, the Commission proposes amending the definition of ``financial institution'' to include ``incidental'' activities and activities determined to be financial or incidental after 1999. This change would bring ``finders'' within the scope of the Rule. The Commission recognizes that commenters generally opposed revising the definition, but notes that commenters' concerns generally related [[Page 13163]] to issues not presented by the proposed change (e.g., bringing such entities as convenience stores or securities firms within the Rule's ambit). The Commission is not proposing such a broad expansion, however. The only effect of this proposed amendment would be to cause finders, whose activities often involve collection of financially sensitive personal information, to be covered by the Rule. This modification would ensure that finders adequately protect that information. Because they collect, maintain, and store sensitive consumer information, it is important for them to be subject to requirements to safeguard it. If this sensitive information were to get into the wrong hands, consumers could suffer identity theft, fraud, and other harms. The Commission's proposed change would not bring any other activities under the coverage of the Rule because the Federal Reserve Board has not determined any activity other than finding to be financial in nature, or incidental to such activity, since the enactment of the GLBA. Further, it would harmonize the Commission's Rule with other regulators' Safeguards Rules--which already cover institutions engaged in activities incidental to financial activities-- as well as Regulation P, which applies to all other financial institutions that are not covered by the Privacy Rule.\66\ This harmonization will create a more consistent regulatory landscape that will help to treat businesses the same regardless of which agency is regulating them. Accordingly, the Commission's proposed amendment to section 314.1(b) indicates that the Rule's scope includes companies that engage in activities that are financial in nature or incidental to such financial activities. Likewise, the proposed definition of ``financial institution'' in proposed section 314.2(e)(1) also includes companies engaged in activities that are incidental to financial activities. --------------------------------------------------------------------------- \66\ As noted above, however, unlike other agencies' equivalent rules, the FTC Safeguards Rule limits financial institutions to those ``significantly engaged'' in the financial activity. The Commission is proposing to retain this limitation and extend it to activity incidental to financial activity. --------------------------------------------------------------------------- In connection with this proposal, the Commission requests comment on the impact of expanding the definition of ``financial institutions'' to include finders. Specifically, the Commission seeks information on 1. The number of finders in the marketplace that would be included in this definition; and 2. the costs and benefits, including the costs and benefits to finders and consumers, of this proposal. III. Section-by-Section Analysis As discussed above, the Commission proposes to amend the Safeguards Rule to include more detailed requirements for the development and establishment of the information security program required under the Rule. These amendments are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services, 23 NYCRR 500 (``Cybersecurity Regulations''), and the insurance data security model law issued by the National Association of Insurance Commissioners (``Model Law'').\67\ The Cybersecurity Regulations were issued in February 2017 after two rounds of public comment. The Model Law was issued in October 2017. The Commission believes that both the Cybersecurity Regulations and the Model Law maintain the balance between providing detailed guidance and avoiding overly prescriptive requirements for information security programs. The proposed amendments do not adopt either law wholesale, instead taking portions from each and adapting others for the purposes of the Safeguards Rule.\68\ --------------------------------------------------------------------------- \67\ National Association of Insurance Commissioners, Insurance Data Security Model Law (2017), www.naic.org/store/free/MDL-668.pdf. South Carolina has enacted legislation based on the Model Law. 2017 S.C. Act No. 171, R. 184, H 4655. \68\ At the time the Commission issued its request for comments, neither the Cybersecurity Regulations nor the Model Law had been implemented, so the Commission did not seek comment on the more detailed approaches they adopted. The Commission is doing so through this NPRM. --------------------------------------------------------------------------- The Commission is interested in receiving data, research, case studies, or other evidence related to business efforts to comply with the Cybersecurity Regulations or state laws mirroring the Model Law. The Commission is also interested in receiving comments on the extent to which the proposal would preempt existing state laws. Section 507(a) of the GLBA, 15 U.S.C. 6807(a), preserves a state ``statute, regulation, order, or interpretation'' that is not ``inconsistent'' with the privacy and security provisions of the GLBA. The Commission is interested in hearing about the effect of the proposal on companies' compliance with state and federal law. Finally, in light of the proposed amendments and the existence of several cybersecurity frameworks that require processes similar to the Proposed Rule, the Commission additionally requests comments on the potential for safe harbors against Commission enforcement of the Safeguards Rule, including evidence on the efficacy and utility of safe harbors in other contexts and perspectives on the viability of a safe harbor in the present context, especially as safe harbors relate to small business. In addition to the amendments related to the requirements for information security programs, the Commission proposes amendments to the definition of ``financial institution'' and the addition of examples previously contained in the Privacy Rule, as discussed above. It also adds to the definition of ``financial institution'' entities that engage in activities incidental to financial activities. The following is a section-by-section analysis of the proposed amendments. The Commission seeks comments on the proposed amendments in general but also seeks comment on specific questions as set forth in the analysis below. Proposed Amendments to Section 314.1: Purpose and Scope The proposed amendment would add language from section 313.1(b) of the Privacy Rule, relating to the scope of the Rule and definition of financial institution, to section 314.1(b) of the Safeguards Rule. This addition would set forth the scope of the Safeguards Rule, which previously applied to the same entities as the Privacy Rule until the Dodd-Frank Act limited the scope of the Privacy Rule only to certain automobile dealers. As noted above, the Commission is proposing in a concurrent NPRM to amend the Privacy Rule to reflect the narrower scope of that regulation \69\ and, in turn, proposes to amend the Safeguards Rule to clarify that it retains its original scope. Section 314.1(b) states that the Safeguards Rule applies to the handling of customer information by all financial institutions over which the Commission has jurisdiction. The proposed amendment sets forth the general definition of ``financial institution'' and provides examples of financial institutions under the Commission's jurisdiction, such as finance companies and mortgage brokers. The added language is taken largely from the existing Privacy Rule. The new language is not meant to change the scope of the Safeguards Rule, other than to reflect the proposed addition of ``finders'' to the Rule's scope, as discussed below. --------------------------------------------------------------------------- \69\ A notice of proposed rulemaking relating to the Privacy Rule is published elsewhere in this issue of the Federal Register. --------------------------------------------------------------------------- [[Page 13164]] Proposed Amendment to Section 314.2: Definitions The proposed amendments to section 314.2 add definitions to terms introduced in the proposed amended Rule. The proposed amendments do not alter or remove any definitions in the existing Rule. Existing definitions are interspersed with new definitions in alphabetical order. The Commission is interested in hearing whether these updated definitions reflect current practices, or whether they need to be adjusted to avoid unintended consequences, modified or eliminated for smaller firms, or narrowed to avoid undue burden. Proposed paragraph (a), which states that terms used in the Safeguards Rule have the same meaning as set forth in the Privacy Rule, would be unchanged from the existing Rule. This provision will apply to terms defined in the Privacy Rule but not in the Safeguards Rule, such as ``customer'' and ``nonpublic personal information.'' Proposed paragraph (b) would define an ``authorized user'' of an information system as any employee, contractor, agent or other person that participates in the business operations of an entity and is authorized to access and use any of that financial institution's information systems and data.\70\ This term is used in proposed section 314.4(c)(10), which requires financial institutions to implement policies to monitor the activity of authorized users and detect unauthorized access to customer information. --------------------------------------------------------------------------- \70\ This definition is substantively identical to the definition found in 23 NYCRR 500.01(b). --------------------------------------------------------------------------- Proposed paragraph (c) would define a ``security event'' as ``an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system.''\71\ This term is used in proposed provisions requiring financial institutions to establish written incident response plans designed to respond to security events and to implement audit trails to detect and respond to security events. It also appears in a proposed provision requiring a financial institution's chief information security officer to provide an annual report to the financial institution's governing body, which must identify all security events that took place that year. --------------------------------------------------------------------------- \71\ This definition is based on the definition found in the Model Law, Section 3(D). The proposed amendment adopts the term ``security event'' in place of the Model Law's term ``cybersecurity event'' to clarify that an information security program encompasses information in both digital and paper form and that unauthorized access to paper files would also be a security event under the Rule. For this reason, throughout the proposed amendment, the Commission has proposed to replace the term ``cybersecurity'' from the Cybersecurity Regulations and Model Law with either ``information security'' or simply ``security.'' In addition, the proposed definition does not include the Model Law's exemption for the acquisition of encrypted information or events where the covered entity determines that the information accessed by an unauthorized person has not been used or released and has been returned or destroyed. In both instances, the Commission believes that a financial institution should still engage in its incident response procedures to address the failures in its information security that allowed such events to occur. --------------------------------------------------------------------------- Proposed paragraph (d) is the existing Rule's paragraph (b) and would not alter the definition of ``customer information.'' Proposed paragraph (e) would define ``encryption'' as ``the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key.'' This term is used in proposed section 314.4(c)(4), which generally requires financial institutions to encrypt customer information, with certain exceptions. This definition is adopted from the Model Law \72\ and is intended to define the process of encryption while not requiring any particular technology or technique for achieving the protection provided by encryption. The Commission seeks comment on this definition. --------------------------------------------------------------------------- \72\ Model Law, Section 3(F). --------------------------------------------------------------------------- As discussed above, proposed paragraph (f) would incorporate the definition of ``financial institution'' from the Privacy Rule. The Commission is proposing one substantive change to the definition of ``financial institution'' to include entities that are ``significantly engaged in activities that are incidental'' to financial activities as defined by the Bank Holding Company Act. As discussed above, this change would bring only one activity into the definition that was not covered before: The act of ``finding,'' as defined in 12 CFR 225.86(d)(1). The proposed revision to paragraph (f) would add an example of a financial institution acting as a finder by ``bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate.'' This example uses the language set forth in 12 CFR 225.86(d)(1), which defines finding as an activity that is incidental to a financial activity under the Bank Holding Company Act. Proposed paragraph (g) is the existing Rule's paragraph (c) and would not alter the definition of ``information security program.'' Proposed paragraph (h) would define ``information system'' as ``a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.'' \73\ The term ``information system'' is used throughout the proposed amendments to designate the systems that must be covered by the information security program. This definition is designed to cover the systems, including hardware, software, and networks that financial institutions use to maintain, process, access and store customer information. It is meant to be a broad definition that covers any system that, if compromised, could result in unauthorized access to customer information. --------------------------------------------------------------------------- \73\ This definition is identical to the definition in 23 NYCRR 500.1(e). --------------------------------------------------------------------------- Proposed paragraph (i) would define ``multi-factor authentication'' as ``authentication through verification of at least two of the following types of authentication factors: 1. Knowledge factors, such as a password; 2. possession factors, such as a token; or 3. inherence factors, such as biometric characteristics.'' This term is used in proposed section 314.4(c)(6), which requires financial institutions to implement multi-factor authentication for individuals accessing internal networks that contain customer information. This definition comes from the Cybersecurity Regulations \74\ and is designed to conform to current understanding of what constitutes multi-factor authentication while still allowing financial institutions considerable flexibility in designing systems to protect their networks.