Public Workshop Examining Information Security for Financial Institutions and Information Related to Changes to the Safeguards Rule, 13082-13086 [2020-04610]

Federal Register / Vol. 85, No. 45 / Friday, March 6, 2020 / Proposed Rules

which is incorporated by reference in 14 CFR 71.1. The Class E airspace designations listed in this document will be published subsequently in the Order. FAA Order 7400.11, Airspace Designations and Reporting Points, is published yearly and effective on September 15.

Regulatory Notices and Analyses

The FAA has determined that this regulation only involves an established body of technical regulations for which frequent and routine amendments are necessary to keep them operationally current, is non-controversial and unlikely to result in adverse or negative comments. It, therefore: (1) Is not a “significant regulatory action” under Executive Order 12866; (2) is not a “significant rule” under DOT Regulatory Policies and Procedures (44 FR 11034; February 26, 1979); and (3) does not warrant preparation of a regulatory evaluation as the anticipated impact is so minimal. Since this is a routine matter that will only affect air traffic procedures and air navigation, it is certified that this rule, when promulgated, would not have a significant economic impact on a substantial number of small entities under the criteria of the Regulatory Flexibility Act.

Environmental Review

This proposal will be subject to an environmental analysis in accordance with FAA Order 1050.1F, “Environmental Impacts: Policies and Procedures” prior to any FAA final regulatory action.

List of Subjects in 14 CFR Part 71

Airspace, Incorporation by reference, Navigation (air).

The Proposed Amendment

Accordingly, pursuant to the authority delegated to me, the Federal Aviation Administration proposes to amend 14 CFR part 71 as follows:

PART 71—DESIGNATION OF CLASS A, B, C, D, AND E AIRSPACE AREAS; AIR TRAFFIC SERVICE ROUTES; AND REPORTING POINTS

■ 1. The authority citation for 14 CFR part 71 continues to read as follows:

Authority: 49 U.S.C. 106(f), 106(g), 40103, 40113, 40120; E.O. 10854, 24 FR 9565, 3 CFR, 1959–1963 Comp., p. 389.

§ 71.1 [Amended]

■ 2. The incorporation by reference in 14 CFR 71.1 of FAA Order 7400.11D, Airspace Designations and Reporting Points, dated August 8, 2019, and effective September 15, 2019, is amended as follows:

Paragraph 6002 Class E Airspace Areas Designated as Surface Areas.

* * * * *

ANM MT E2 Dillon, MT [Amended]
Dillon Airport, MT
(Lat. 45°15′19″ N, long. 112°33′09″ W)
That airspace extending upward from the surface within a 5.2-mile radius of the airport, and within 2.4 miles each side of the 026° bearing from the airport, extending from the 5.2-mile radius to 6.8 miles northeast of the Dillon Airport.

Paragraph 6005 Class E Airspace Areas Extending Upward From 700 Feet or More Above the Surface of the Earth.

* * * * *

ANM MT E5 Dillon, MT [Amended]
Dillon Airport, MT
(Lat. 45°15′19″ N, long. 112°33′09″ W)
That airspace extending upward from 700 feet above the surface within a 5.2-mile radius of the airport, and within 3 miles each side of the 205° bearing from the airport, extending from the 5.2-mile radius to 9.9 miles southwest of the airport, and that airspace within 8 miles west and 4 miles east of the 005° bearing from the airport, extending from the 5.2-mile radius to 16 miles north of the airport; and that airspace extending upward from 1,200 feet above the surface within an 8-mile radius of the Dillon Airport.

Issued in Seattle, Washington, on February 26, 2020.

Shawn M. Kozica,
Group Manager, Operations Support Group, Western Service Center.

[FR Doc. 2020–04409 Filed 3–5–20; 8:45 am]
BILLING CODE 4910–13–P

FEDERAL TRADE COMMISSION

16 CFR Part 314

Public Workshop Examining Information Security for Financial Institutions and Information Related to Changes to the Safeguards Rule

AGENCY: Federal Trade Commission.

ACTION: Public workshop and request for public comment.

SUMMARY: The Federal Trade Commission (“FTC” or “Commission”) is holding a public workshop relating to its April 4, 2019, Notice of Proposed Rulemaking (“NPRM”) announcing proposed changes to the Commission’s Safeguards Rule. The workshop will explore information concerning the cost of information security for financial institutions, the availability of information security services for smaller financial institutions, and other issues raised in comments received in response to the NPRM.
DATES: The public workshop will be held on May 13, 2020, from 9:00 a.m. until 4:30 p.m., at the Constitution Center Conference Center, located at 400 7th Street SW, Washington, DC. Requests to participate as a panelist must be received by March 13, 2020. Any written comments related to agenda topics or the issues discussed by the panelists at the workshop must be received by June 12, 2020.