\75\ Under this definition, a system of multi-factor authentication would need to verify at least two of the three types of factors, but has considerable flexibility in how to implement each factor. For example, under the knowledge factor, financial institutions are not limited to requiring passwords for access to systems, but might also use biographical information, or other knowledge that should be limited to the authorized user. The possession factor, could [[Page 13165]] include verifying that a recognized device is accessing the system, or the transmission of a one-time code to a device on file with the financial institution. For the inherence factors, fingerprints, retina scans, or voice prints can be used. The Commission seeks comment on whether this definition is sufficiently flexible, while still requiring the elements of meaningful multi-factor authentication. --------------------------------------------------------------------------- \74\ 23 NYCRR 500.01(f). The proposed amendment deviates from the language of the Cybersecurity Regulations in that it does not include text messages as an example of a possession factor. As NIST has noted, SMS text messages are vulnerable to compromise and may not be an appropriate means of verifying identity. See, e.g., NIST Special Publication 800-63B, Digital Identity Guidelines, 5.1.3.3 (restricting use of verification using the Public Switched Telephone Network (SMS or voice) as an ``out-of-band'' factor for multifactor authentication). \75\ See NIST, Glossary, ``Multifactor Authentication,'' https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication. --------------------------------------------------------------------------- Proposed paragraph (j) would define ``penetration testing'' as a ``test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems.'' \76\ This term is used in proposed section 314.4(d)(2), which requires financial institutions to continually monitor the effectiveness of their safeguards or to engage in annual penetration testing. The primary example of penetration testing is where a security expert uses common techniques in an attempt to breach the security of a financial institution's information system. As set forth in the proposed definition, this includes attempts where the penetration tester is acting as an outsider who must penetrate the system without any initial access to the system, and attempts where the tester acts as someone with limited access to the system--such as a contractor or employee--and tries to access information that such an insider is not authorized to access. The Commission believes that there is currently a commonly understood definition of these services and that this definition provides sufficient guidance to understand the requirements of the proposed amendments. --------------------------------------------------------------------------- \76\ This definition is substantively identical to the definition found in 23 NYCRR 500.01(h). --------------------------------------------------------------------------- Proposed paragraph (k) is the existing Rule's paragraph (d) and would not alter the definition of ``service provider.'' Proposed Amendment to Section 314.3: Standards for Safeguarding Customer Information Current section 314.3 requires financial institutions to develop an information security program (subsection (a)) and sets forth the objectives of the Rule (subsection (b)). Proposed section 314.3 retains the current requirements of section 314.3 under subsection (a) and the existing statement of objectives under subsection (b). It would, however, change the requirement that ``safeguards'' be based on the elements set forth in section 314.4, by replacing ``safeguards'' with ``information security program.'' This change is proposed to clarify that the elements set forth in section 314.4 are parts of the information security plan. Proposed Amendments to Section 314.4: Elements The proposed amendments to section 314.4 would alter existing required elements of an information security program and adds several new elements. Although the Commission believes the proposed approach is sufficiently flexible, it seeks comment on whether it creates unintended consequences for businesses, may be more stringent than necessary to achieve the objective, and/or unnecessarily modifies the current rule without creating a material benefit to security. Proposed Paragraph (a) Amended paragraph (a) would expand the current requirement of designating an ``employee or employees to coordinate your information security program'' by requiring the designation of a single qualified individual responsible for overseeing and implementing the financial institution's security program and enforcing its information security program.\77\ This individual is referenced in the Rule as a Chief Information Security Officer or ``CISO.'' This title is for clarity in the proposed Rule; financial institutions would not be required to actually grant that title to the designated individual. The proposed amendment would no longer allow financial institutions to designate more than one employee to coordinate the information security program. The Commission is interested in hearing about the potential costs and benefits of this proposal. In particular, the Commission is interested in any data, research or case studies that the Commission could use to analyze whether this is the best approach. This proposed change is intended to ensure that a single individual is accountable for overseeing the entire information security program and to lessen the possibility that there will be gaps in responsibility between individuals. The Commission believes that requiring a single responsible individual will increase accountability for the security of financial institutions' information systems. --------------------------------------------------------------------------- \77\ Proposed 16 CFR 314.4(a). This amendment is based on 23 NYCRR 500.04(a) and is functionally identical. --------------------------------------------------------------------------- Under the proposed amendment, the CISO need not be an employee of the financial institution, but can be an employee of an affiliate or a service provider. This proposed change is meant to accommodate financial institutions that may prefer to retain an outside expert, lack the resources to employ their own information security staff qualified to oversee a program, or decide to pool resources with affiliates to share staff to manage information security. To the extent a financial institution meets this requirement by using a service provider or affiliate, however, the proposed amendment would require that the financial institution still: 1. Retain responsibility for compliance with the Rule; 2. designate a senior member of its personnel to be responsible for direction and oversight of the CISO; and 3. require the service provider or affiliate to maintain an information security program that protects the financial institution in accordance with the Rule. These proposed amendments are designed to ensure that, even when the financial institution outsources the CISO function, the financial institution retains responsibility for its own information security. Proposed Paragraph (b) The proposed amendments to paragraph (b) clarify that a financial institution must base its information security program on the findings of its risk assessment by changing the first sentence of existing paragraph (b) to read that financial institutions' ``information security program shall be based on a risk assessment. . . .'' \78\ This is intended to emphasize this requirement, which is already required under the existing Rule.\79\ In addition, the proposed amendment removes existing section 314.4(b)'s requirement that the risk assessment must include consideration of specific risks \80\ because these specific risks are set forth elsewhere in the proposed amendments.\81\ --------------------------------------------------------------------------- \78\ Proposed 16 CFR 314.4(b). \79\ 16 CFR 314.4(b). \80\ 16 CFR 314.4(b)(1), (b)(2), and (b)(3). \81\ See, e.g., Proposed 16 CFR 314.4(c)(2), (c)(10), and (e). --------------------------------------------------------------------------- Proposed section 314.4(b)(1) would require that the risk assessments be written and based on criteria for evaluating the risks the institutions face based on their particular information systems and the customer information they hold.\82\ In addition, revised paragraph (b)(1) would require that the risk assessment describe how the financial institution will mitigate or [[Page 13166]] accept any identified risks and how the financial institution's information security program will address those risks.\83\ The Commission is proposing these requirements in order to encourage financial institutions to perform thorough and complete risk assessments. The proposed amendment would allow financial institutions to develop their own criteria suited to their needs, but generally the criteria should address the sensitivity and value of customer information collected, maintained or transmitted by the financial institution and possible vectors through which the security, confidentiality, and integrity of that information could be threatened. --------------------------------------------------------------------------- \82\ Proposed 16 CFR 314.4(b)(1). This proposed amendment is based on 23 NYCRR 500.09(b). Proposed 16 CFR 314.4(b)(1) retains the requirement from the Cybersecurity Regulations that the risk assessment be written, but deviates from the Cybersecurity Regulations in that it does not require that the criteria for the risk assessment be written. \83\ Proposed 16 CFR 314.4(b)(1)(iii). --------------------------------------------------------------------------- The proposed amendment to section 314.4(b) would also add a requirement that financial institutions ``periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks.'' \84\ The Commission believes that in order to be effective, a risk assessment must be subject to periodic reevaluation to adapt to changes in both financial institutions' information systems and changes in threats to the security of those systems. The proposed amendment would not set forth a prescriptive schedule for the periodic risk assessment, but would require financial institutions to set their own schedule based on the needs and resources of their institution. --------------------------------------------------------------------------- \84\ Proposed 16 CFR 314.4(b)(2). --------------------------------------------------------------------------- Proposed Paragraph (c) Proposed paragraph (c) retains the existing Rule's requirement for financial institutions to design and implement safeguards to control the risks identified in the risk assessment. It also adds more detailed requirements for what these safeguards must include. The Commission believes that most financial institutions already implement such measures as part of their comprehensive information security programs under the existing Rule. The proposed amendment simply makes these requirements explicit in order to clarify the Rule and ensure that financial institutions understand their obligations under the Rule. Amended paragraph (c)(1) would require financial institutions to place access controls on information systems, designed to authenticate users and permit access only to authorized individuals in order to protect customer information from unauthorized acquisition.\85\ The Commission views this as a fundamental requirement of all information security programs,\86\ which certainly would have been a part of any program that met the requirements of the existing Rule. --------------------------------------------------------------------------- \85\ Proposed 16 CFR 314.4(c)(1). This proposed amendment is based primarily on the Model Law, Section 4(D)(2)(a), though it adds the Cybersecurity Regulations' requirement that such controls be periodically reviewed. 23 NYCRR 500.07. The proposed amendments use the Model Law, as opposed to the Cybersecurity Regulations, where, as here, the format is more easily integrated into the current Rule. \86\ See, e.g., Complaint, Uber Technologies, Inc., No. 152 3054 (October 26, 2018) (alleging that company failed to implement reasonable access controls). --------------------------------------------------------------------------- Proposed paragraph (c)(2) would require financial institutions to ``[i]dentify and manage the data, personnel, devices, systems, and facilities that enable [the financial institution] to achieve business purposes in accordance with their relative importance to business objectives and [the financial institution's] risk strategy.'' \87\ This requirement is designed to ensure that the financial institution inventories the data in its possession, inventories the systems on which that data is collected, stored or transmitted, and has a full understanding of the relevant portions of its information systems and their relative importance.\88\ For example, it would require a company to understand which devices and networks contain customer information, who has access to them, and how those systems are connected to each other and to external networks. --------------------------------------------------------------------------- \87\ Proposed 16 CFR 314.4(c)(2). This proposed amendment is based on the Model Law, Section 4(D)(2)(b), and is functionally identical to it. \88\ See, e.g., Complaint, FTC v. Wyndham Worldwide Corp., No. CV 12-1365-PHX-PGR (D. Ariz. August 8, 2012) (alleging that company failed to provide reasonable security by, among other things, failing to inventory computers connected to its network). --------------------------------------------------------------------------- Proposed paragraph (c)(3) would require that financial institutions restrict access to physical locations containing customer information only to authorized individuals.\89\ This element would require financial institutions to protect physical locations, as opposed to networks, that contain customer information and is designed to address the threat to physical copies of records.\90\ This would require financial institutions to protect paper files and control access to areas in which such files are stored. This may include restricting access to work areas where personnel are using hard copies of customer information or requiring physical locks on filing cabinets containing customer information and similar protections. It would also include policies for securing physical devices that contain personal information, such as laptops, tablets, phones, and thumb drives. --------------------------------------------------------------------------- \89\ Proposed 16 CFR 314.4(c)(3). This proposed amendment is based on Model Law, Section 4(D)(2)(c) and is functionally identical to it. \90\ See, e.g., Complaint, FTC v. LifeLock, Inc., No. 2:10-cv- 00530-MHM (D. Ariz. March 9, 2010) (alleging that company failed to provide reasonable security where it received customers' personal information by facsimile in an open and easily accessible area). --------------------------------------------------------------------------- Proposed paragraph (c)(4) would generally require financial institutions to encrypt all customer information, both in transit and at rest.\91\ The Commission believes that in most circumstances encryption is an appropriate and important way to protect customer information from unauthorized use and access.\92\ Recognizing that companies may need flexibility in certain unforeseen circumstances, the proposed amendment does, however, permit financial institutions to use alternative means to protect customer information, subject to review and approval by the CISO. This is similar to the approach taken by the Health Insurance Portability and Accountability Act Security Rule, which permits a covered entity to use an alternative to encryption if it determines that encryption is not reasonable and documents an equivalent alternative measure.\93\ The Commission seeks comment on this approach. --------------------------------------------------------------------------- \91\ Proposed 16 CFR 314.4(c)(4). This proposed amendment is based on both 23 NYCRR 500.15 and Model Law Section 4(D)(2)(d). It takes the general format from the Model Law but integrates the requirement that any alternative measures must be approved by the CISO from the Cybersecurity Regulations. \92\ See, e.g., Complaint, Uber Technologies, Inc., FTC No. 152 3054 (October 26, 2018) (alleging that company failed to provide reasonable security when it stored sensitive personal information in plain text rather than encrypting it). \93\ See 45 CFR 164.306(d)(3); id. 164.312(a)(2)(iv) (making encryption an addressable specification). --------------------------------------------------------------------------- Proposed paragraph (c)(5) would establish a requirement that financial institutions ``[a]dopt secure development practices for in- house developed applications utilized'' for ``transmitting, accessing, or storing customer information.'' \94\ This proposed amendment is designed to ensure that financial institutions address the security of software they develop to handle customer information, as distinct from the security of their networks that contain [[Page 13167]] customer information.\95\ Financial institutions would be required to adopt practices designed to develop applications that do not subject customer information to unacceptable risk of unauthorized access. In addition, this amendment would require financial institutions to develop ``procedures for evaluating, assessing, or testing the security of externally developed applications [they] utilize to transmit, access, or store customer information.'' This proposed provision is designed to ensure that financial institutions take steps to verify that applications they use to handle customer information are secure.\96\ Under this amendment, financial institutions would be required to take reasonable steps to assure themselves that applications they use to handle customer information are secure and will not expose customer information. --------------------------------------------------------------------------- \94\ Proposed 16 CFR 314.4(c)(5). \95\ See, e.g., Complaint, FTC v. D-Link Systems, Inc., No. 3:17-CV-00039-JD (N.D. Cal. March 20, 2017) (alleging that company failed to provide reasonable security when it failed to adequately test the software on its devices). \96\ See, e.g., Complaint, Lenovo, FTC No. 152-3134 (January 2, 2018) (alleging that company failed to provide reasonable security by failing to properly assess and address security risks caused by third-party software). --------------------------------------------------------------------------- Amended paragraph (c)(6) would require financial institutions to ``implement multi-factor authentication for any individual accessing customer information'' or ``internal networks that contain customer information.'' \97\ The Commission views multi-factor authentication as a minimum standard to allowing access to customer information for most financial institutions.\98\ As discussed above, the Commission believes that the definition of multi-factor authentication is sufficiently flexible to allow most financial institutions to develop a system that is suited to their needs. Currently used forms of multifactor authentication, such as requiring both a password and the receipt of a one-time passcode on a registered device, would meet this proposed requirement. To the extent that a financial institution finds that a method other than multi-factor authentication offers reasonably equivalent or more secure access controls, the institution may adopt that method with the written permission of its CISO. The Commission seeks comment on this approach. --------------------------------------------------------------------------- \97\ Proposed 16 CFR 314.4(c)(6). This proposed amendment is based on 23 NYCRR 500.12, although it has been limited to requiring multifactor authentication only for accessing customer information. \98\ See, e.g., Federal Financial Institutions Examinations Council, ``Authentication in an Electronic Banking Environment,'' (August 8, 2001) (``In general, multi-factor authentication should be used on higher risk systems.''); see also Complaint, TaxSlayer, FTC No. 1623063 (November 8, 2017) (alleging that company failed to provide reasonable security when it used single factor authentication). --------------------------------------------------------------------------- Amended paragraph (c)(7) would require information systems under the Rule to include audit trails designed to detect and respond to security events.\99\ Audit trails are chronological logs that show who has accessed an information system and what activities the user engaged in during a given period.\100\ The proposed Rule does not require any specific type of audit trail, nor does it require that every transaction be recorded in its entirety. However, the audit trail must be designed to allow the financial institution to detect when the system has been compromised or when an attempt to compromise has been made. It must also provide sufficient information for the financial institution to reasonably respond to the event. The proposed amendment does not require that the audit trails be retained for any particular period, but the Commission believes that in order to allow the financial institution to detect and respond to security events, the audit trails will usually have to be maintained for some reasonable length of time. Financial institutions would need to determine the appropriate retention period for their operations. The Commission seeks comment on whether this requirement needs to be modified or eliminated for smaller firms, or narrowed to avoid undue burden. --------------------------------------------------------------------------- \99\ Proposed 16 CFR 314.4(c)(7). This proposed amendment is based on Model Law, Section 4(D)(2)(i), but removes the requirement that the audit trail be able to reconstruct material financial transactions. The proposed amendment requires only that the audit trail be designed to detect and respond to security events. \100\ See Computer Security Resource Center, Glossary, ``Audit Trail,'' https://csrc.nist.gov/glossary/term/audit-trail. --------------------------------------------------------------------------- Amended paragraph (c)(8) would require financial institutions to develop procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes.\101\ The proposed amendment allows the retention of information when retaining the information is required by law or where targeted disposal is not feasible due to the manner in which the information is maintained, such as when the information is on paper records that cannot be destroyed without also destroying other information which is still necessary for business operations. The disposal of records, both physical and digital, can result in exposure of customer information if not performed properly.\102\ Similarly, if records are retained when they are no longer necessary, there is a risk that those records will be subject to unauthorized access. This amendment would require financial institutions to reduce both of those risks by designing procedures to dispose of records that are no longer necessary and to do so securely and in a timely manner. The proposed amendment does not define ``legitimate business purposes,'' as the Commission feels that the wide array of business models of financial institutions under its jurisdiction defies any such attempt. --------------------------------------------------------------------------- \101\ Proposed 16 CFR 314.4(c)(8). This proposed amendment is based on Model Law, Section D(2)(k), but adds additional language from 23 NYCRR 500.13, which requires disposal of information that is no longer necessary for business operation or other legitimate business purposes, but provides an exception where disposal is not feasible. \102\ See, e.g., Rite Aid Corp., FTC No. 072-3121 (November 22, 2010) (alleging that company failed to provide reasonable data security when it failed to implement policies and procedures to dispose securely of personal information). --------------------------------------------------------------------------- The Commission seeks comment on whether the Rule should define legitimate business purposes to exclude certain uses of customer information, require the destruction of certain types of data after a fixed period, or require financial institutions to affirmatively demonstrate a current need for customer information that is retained. The Commission also seeks comment on whether the proposed amendment should include a requirement to develop procedures to limit the collection of customer information that is not necessary for business operation or other legitimate business purposes. Proposed paragraph (c)(9) would require financial institutions to adopt procedures for change management.\103\ Change management procedures govern the addition, removal, or modification of elements of an information system.\104\ Under the proposed amendment, financial institutions would need to develop procedures to assess the security of devices, networks, and other items to be added to their information system or the effect of removing such items or otherwise modifying the information system. For example, a financial institution that acquired a new subsidiary and wished to combine the new subsidiary's network with its own would be required to assess the security of the new network and the effect of adding it to the existing network. Although the Commission believes the proposed approach is sufficiently balanced, it seeks comment on whether the proposal may be more stringent than [[Page 13168]] necessary to achieve the objective, or unnecessarily modifies the current rule without creating a material benefit to security. --------------------------------------------------------------------------- \103\ Proposed 16 CFR 314.4(c)(9). This proposed amendment is unique to this proposal and is not based on the Cybersecurity Regulations or the Model Law. \104\ See, e.g., Rutgers Information Security, Change Management, https://rusecure.rutgers.edu/content/change-management. --------------------------------------------------------------------------- Proposed paragraph (c)(10) would require financial institutions to implement policies and procedures designed ``to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users.'' \105\ In addition to threats posed by outside actors, authorized users such as employees and contractors can pose a substantial risk to the security of customer information.