ADDRESSES: Interested parties may file a comment or a request to participate as a panelist online or on paper, by following the instructions in the Filing Comments and Requests to Participate as a Panelist part of the SUPPLEMENTARY INFORMATION section below. Write “Safeguards Rule, 16 CFR part 314, Project No. P145407,” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum (202–326–2773), Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION:
I. Introduction

In 1999,[1] Congress enacted the Gramm-Leach-Bliley Act (“GLB” or “GLBA”). The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to implement security safeguards for customer information. Pursuant to the GLBA, the Commission promulgated the Safeguards Rule in 2002. The Safeguards Rule became effective on May 23, 2003.

[1] Public Law 106–102, 113 Stat. 1338 (1999).

The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive information security program that consists of the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.[2] The information security program must be written in one or more readily accessible parts.[3] The safeguards set forth in the program must be appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.[4] The safeguards must also be reasonably designed to ensure the security and confidentiality of customer information, protect against any anticipated threats or hazards to the security or integrity of the information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.[5]

In order to develop, implement, and maintain its information security program, a financial institution must identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, including in the areas of: (1) Employee training and management; (2) information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and (3) detecting, preventing, and responding to attacks, intrusions, or other systems failures.[6] The financial institution must then design and implement safeguards to control the risks identified through the risk assessment, and must regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.[7] The financial institution is also required to evaluate and adjust its information security program in light of the results of this testing and monitoring, as well as any material changes in its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.[8] The financial institution must also designate an employee or employees to coordinate the information security program.[9]

[2] 16 CFR 314.2(c).
[3] 16 CFR 314.3(a).
[4] 16 CFR 314.3(a), (b).
[5] 16 CFR 314.3(a), (b).
[6] 16 CFR 314.4(b).
[7] 16 CFR 314.4(c).
[8] 16 CFR 314.4(e).
Finally, the Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information and require those service providers by contract to implement and maintain such safeguards.[10]

[9] 16 CFR 314.4(a).
[10] 16 CFR 314.4(d).

On August 29, 2016, the Commission solicited comments on the Safeguards Rule as part of its periodic review of its rules and guides.[11] The Commission sought comment on a number of general issues, including the economic impact and benefits of the Rule; possible conflicts between the Rule and state, local, or other federal laws or regulations; and the effect on the Rule of any technological, economic, or other industry changes. The Commission received 28 comments from individuals and entities representing a wide range of viewpoints.[12] Most commenters agreed that there is a continuing need for the Rule and that it benefits consumers and competition.[13]

[11] Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7, 2016).
[12] The comments are posted at: https://www.ftc.gov/policy/public-comments/initiative-674. The Commission has assigned each comment a number appearing after the name of the commenter and the date of submission. This notice cites comments using the last name of the individual submitter or the name of the organization, followed by the number assigned by the Commission.
[13] See, e.g., Mortgage Bankers Association (Comment #39); National Automobile Dealers Association (Comment #40); Data & Marketing Association (Comment #38); Electronic Transactions Association (Comment #24); State Privacy & Security Coalition (Comment #26).

After reviewing the comments, the Commission published a Notice of Proposed Rulemaking (“NPRM”) proposing to amend the Rule to include more detailed requirements for the development and establishment of the information security program required under the Rule, including requirements for encrypting financial information, the use of multifactor authentication, a written incident response plan, and the creation of periodic reports for the financial institution’s board of directors.[14] In addition, the Commission proposed amendments to the definition of “financial institution” and the addition of examples previously contained in the Privacy Rule to clarify the Safeguards Rule.[15] The Commission sought public comment on these proposed amendments as well as requesting information about the cost, benefits and options for information security for financial institutions, particularly smaller institutions. The Commission received 48 comments.[16] Thirteen comments from consumer groups, individuals, academic institutions, and government groups generally supported the addition of more detailed requirements as proposed. Twenty-four comments from industry groups and individuals generally opposed the addition, on the grounds that they would impose unwarranted costs on financial institutions.

[14] 84 FR 13158 (April 4, 2019).
[15] Id.
[16] The comments are posted at https://www.regulations.gov/document?D=FTC-2019-0019-0011.