\106\ This amendment would require financial institutions to take steps to monitor those users and their activities related to customer information in a manner adapted to the financial institution's particular operations and needs. The monitoring should allow financial institutions to identify inappropriate use of customer information by authorized users, such as transferring large amounts of data or accessing information for which the user has no legitimate use. This requirement is separate from the requirement to maintain ``audit trails,'' which would require logging of unusual events. --------------------------------------------------------------------------- \105\ Proposed 16 CFR 314.4(c)(10). This proposed amendment is based on 23 NYCRR 500.14(a) and is functionally identical. \106\ See, e.g., Complaint, U.S. v. ChoicePoint Inc., No. 1:06- cv-00198-GET (N.D. Ga. January 30, 2006) (alleging that company failed to provide reasonable security when it failed to monitor the activities of authorized users). --------------------------------------------------------------------------- Proposed Paragraph (d) Proposed paragraph (d)(1) would retain the current Rule's requirement that financial institutions ``[r]egularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems.'' \107\ The Commission views testing and monitoring as an integral part of any information security program.\108\ Proposed paragraph (d)(2) provides further guidance noting that the monitoring should take the form of either ``continuous monitoring'' or ``periodic penetration testing and vulnerability assessments.'' Continuous monitoring is any system that allows real- time, ongoing monitoring of an information system's security, including monitoring for security threats, misconfigured systems, and other vulnerabilities.\109\ The Commission seeks comment on whether these required enhancements are appropriate, as well as information about the potential costs or unintended consequences of this proposal. --------------------------------------------------------------------------- \107\ Proposed 16 CFR 314.4(d). This language is based on the current rule's requirement for regular testing, 16 CFR 314.4(c), but adds the requirement for either continuous monitoring or regular penetration testing and vulnerability assessments from 23 NYCRR 500.05. \108\ See, e.g., U.S. v. VTech Electronics Limited, No. 1:18-cv- 00114 (N.D. Ill. Jan. 8, 2018) (alleging that company failed to provide reasonable information security when it failed to monitor its network and failed to perform vulnerability and penetration testing). \109\ Financial institutions that choose the option of continuous monitoring would also be satisfying 314.4(c)(10). --------------------------------------------------------------------------- If a financial institution does not adopt effective continuous monitoring, under the proposed amendments it would be required to engage in periodic penetration testing and vulnerability assessment consisting of no less than annual penetration testing based on the financial institution's risk assessment and biannual vulnerability assessments designed to detect publicly known vulnerabilities.\110\ These tests may be performed directly by the financial institution or by third-party assessors, as long as they are designed to assess the systems that contain or can be used to access customer information and are performed effectively. The schedule of this required testing aligns with the requirements of the Cybersecurity Regulations. The Commission seeks comment on whether this schedule of penetration testing and vulnerability assessment is appropriate or whether the Rule should require these tasks to be performed more or less frequently. In particular, the Commission is interested in any data, research or case studies that the Commission could use to analyze what commenters advocate. --------------------------------------------------------------------------- \110\ Proposed 16 CFR 314.4(d)(1) and (2). --------------------------------------------------------------------------- Proposed Paragraph (e) Proposed paragraph (e) would require financial institutions to implement policies and procedures ``to ensure that personnel are able to enact [the financial institution's] information security program'' through various forms of training and education.\111\ Training of employees is a critical part of information security, as employees will be the ones enforcing and implementing any information security program.\112\ First, financial institutions would be required to provide their personnel with ``security awareness training that is updated to reflect risks identified by the risk assessment.'' \113\ This requirement would apply to all personnel that have the ability to handle, access, or dispose of customer information. The training would be designed to inform personnel of the risks to customer information and the financial institution's policies and procedures to minimize those risks.\114\ --------------------------------------------------------------------------- \111\ Proposed 16 CFR 314.4(e). \112\ See, e.g., Complaint, Lenovo, FTC No. 152-3134 (January 2, 2018) (alleging that company failed to provide reasonable security by failing to provide adequate data security training for employees responsible for testing third-party software); Complaint, HTC America Inc., FTC No. 122 3049 (July 2, 2013) (alleging that company failed to implement adequate privacy and security guidance or training for its engineering staff). \113\ Proposed 16 CFR 314.4(e)(1). This proposed amendment is based on 23 NYCRR 500.14(b) and is functionally identical. \114\ The Commission offers educational material on data security that can aid financial institutions in developing training materials for their employees. See, e.g., FTC Business Center, Data Security, https://www.ftc.gov/tips-advice/business-center/privacy-and-security/data-security. --------------------------------------------------------------------------- Second, financial institutions would be required to ``[u]tiliz[e] qualified information security personnel,'' employed either by them or by affiliates or service providers, ``to manage [their] information security risks and to perform or oversee the information security program.'' \115\ This amendment is designed to ensure that information security personnel used by financial institutions are qualified for their positions and that sufficient personnel are used. --------------------------------------------------------------------------- \115\ Proposed 16 CFR 314.4(e)(2). This proposed amendment is based on 23 NYCRR 500.10(a)(1) and is functionally identical. --------------------------------------------------------------------------- Third, financial institutions would be required to ``[p]rovid[e] information security personnel with security updates and training sufficient to address relevant security risks.'' \116\ Maintaining awareness of emerging threats and vulnerabilities is a critical aspect of information security that the Commission believes was already a part of any information security program that complies with the existing Safeguards Rule. This amendment formalizes the requirement that financial institutions provide information security personnel with ongoing training to stay abreast of such developments. It is separate from the requirement to train all personnel generally, reflected in paragraph (e)(1). --------------------------------------------------------------------------- \116\ Proposed 16 CFR 314.4(e)(3). This proposed amendment is based on 23 NYCRR 500.10(a)(2) and is functionally identical. --------------------------------------------------------------------------- Fourth, financial institutions would be required to ``[v]erify[ ] that key information security personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.'' \117\ For example, a financial institution could offer incentives or funds for key personnel to undertake continuing education that addresses recent developments, include a requirement to stay abreast of security [[Page 13169]] research as part of their performance metrics, or conduct an annual assessment of key personnel's knowledge of threats related to their information system. This requirement would be in addition to the proposed requirement that data security personnel be provided ongoing training. The proposed amendment does not define ``key personnel'' as the Commission believes that which personnel are ``key'' will vary considerably from entity to entity and that each financial institution will need to determine which employees must maintain this knowledge based on their structure and risk assessments. In most cases, though, the Commission believes that at a minimum the CISO and senior cybersecurity personnel would be covered by this amendment. Although the Commission believes the proposed approach is sufficiently flexible, it seeks comment on whether these proposals create unintended consequences for businesses, may be more stringent than necessary to achieve the objective, and/or unnecessarily modifies the current rule without creating a material benefit to security. In particular, the Commission is interested in any data, research or case studies that the Commission could use to analyze what commenters advocate. --------------------------------------------------------------------------- \117\ Proposed 16 CFR 314.4(e)(4). This proposed amendment is based on 23 NYCRR 500.10(a)(3) and is functionally identical. --------------------------------------------------------------------------- Proposed Paragraph (f) Proposed paragraph (f) would retain the current Rule's requirement in existing paragraph (d) regarding the oversight of service providers, and add a requirement that financial institutions periodically assess service providers ``based on the risk they present and the continued adequacy of their safeguards.'' \118\ The current Rule requires an assessment of service providers' safeguards only at the onboarding stage; the proposed addition is designed to require financial institutions to monitor their service providers on an ongoing basis to ensure that they are maintaining adequate safeguards to protect customer information that they possess or access.\119\ This ongoing oversight could include investigating red flags raised by service providers' practices or conducting periodic assessments of service provider practices, depending on the circumstances. --------------------------------------------------------------------------- \118\ Proposed 16 CFR 314.4(g). \119\ The proposed addition is based on a similar provision in the Cybersecurity Regulations. 23 NYCRR 500.11(a)(4). --------------------------------------------------------------------------- Proposed Paragraph (g) Proposed paragraph (g) would retain the language of existing paragraph (e) in the current Rule, which would continue to require financial institutions to evaluate and adjust their information security programs in light of the result of testing required by this section, material changes to their operations or business arrangements, or any other circumstances that they know or have reason to know may have a material impact on their information security program.\120\ While proposed paragraph (d) would amplify the testing required under the current Rule, the requirement to evaluate and adjust the program in light of such testing remains the same. --------------------------------------------------------------------------- \120\ Proposed 16 CFR 314.4(g). --------------------------------------------------------------------------- Proposed Paragraph (h) Proposed paragraph (h) would require financial institutions to establish incident response plans.\121\ The written response plans would be required to be ``designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information'' in the financial institution's possession. The amendment would require the incident response plans to address the following areas: 1. The goals of the incident response plan; 2. the internal processes for responding to a security event; 3. the definition of clear roles, responsibilities and levels of decision-making authority; 4. external and internal communications and information sharing; 5. identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; 6. documentation and reporting regarding security events and related incident response activities; and 7. the evaluation and revision as necessary of the incident response plan following a security event. The proposed incident response plan requirement focuses on preparing financial institutions to respond promptly and appropriately to security events and to mitigate any weaknesses in their information systems accordingly. It is not intended to create any independent reporting or notification requirements, nor to conflict with any such requirements to which financial institutions are already subject. The proposed requirement regarding ``documentation and reporting regarding security events and related incident response activities'' would require incident response plans to document any notification or reporting requirements imposed by other federal or state laws, but does not in itself impose any such requirement. --------------------------------------------------------------------------- \121\ Proposed 16 CFR 314.4(h). This proposed amendment is based on 23 NYCRR 500.16. The proposed amendment, however, requires the plan to address situations when customer information has been compromised, rather than a portion of the financial institution's information system. In addition, proposed section 314.4(h) does not require the incident response plan to address the continuing functionality of any aspect of the financial institution's business or operations, as continuity of operations is not relevant to Congress' mandate under the GLBA, which is to protect customer information. --------------------------------------------------------------------------- The Commission seeks comment on whether the proposed amendment should require that financial institutions report security events to the Commission. The Cybersecurity Regulations require covered entities to report security events to the superintendent of the Department of Financial Services, but the proposed rule does not have a similar provision. The Commission seeks comment on whether such a provision should be added and, if so, what the elements of such a provision should be. Specifically, the Commission seeks comment on 1. the appropriate deadline for reporting security events after discovery; 2. whether all security events should require notification or whether notification should be required only under certain circumstances, such as a determination of a likelihood of harm to customers or that the event affects a certain number of customers; 3. whether such reports should be made public; 4. whether the events involving encrypted information should be included in the requirement; and 5. whether the requirement should allow law enforcement agencies to prevent or delay notification if notification would affect law-enforcement investigations. In addition to seeking comment on the content of the plan, the Commission seeks comment on whether the proposed amendment would conflict with breach notification or reporting laws already in existence. Some states have enacted breach notification laws that exempt companies that maintain breach response procedures that are compliant with certain federal regulations from having to meet the requirements of the state's breach notification law. For example, Delaware's breach notification law states: A person that is regulated by state or federal law, including . . . the Gramm Leach Bliley Act . . . and that maintains procedures for a breach of security pursuant to the laws, rules, regulations, guidance, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with this chapter if the person notifies affected Delaware residents in accordance with the [[Page 13170]] maintained procedures when a breach of security occurs.\122\ --------------------------------------------------------------------------- \122\ Del. Code tit. 6, section 12B-103(b). The Commission seeks comment on whether the introduction of the proposed requirement for an incident response plan would cause financial institutions to be exempt from this, or similar, state breach notification laws, and if so, how this should affect the Commission's decision about whether to require an incident response plan in the Rule.\123\ --------------------------------------------------------------------------- \123\ The Commission is not proposing adding an independent breach notification to the Rule. A federal standard under GLB would be largely redundant because of state breach notification laws and because a requirement under the Rule would have limited effect, because the Commission cannot obtain civil penalties for violations of the Rule. The Commission, however, seeks comments on whether adding a breach notification requirement to the Rule would benefit consumers. --------------------------------------------------------------------------- Proposed Paragraph (i) Proposed paragraph (i) would require a financial institution's CISO to ``report in writing, at least annually, to [the financial institution's] board of directors or equivalent governing body'' regarding the following information: 1. The overall status of the information security program and financial institution's compliance with the Safeguards Rule; and 2. material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.\124\ For financial institutions that do not have a board of directors or equivalent, the CISO must make the report to a senior officer responsible for the financial institution's information security program. This amendment is designed to ensure that the governing body of the financial institution is engaged with and informed about the state of the financial institution's information security program. Likewise, an annual written report may create accountability for the CISO by requiring the CISO to set forth the status of information security program for the governing body. The Commission requests comment on whether the burden of a required annual report would outweigh the benefits, whether the report should have other required components, or whether particular components are unnecessary. --------------------------------------------------------------------------- \124\ Proposed 16 CFR 314.4(i). This proposed amendment is based on 23 NYCRR 500.04(b), but borrows from the Model Law the requirements for the contents of the annual report. Model Law, Section E(2). The Commission believes the language from the Model Law is clearer and tied more directly to the requirements of the proposed amendments. --------------------------------------------------------------------------- In addition, the Commission requests comments on whether the proposed rule should also require the Board or equivalent governing body to certify compliance with the Rule. The Commission seeks comment on whether such a requirement would appropriately increase the engagement of the governing body of the financial institution in the information security program or whether it would create too much burden on financial institutions to independently assess the program. The Commission also requests comment on how such a requirement would impact corporate governance; what precedents exist for federally- mandated board reporting on specific management issues, and analyses of their efficacy; and what effect requiring reporting to the board or certification by it would have. Proposed Amendments to Section 314.5: Effective Date This proposed amendment replaces the existing effective date of the Rule. In its place, this amendment provides that certain elements of the information security program would not be required until six months after the publication of a final rule rather than immediately upon publication. The paragraphs that would have a delayed effective date are: 314.4(a), related to the appointment of a CISO; 314.4(b)(1), relating to conducting a written risk assessment; 314.4(c)(1)-(10), setting forth the new elements of the information security program; 314.4(d)(2), requiring continuous monitoring or annual penetration testing and biannual vulnerability assessment; 314.4(e), requiring training for personnel; 314.4(f)(3), requiring periodic assessment of service providers; 314.4(h), requiring a written incident response plan; and 314.4(i), requiring annual written reports from the CISO. The effective date of these elements would be delayed because financial institutions may need to take steps to bring their information security programs into compliance with these new requirements. All other requirements under the Safeguards Rule would remain in effect during this six-month period. The elements that would be required immediately upon publication are ones that are already required under the current Rule, such as the requirement to have a written security program (314.3(a)); to conduct a risk assessment (314.4(b)); to design and implement safeguards to control the risks identified in the risk assessment (314.4(c)); to regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures (314.4(d)(1)); to oversee service providers at the onboarding stage (314.4(f)); and to evaluate and adjust the security program in light of the results of testing and monitoring (314.4(g)). These remaining requirements largely mirror the requirements of the existing Rule. The Commission requests comment on this approach. Proposed Section 314.6: Exceptions Proposed section 314.6 is a new section that would exempt financial institutions that maintain relatively small amounts of customer information from certain requirements of the amended Safeguards Rule. The exceptions would apply to financial institutions that maintain customer information concerning fewer than five thousand consumers.\125\ Such financial institutions would not be required to comply with the following subsections: 314.4(b)(1), requiring a written risk assessment; 314.4(d)(2), requiring continuous monitoring or annual penetration testing and biannual vulnerability assessment; 314.4(h), requiring a written incident response plan; and 314.4(i), requiring an annual written report by the CISO. This proposed section is intended to reduce the burden on smaller financial institutions. The Commission believes that the paragraphs subject to this exemption are the ones that are most likely to cause undue burden on smaller financial institutions. For example, requiring continuous monitoring or a set schedule of testing might be too expensive, depending on the circumstances. --------------------------------------------------------------------------- \125\ Proposed 16 CFR 314.6. --------------------------------------------------------------------------- The remaining sections of the amended Safeguards Rule would apply to these smaller financial institutions in the same way as other financial institutions. Exempted financial institutions would still need to conduct risk assessments (314.4(b)), design and implement a written information security program with the required elements (314.3 and 314.4(c)), utilize qualified information security personnel and train employees (314.4(e)), monitor activity of authorized users (314.4(c)(10)), oversee service providers (314.4(f)), and evaluate and adjust their information security program (314.4(g)). The Commission seeks comment on whether such exceptions are appropriate or whether all financial institutions should be required to comply with all of the proposed amendments. The Commission also [[Page 13171]] seeks comment on whether the exempted paragraphs are appropriate. Finally, the Commission seeks comment on whether the use of the number of customers concerning whom the financial institution retains customer information is the most effective way to determine which financial institutions should be exempted and if so, whether five thousand is an appropriate number. IV. Request for Comment You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before June 3, 2019. Write ``Safeguards Rule, 16 CFR part 314, Project No. 145407'' on the comment. Your comment, including your name and your state, will be placed on the public record of this proceeding, including the https://www.regulations.gov website. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comment online. To make sure that the Commission considers your online comment, you must file it at https://www.regulations.gov by following the instructions on the web-based form. If you file your comment on paper, write ``Safeguards Rule, 16 CFR part 314, Project No. P145407'' on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024. If possible, please submit your paper comment to the Commission by courier or overnight service. Because your comment will be placed on the publicly accessible website, https://www.regulations.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ``trade secret or any commercial or financial information which . . . is privileged or confidential,'' as provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2), including in particular, competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comments to be withheld from the public record.\126\ Your comment will be kept confidential only if the FTC General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the www.regulations.gov website, we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request. --------------------------------------------------------------------------- \126\ See 16 CFR 4.9(c). --------------------------------------------------------------------------- Visit the Commission website at https://www.ftc.gov to read this document and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before June 3, 2019. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy. IV. Communications by Outside Parties to the Commissioners or Their Advisors Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding, from any outside party to any Commissioner or Commissioner's advisor, will be placed on the public record.\127\ --------------------------------------------------------------------------- \127\ See 16 CFR 1.26(b)(5). --------------------------------------------------------------------------- V. Paperwork Reduction Act The Paperwork Reduction Act (``PRA''), 44 U.S.C. chapter 35, requires federal agencies to seek and obtain OMB approval before undertaking a collection of information directed to ten or more persons.\128\ A ``collection of information'' occurs when ten or more persons are asked to report, provide, disclose, or record information in response to ``identical questions.'' \129\ Applying these standards, neither the Safeguards Rule nor the proposed amendments constitute a ``collection of information.'' \130\ The Rule calls upon affected financial institutions to develop or strengthen their information security programs in order to provide reasonable safeguards. Under the Rule, each financial institution's safeguards will vary according to its size and complexity, the nature and scope of its activities, and the sensitivity of the information involved. For example, a financial institution with numerous employees would develop and implement employee training and management procedures beyond those that would be appropriate or reasonable for a sole proprietorship, such as an individual tax preparer or mortgage broker. Similarly, a financial institution that shares customer information with numerous service providers would need to take steps to ensure that such information remains protected, while a financial institution with no service providers would not need to address this issue. Thus, although each financial institution must summarize its compliance efforts in one or more written documents, the discretionary balancing of factors and circumstances that the Rule allows--including the myriad operational differences among businesses that it contemplated--does not require entities to answer ``identical questions'' and therefore does not trigger the PRA's requirements. --------------------------------------------------------------------------- \128\ 44 U.S.C. 3502(3)(A)(i). \129\ See 44 U.S.C. 3502(3)(A). \130\ See 67 FR 36484, 36491 (May 23, 2002). --------------------------------------------------------------------------- The proposed amendments would not change this analysis because they would retain the existing Rule's process-based approach, allowing financial institutions to tailor their programs to reflect the financial institutions' size, complexity, and operations, and to the sensitivity and amount of customer information they collect. For example, the proposed amendment to section 314.4(b) would require a written risk assessment, but each risk assessment will reflect the particular structure and operation of the financial institution and, though each assessment must include certain criteria, these are only general guidelines and do not consist of ``identical questions.'' Similarly, the proposed amendment to section 314.4(h), which would require a written [[Page 13172]] incident response plan, is only an extension of the preexisting requirement of a written information security plan and would necessarily vary significantly based on factors such as the financial institution's internal procedures, which officials within the financial institution have decision-making authority, how the financial institution communicates internally and externally, and the structure of the financial institution's information systems. Likewise, the proposed requirement for CISOs to produce annual reports under proposed section 314.4(i) does not consist of answers to identical questions, as the content of these reports would vary considerably between financial institutions and CISOs are given flexibility in deciding what to include in the reports. Finally, the proposed amendments that would modify the definition of ``financial institution'' to include ``activities incidental to financial activities'' and therefore bring finders under the scope of the Rule do not constitute a ``collection of information,'' and therefore would not trigger the PRA's requirements. VI. Regulatory Flexibility Act The Regulatory Flexibility Act (RFA), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities.\131\ The Commission does not expect that this Rule, if adopted, would have the threshold impact on small entities. First, most of the burdens flow from the mandates of the Act, not from the specific provisions of the proposed Rule. Second, the proposed Rule imposes requirements that are scalable according to the size and complexity of each institution, the nature and scope of its activities, and the sensitivity of its information. Thus, the burden is likely to be less on small institutions, to the extent that their operations are smaller or less complex. In addition, smaller entities are exempted from many requirements of the proposed amendments. Nonetheless, the Commission has determined that it is appropriate to publish an Initial Regulatory Flexibility Analysis in order to inquire into the impact of the proposed Rule on small entities. The Commission invites comment on the burden on any small entities that would now be covered, but previously were not covered, if the definition of ``financial institution'' is modified as proposed, and the burden on small entities created by the other proposed amendments. The Commission has prepared the following analysis. --------------------------------------------------------------------------- \131\ 5 U.S.C. 603 et seq. --------------------------------------------------------------------------- 1. Reasons for the Proposed Rule The Commission proposes to make the rule clearer by including a definition of ``financial institution'' and related examples in the Safeguards Rule rather than cross-referencing them from the Privacy Rule. The Commission also proposes expanding the definition of ``financial institution'' in the Rule to include entities that are engaged in activities that are incidental to financial activities. This change would bring ``finders'' within the scope of the Rule. This change would harmonize the Rule with other agencies' rules and would require finders that collect consumers' sensitive financial information to comply with the Safeguards Rule's process-based approach to protect that data. In addition, the Commission proposes to modify the Safeguards Rule to include more detailed requirements for the information security program required by the Rule. The Rule would continue to be process- based and flexible based on the financial institution's size and complexity. The Commission does propose to exempt smaller institutions from certain requirements that require additional written product and might pose a greater burden on smaller entities. 2. Statement of Objectives and Legal Basis The objectives of the proposed Rule are discussed above. The legal basis for the proposed rule is section 501(b) of the GLBA. 3. Description of Small Entities to Which the Rule Will Apply Determining a precise estimate of the number of small entities \132\--including newly covered entities under the modified definition of financial institution--is not readily feasible. Financial institutions already covered by the existing Rule include lenders, financial advisors, loan brokers and servicers, collection agencies, financial advisors, tax preparers, and real estate settlement services, to the extent that they have ``customer information'' within the meaning of the Rule. If the proposed Rule is finalized, finders will also be covered. However, it is not known whether any finders are small entities, and if so, how many there are. The Commission requests comment and information on the number of ``finders'' that would be covered by the Rule's modified definition of ``financial institution,'' and how many of those finders, if any, are small entities. --------------------------------------------------------------------------- \132\ The U.S. Small Business Administration Table of Small Business Size Standards Matched to North American Industry Classification System Codes (``NAICS'') are generally expressed in either millions of dollars or number of employees. A size standard is the largest that a business can be and still qualify as a small business for Federal Government programs. For the most part, size standards are the annual receipts or the average employment of a firm. Depending on the nature of the financial services an institution provides, the size standard varies. By way of example, mortgage and nonmortgage loan brokers (NAICS code 522310) are classified as small if their annual receipts are $7.5 million or less. Consumer lending institutions (NAICS code 52291) are classified as small if their annual receipts are $38.5 million or less. Commercial banking and savings institutions (NAICS codes 522110 and 522120) are classified as small if their assets are $550 million or less. Assets are determined by averaging the assets reported on its four quarterly financial statements for the preceding year. The 2017 Table of Small Business Size Standards is available at https://www.sba.gov/sites/default/files/files/Size_Standards_Table_2017.pdf. --------------------------------------------------------------------------- 4. Projected Reporting, Recordkeeping, and Other Compliance Requirements The proposed Rule does not impose any reporting or any specific recordkeeping requirements within the meaning of the PRA, as discussed herein. With regard to other compliance requirements, the proposed addition of definitions and examples from the Privacy Rule is not expected to have an impact on covered financial institutions, including those that may be small entities, if any. (The preceding section of this analysis discusses classes of covered financial institutions that may qualify as small entities.) The proposed addition of ``finders'' to the definition of financial institutions will impose the obligations of the Rule on entities that engage in ``finding'' activity and also collect customer information. The proposed addition of more detailed requirements may require some financial institutions to perform additional risk assessments, monitoring, or to create additional safeguards as set forth in the proposed Rule. These obligations will require employees or third-party service providers with skills in information security, but the Commission believes that most financial institutions will have already complied with many parts of the proposed rule as part of their information security programs already required under the existing Rule. There may be additional related compliance costs (e.g., legal, new equipment or systems, modifications to policies or procedures), but in the absence of supporting data, [[Page 13173]] the Commission is unable to provide a complete or specific cost estimate. The Commission invites comment on the costs of the amended Rule for small entities to comply and to newly covered financial institutions (finders) of establishing and operating an information security program for such entities, to the extent, if any, they are small entities. 5. Identification of Duplicative, Overlapping, or Conflicting Federal Rules As mentioned above, the Commission is proposing to incorporate the definition of ``financial institution'' and the accompanying examples from the Privacy Rule to the Safeguards Rule. This modification will have no substantive effect on the scope of the Rule or its enforcement. The change is designed only to increase the clarity of the Rule. The Commission believes that incorporating this definition will not cause any additional burden on covered entities. Separately, as also noted above, the Commission proposes to revise the definition of ``financial institution'' to cover finders. The Commission is requesting comment on the extent to which other federal standards involving privacy or security or information may duplicate and/or satisfy or possibly conflict with the Rule's requirements for newly covered financial institutions. The Commission is also proposing amending the Rule to include more detailed requirements for the written information security plan required by the Rule. The Commission does not believe that the proposed amendments would conflict with any existing data security regulations, such as the Health Insurance Portability and Accountability Act Security Rule.\133\ The Commission is requesting comment on the extent to which other federal standards involving privacy or security or information may duplicate and/or satisfy or possibly conflict with the proposed amendments to the Rule. --------------------------------------------------------------------------- \133\ 45 CFR part 160; 45 CFR part 164, subparts A and C. --------------------------------------------------------------------------- 6. Discussion of Significant Alternatives The standards in the proposed Rule allow a small financial institution to develop an information security program that is appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. The Commission is proposing to include certain design standards (e.g., a company must implement encryption, authentication, incident response) in the Rule, in addition to the performance standards (reasonable security) that the Rule currently uses. As discussed, while these design standards may introduce some additional burden, the Commission believes that the additional burden will be minimal, as most information security programs under the Rule already meet most of these requirements. In addition, the proposed requirements are still designed to allow financial institutions flexibility in how and whether they should be implemented. For example, the requirement that encryption be used to protect customer information in transit and at rest may be met with effective alternative compensating controls if they are infeasible for a given financial institution. In addition, the Proposed Rule exempts financial institutions that maintain relatively small amounts of customer information from certain requirements of the amended Safeguards Rule. The exceptions would apply to financial institutions that maintain customer information concerning fewer than five thousand consumers. The Commission believes that exempted financial institutions will generally be small entities. Such financial institutions would not be required to perform a written risk assessment, conduct continuous monitoring or annual penetration testing and biannual vulnerability assessment, prepare a written incident response plan, or prepare an annual written report by the CISO. These proposed exemptions are intended to reduce the burden on smaller financial institutions. The Commission believes that the obligations subject to this exemption are the ones that are most likely to cause undue burden on smaller financial institutions. Exempted financial institutions will still need to conduct risk assessments, design and implement a written information security program with the required elements, utilize qualified information security personnel and train employee, monitor activity of authorized users, oversee service providers, and evaluate and adjust their information security program. These are core obligations under the Rule that any financial institution that collects customer information must meet, regardless of size. The Commission welcomes comment on any significant alternative consistent with the GLBA that would minimize the impact on small entities of these proposed amendments, including institutions that would be newly covered under the amended definition of ``financial institution.'' List of Subjects in 16 CFR Part 314 Consumer protection, Credit, Data protection, Privacy, Trade practices. For the reasons stated above, the Federal Trade Commission proposes to amend 16 CFR part 314 as follows: PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION 0 1. The authority citation for part 314 continues to read as follows: Authority: 15 U.S.C. 6801(b), 6805(b)(2). 0 2. Revise Sec. 314.1(b) to read as follows: Sec. 314.1 Purpose and scope. * * * * * (b) Scope. This part applies to the handling of customer information by all financial institutions over which the Federal Trade Commission (``FTC'' or ``Commission'') has jurisdiction. Namely, this part applies to those ``financial institutions'' over which the Commission has rulemaking authority pursuant to section 501(b) of the Gramm-Leach-Bliley Act. An entity is a ``financial institution'' if its business is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k), which cross- references activities enumerated by the Federal Reserve Board in 12 CFR 225.28 and 12 CFR 225.86. The ``financial institutions'' subject to the Commission's enforcement authority are those that are not otherwise subject to the enforcement authority of another regulator under Section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. 6805. More specifically, those entities include, but are not limited to, mortgage lenders, ``pay day'' lenders, finance companies, mortgage brokers, account servicers, check cashers, wire transferors, travel agencies operated in connection with financial services, collection agencies, credit counselors and other financial advisors, tax preparation firms, non-federally insured credit unions, investment advisors that are not required to register with the Securities and Exchange Commission, and entities acting as finders. They are referred to in this part as ``You.'' This part applies to all customer information in your possession, regardless of whether such information pertains to individuals with whom you have a customer relationship, or pertains to the customers of other financial institutions that have provided such information to you. 0 3. Revise Sec. 314.2 to read as follows: [[Page 13174]] Sec. 314.2 Definitions. (a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Commission's rule governing the Privacy of Consumer Financial Information, 16 CFR part 313. (b) Authorized user means any employee, contractor, agent, or other person that participates in your business operations and is authorized to access and use any of your information systems and data. (c) Security event means an event resulting in unauthorized access to, or disruption or misuse of, an information system or information stored on such information system. (d) Customer information means any record containing nonpublic personal information, as defined in 16 CFR 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates. (e) Encryption means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key. (f)(1) Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution. (2) Examples of financial institutions. (i) A retailer that extends credit by issuing its own credit card directly to consumers is a financial institution because extending credit is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F), and issuing that extension of credit through a proprietary credit card demonstrates that a retailer is significantly engaged in extending credit. (ii) An automobile dealership that, as a usual part of its business, leases automobiles on a nonoperating basis for longer than 90 days is a financial institution with respect to its leasing business because leasing personal property on a nonoperating basis where the initial term of the lease is at least 90 days is a financial activity listed in 12 CFR 225.28(b)(3) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F). (iii) A personal property or real estate appraiser is a financial institution because real and personal property appraisal is a financial activity listed in 12 CFR 225.28(b)(2)(i) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F). (iv) A career counselor that specializes in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company is a financial institution because such career counseling activities are financial activities listed in 12 CFR 225.28(b)(9)(iii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F). (v) A business that prints and sells checks for consumers, either as its sole business or as one of its product lines, is a financial institution because printing and selling checks is a financial activity that is listed in 12 CFR 225.28(b)(10)(ii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F). (vi) A business that regularly wires money to and from consumers is a financial institution because transferring money is a financial activity referenced in section 4(k)(4)(A) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(A), and regularly providing that service demonstrates that the business is significantly engaged in that activity. (vii) A check cashing business is a financial institution because cashing a check is exchanging money, which is a financial activity listed in section 4(k)(4)(A) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(A). (viii) An accountant or other tax preparation service that is in the business of completing income tax returns is a financial institution because tax preparation services is a financial activity listed in 12 CFR 225.28(b)(6)(vi) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G). (ix) A business that operates a travel agency in connection with financial services is a financial institution because operating a travel agency in connection with financial services is a financial activity listed in 12 CFR 225.86(b)(2) and referenced in section 4(k)(4)(G) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(G). (x) An entity that provides real estate settlement services is a financial institution because providing real estate settlement services is a financial activity listed in 12 CFR 225.28(b)(2)(viii) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F). (xi) A mortgage broker is a financial institution because brokering loans is a financial activity listed in 12 CFR 225.28(b)(1) and referenced in section 4(k)(4)(F) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(F). (xii) An investment advisory company and a credit counseling service are each financial institutions because providing financial and investment advisory services are financial activities referenced in section 4(k)(4)(C) of the Bank Holding Company Act, 12 U.S.C. 1843(k)(4)(C). (xiii) A company acting as a finder in bringing together one or more buyers and sellers of any product or service for transactions that the parties themselves negotiate and consummate is a financial institution because acting as a finder is an activity that is financial in nature or incidental to a financial activity listed in 12 CFR 225.86(d)(1). (3) Financial institution does not include: (i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.); (ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); (iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights) or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party other than as permitted by sections 313.14 and 313.15; or (iv) Entities that engage in financial activities but that are not significantly engaged in those financial activities, and entities that engage in activities incidental to financial activities but that are not significantly engaged in activities incidental to financial activities. (4) Examples of entities that are not significantly engaged in financial activities. (i) A retailer is not a financial institution if its only means of extending credit are occasional ``lay away'' and deferred payment plans or accepting payment by means of credit cards issued by others. [[Page 13175]] (ii) A retailer is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue. (iii) A merchant is not a financial institution merely because it allows an individual to ``run a tab.'' (iv) A grocery store is not a financial institution merely because it allows individuals to whom it sells groceries to cash a check, or write a check for a higher amount than the grocery purchase and obtain cash in return. (g) Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information. (h) Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/ process controls systems, telephone switching and private branch exchange systems, and environmental controls systems. (i) Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; or (3) Inherence factors, such as biometric characteristics. (j) Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an information system by attempting penetration of databases or controls from outside or inside your information systems. (k) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part. 0 4. Revise Sec. 314.3(a) as follows: Sec. 314.3 Standards for safeguarding customer information. (a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. The information security program shall include the elements set forth in section 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section. * * * * * 0 5. Revise Sec. 314.4 as follows: Sec. 314.4 Elements. In order to develop, implement, and maintain your information security program, you shall: (a) Designate a qualified individual responsible for overseeing and implementing your information security program and enforcing your information security program (for purposes of this part, ``Chief Information Security Officer'' or ``CISO''). The CISO may be employed by you, an affiliate, or a service provider. To the extent this requirement is met using a service provider or an affiliate, you shall: (1) Retain responsibility for compliance with this part; (2) Designate a senior member of your personnel responsible for direction and oversight of the CISO; and (3) Require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this Part. (b) Base your information security program on a risk assessment that identifies reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assesses the sufficiency of any safeguards in place to control these risks. (1) The risk assessment shall be written and shall include: (i) Criteria for the evaluation and categorization of identified security risks or threats you face; (ii) Criteria for the assessment of the confidentiality, integrity, and availability of your information systems and customer information, including the adequacy of the existing controls in the context of the identified risks or threats you face; and (iii) Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the information security program will address the risks. (2) You shall periodically perform additional risk assessments that reexamine the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and reassess the sufficiency of any safeguards in place to control these risks. (c) Design and implement safeguards to control the risks you identity through risk assessment, including: (1) Place access controls on information systems, including controls to authenticate and permit access only to authorized individuals to protect against the unauthorized acquisition of customer information and to periodically review such access controls; (2) Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy; (3) Restrict access at physical locations containing customer information only to authorized individuals; (4) Protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest. To the extent you determine that encryption of customer information, either in transit over external networks or at rest, is infeasible, you may instead secure such customer information using effective alternative compensating controls reviewed and approved by your CISO; (5) Adopt secure development practices for in-house developed applications utilized by you for transmitting, accessing, or storing customer information and procedures for evaluating, assessing, or testing the security of externally developed applications you utilize to transmit, access, or store customer information; (6) Implement multi-factor authentication for any individual accessing customer information. Multi-factor authentication shall be utilized for any individual accessing your internal networks that contain customer information, unless your CISO has approved in writing the use of reasonably equivalent or more secure access controls; (7) Include audit trails within the information security program designed to detect and respond to security events; (8) Develop, implement, and maintain procedures for the secure disposal of customer information in any format that is no longer necessary for business operations or for other legitimate business purposes, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably [[Page 13176]] feasible due to the manner in which the information is maintained; (9) Adopt procedures for change management; and (10) Implement policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information by such users. (d)(1) Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. (2) The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring or other systems to detect, on an ongoing basis, changes in information systems that may create vulnerabilities, you shall conduct: (i) Annual penetration testing of your information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and (ii) Biannual vulnerability assessments, including any systemic scans or reviews of information systems reasonably designed to identify publicly known security vulnerabilities in your information systems based on the risk assessment. (e) Implement policies and procedures to ensure that personnel are able to enact your information security program by: (1) Providing your personnel with security awareness training that is updated to reflect risks identified by the risk assessment; (2) Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program; (3) Providing information security personnel with security updates and training sufficient to address relevant security risks; and (4) Verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures. (f) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; (2) Requiring your service providers by contract to implement and maintain such safeguards; and (3) Periodically assessing your service providers based on the risk they present and the continued adequacy of their safeguards. (g) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (d) of this section; any material changes to your operations or business arrangements; the results of risk assessments performed under paragraph (b)(2) of this section; or any other circumstances that you know or have reason to know may have a material impact on your information security program; (h) Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information in your possession. Such incident response plan shall address the following areas: (1) The goals of the incident response plan; (2) The internal processes for responding to a security event; (3) The definition of clear roles, responsibilities and levels of decision-making authority; (4) External and internal communications and information sharing; (5) Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (6) Documentation and reporting regarding security events and related incident response activities; and (7) The evaluation and revision as necessary of the incident response plan following a security event. (i) Require your CISO to report in writing, at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information: (1) The overall status of the information security program and your compliance with this Rule; and (2) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program. 0 6. Revise Sec. 314.5 to read as follows: Sec. 314.5 Effective date. Sections 314.4(a), 314.4(b)(1), 314.4(c)(1)-(10), 314.4(d)(2), 314.4(e), 314.4(f)(3), 314.4(h), and 314.4(i) are effective as of [six months after publication of the final rule]. 0 7. Add Sec. 314.6, to read as follows: Sec. 314.6 Exceptions. Sections 314.4(b)(1), 314.4(d)(2), 314.4(h), and 314.4(i) do not apply to financial institutions that maintain customer information concerning fewer than five thousand consumers. By direction of the Commission, Commissioner Phillips and Commissioner Wilson dissenting. April J. Tabor, Acting Secretary. [Note: The following Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson will not appear in the Code of Federal Regulations.] Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson March 5, 2019 Today the Commission seeks public comment on a notice of proposed rulemaking (``NPRM'') to change the Standards for Safeguarding Customer Information (``Safeguards Rule'' or ``Rule'') under the Gramm-Leach-Bliley Act (``GLBA''). Recent high-profile data breaches underscore the importance of effective data security, which is why we strongly support the Commission's renewed calls for federal data security legislation.\1\ We also share this Administration's goal of reducing regulation and controlling compliance costs. Any new regulation, even regarding a critical issue like data security, must be handled with care to avoid stifling innovation or entrenching incumbents. --------------------------------------------------------------------------- \1\ See Oversight of the Federal Trade Commission: Hearing Before the Subcomm. on Consumer Protection, Product Safety, Insurance, and Data Security of the S. Comm. on Commerce, Science, and Transportation, 115th Cong. 7 (2018) (statement of the Federal Trade Commission) (``The Commission continues to reiterate its longstanding bipartisan call for comprehensive data security legislation.''); Federal Trade Commission Staff, Comment to the National Telecommunications and Information Administration on Developing the Administration's Approach to Consumer Privacy (Nov. 9, 2018), https://www.ftc.gov/policy/advocacy/advocacy-filings/2018/11/ftc-staff-comment-ntia-developing-administrations-approach. --------------------------------------------------------------------------- Congress mandated data security and privacy for financial institutions in the GLBA and, for the past two decades, it has been the Commission's responsibility to set forth the regulations implementing those requirements. The Rule as written provides direction to financial institutions on how to protect data security--importantly, while not being overly prescriptive--in an area where standards continuously evolve. The current proposal, however, trades flexibility for a more prescriptive approach, potentially [[Page 13177]] handicapping smaller players or newer entrants.\2\ --------------------------------------------------------------------------- \2\ See, e.g., William A. Brock & David S. Evans, The Economics of Regulatory Tiering, 16 Rand J. Econ. 398, 399 (1985) (``[I]mposing uniform regulatory requirements across all types of businesses has a disparate impact on smaller businesses because there are scale economies in regulatory compliance. Scale economies may arise because there are fixed costs of complying with regulations. Larger businesses can average these fixed costs over a larger quantity of output and thereby achieve a competitive advantage over their smaller rivals. [] ] There is evidence that scale economies in compliance are quite extensive for some regulatory requirements.'') (citations omitted). --------------------------------------------------------------------------- As part of our regular process of regulatory review, the Commission first sought comments on updating the Safeguards Rule in September 2016.\3\ When asked about the need for more specific requirements, commenters generally asked to leave the Rule in place, and to avoid more prescriptive regulation. Privacy advocates and an association owned by the largest commercial banks sought more detailed requirements.\4\ Based on that record, and the adoption of several new state laws and regulations regarding data security of financial institutions, the Commission today proposes the latter course. --------------------------------------------------------------------------- \3\ Standards for Safeguarding Customer Information, 81 FR 61632 (Sept. 7, 2016) (to be codified at 16 CFR part 314). Comments are posted at https://www.ftc.gov/policy/public-comments/2016/10/initiative-674. The Commission has assigned each comment a number. \4\ Electronic Privacy Information Center, Comment Letter #30 on the Standards for Safeguarding Customer Information (Nov. 7, 2016); The Clearing House Association LLC, Comment Letter #35 on the Standards for Safeguarding Customer Information (Nov. 21, 2016). --------------------------------------------------------------------------- This approach concerns us for several reasons. First, some of the specific proposals track shortcomings the Commission has identified in its data security enforcement cases and investigations. Not all of these shortcomings concern firms covered by the Safeguards Rule and, in any event, they may not represent a broader trend that warrants a regulatory response. Therefore, it may not be appropriate to mandate such prescriptive standards for all market participants. To the extent that the Commission thinks it is appropriate to elucidate the regulation's reasonable care requirements, we have tools at our disposal--including speeches, testimony, analyses to aid public comment, information about the factors the Commission considered when closing investigations, and reports. Commentary like this can help financial institutions weigh whether precautions are reasonable based on the risks associated with how they use, collect, and store data, without imposing a one- size-fits-all approach. The question to be answered here is whether the existing Safeguards Rule, which addresses the protection of financial information, is inadequate to that purpose. Also important is the question of how firms governed by the Rule operate relative to ones in sectors that are not so governed. Second, the proposed regulations may be premature for two reasons. They are based in substantial part on regulations promulgated two years ago by the New York State Department of Financial Services.\5\ We do not have data about the impact and efficacy of those regulations, so whether to adopt a version of them at the federal level and whether that version should be a floor for or should preempt state-level rules seem like questions worthy of more study. Right now, Congress and the Executive Branch, including the leadership of the Senate committee with jurisdiction over financial institutions, are discussing potential privacy and data security legislation. The NPRM seeks comment on issues that are implicated in this debate, as well as issues not addressed in the New York rule, like data minimization/elimination and requiring a legitimate business justification for collecting data in the first instance. These topics in particular take us into a broader debate that belongs--and is being had--in Congress.5 6 --------------------------------------------------------------------------- \5\ Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500, et seq. (2016). \6\ Press Release, S. Comm. on Banking Housing, and Urban Affairs, Crapo, Brown Invite Feedback on Data Privacy, Protection and Collection (Feb 13, 2019), https://www.banking.senate.gov/newsroom/majority/crapo-brown-invite-feedback-on-data-privacy-protection-and-collection. --------------------------------------------------------------------------- Third, the Safeguards Rule today is a flexible approach, appropriate to a company's size and complexity. This proposal would move us away from that approach. There are direct costs for enhanced precautions, but this record does not demonstrate that those costs will significantly reduce data security risks or significantly increase consumer benefits. The expansion of the Rule could create traps for the unwary, especially small and innovative businesses. Further, large incumbents can often absorb regulatory compliance costs more effectively than new entrants or smaller players, potentially decreasing competition. The proposed precautions, either individually or in the aggregate, may constitute best practices for certain firms. But the proliferation of procedural, technical, and governance requirements may have the unintended consequence of diluting core data security measures undertaken pursuant to the existing Safeguards Rule. --------------------------------------------------------------------------- \7\ See Brock and Evans, supra note 2. \8\ Standards for Safeguarding Customer Information (proposed Mar. 5, 2019) (16 CFR part 314.4(i)) (requiring that Chief Information Security Officer (``CISO'') report in writing, at least annually, to board of directors or equivalent about the overall status and material matters related to the information security program based on the assumption that ``such reports will not be overly burdensome [because] . . . required information can be gathered throughout the year as part of managing the information security program and satisfying the other requirements of the proposed amendments.'') (quoting proposed NPRM). \9\ Id. at 314.4(e) (requiring the hiring of qualified and sufficient personnel, continuous training for key personnel, and verification of training). \10\ Id. at 314.4(a)(1) (prohibiting companies from designating more than one employee to coordinate information security programs and instead requiring the designation of ``a single qualified individual'' (CISO)); Id. at 314.4(a)(2) (requiring oversight of CISO by appropriate senior member of personnel); Id. at 314.4(h) (requiring a written incident response plan). --------------------------------------------------------------------------- Finally, the NPRM proposes that the Commission substitute its own judgment for a private firm's governance decisions, including but not limited to the appropriate level of board engagement, hiring and training requirements, and program accountability structures. Data security is important, without doubt. In our enforcement and legislative advocacy, we focus a great deal on it. But take, for example, board engagement on data security. Whether and to what extent it should command the regular attention and personal liability of a company's board is precisely the kind of question firms are in a better position to evaluate than federal regulators. Other matters may be more important, including to the nation at large. A decade ago, our economy was brought low by what many view as improper risk assessment by financial institutions of their assets and liabilities. Maybe we want boards of financial institutions to spend more time assessing those risks. The point isn't that the answer is easy--the point is that we may not be the best qualified to supply it. This is an NPRM, and the Commission is merely proposing new regulation and soliciting views on its impact. But we are also aware that the momentum behind an NPRM regularly results in the promulgation of new or revised rules. While the Commission is not making a final determination today, we are concerned that the specific suggestions herein will frame the debate so as to take the Commission in a direction that may be unwarranted (particularly given the prospect of legislation), and which may have negative repercussions. A review of the Safeguards Rule, especially in light of new legal developments, is warranted. But we should go where the evidence today leads us. We would strongly encourage those in industry, academia, and civil society with expertise in these areas to comment and provide evidence on this proposal. For these reasons, we dissent. [FR Doc. 2019-04981 Filed 4-3-19; 8:45 am] BILLING CODE 6750-01-P
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