II. Issues for Discussion at the Workshop

As part of the Safeguards Rule rulemaking, the FTC has decided to seek additional information about the costs and benefits of the proposed rule changes and the ability of financial institutions to comply with them. The workshop will seek information, empirical data, and testimony from security professionals who have worked with financial services companies, and will cover such topics as:

(1) Price models for specific elements of information security programs;
(2) Industry standards for security in various industries;
(3) How risks of cybersecurity events change based on the size of the financial institutions;
(4) Availability of third party information security services aimed at different sized institutions;
(5) Different methods of achieving continuous monitoring of information security systems;
(6) Costs and optimal frequency of penetration and vulnerability testing and the factors that affect that determination;
(7) Best uses for security logs and audit trails;
(8) The advantages and disadvantages of having a single person responsible for the information security program;
(9) How different corporate governance structures can affect performance of information security programs;
(10) Costs of encryption and multifactor authentication, and possible alternatives to these technologies;
(11) Whether SMS is an appropriate factor for multifactor authentication;
(12) The optimal balance between documentation and implementation of security measures.

A more detailed agenda will be published at a later date, in advance of the scheduled workshop.
III. Public Participation Information

A. Workshop Attendance

The workshop is free and open to the public, and will be held at the Constitution Center, 400 7th Street SW, Washington, DC. It will be webcast live on the FTC’s website. For admittance to the Constitution Center, all attendees must show valid government-issued photo identification, such as a driver’s license. Please arrive early enough to allow adequate time for this process. This event may be photographed, videotaped, webcast, or otherwise recorded. By participating in this event, you are agreeing that your image—and anything you say or submit—may be posted indefinitely at www.ftc.gov or on one of the Commission’s publicly available social media sites.

B. Requests To Participate as a Panelist

The workshop will be organized into panels, which will address the designated topics. Panelists will be selected by FTC staff. Other attendees will have an opportunity to comment and ask questions. The Commission will place a transcript of the proceeding on the public record. Requests to participate as a panelist must be received on or before March 13, 2020, as explained in Section IV below. Persons selected as panelists will be notified on or before March 27, 2020. Disclosing funding sources promotes transparency, ensures objectivity, and maintains the public’s trust. If chosen, prospective panelists will be required to disclose the source of any support they received in connection with participation at the workshop. This information will be included in the published panelist bios as part of the workshop record.

C. Electronic and Paper Comments

The submission of comments is not required for participation in the workshop. If a person wishes to submit paper or electronic comments related to the agenda topics or the issues discussed by the panelists at the workshop, such comments should be filed as prescribed in Section IV, and must be received on or before June 12, 2020.
IV. Filing Comments and Requests To Participate as a Panelist

You can file a comment, or request to participate as a panelist, online or on paper. For the Commission to consider your comment, we must receive it on or before June 12, 2020. For the Commission to consider your request to participate as a panelist, we must receive it by March 13, 2020. Write “Safeguards Rule, 16 CFR 314, Comment, Project No. P145407” on your comment and “Safeguards Rule, 16 CFR 314, Request to Participate, Project No. P145407” on your request to participate. Your comment—including your name and your state—will be placed on the public record of this proceeding, including to the extent practicable, on the publicly available website, https://www.regulations.gov.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online, or to send them to the Commission by courier or overnight service. To make sure that the Commission considers your online comment, you must file it at https://www.regulations.gov.

Because your comment will be placed on a publicly accessible website, https://www.regulations.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comments to be withheld from the public record.[17] Your comment will be kept confidential only if the FTC General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website, we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

[17] See 16 CFR 4.9(c).
Requests to participate as a panelist at the workshop should be submitted electronically to safeguardsworkshop2020@ftc.gov, or, if mailed, should be submitted in the manner detailed below. Parties are asked to include in their requests a brief statement setting forth their expertise in or knowledge of the issues on which the workshop will focus as well as their contact information, including a telephone number and email address (if available), to enable the FTC to notify them if they are selected.

If you file your comment or request on paper, write “Safeguards Rule, 16 CFR part 314, Comment, Project No. P145407” on your comment and on the envelope and “Safeguards Rule, 16 CFR part 314, Request to Participate, Project No. P145407,” on your request and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex F), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex F). If possible, submit your paper comment or request to the Commission by courier or overnight service.

Visit the Commission website at https://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before June 12, 2020. The Commission will consider all timely requests to participate as a panelist in the workshop that it receives by March 13, 2020. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
V. Communications by Outside Parties to Commissioners or Their Advisors

Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding, from any outside party to any Commissioner or Commissioner’s advisor, will be placed on the public record.[18]

[18] See 16 CFR 1.26(b)(5).

By direction of the Commission.

April J. Tabor,
Acting Secretary.

Concurring Statement of Commissioners Christine S. Wilson and Noah Joshua Phillips

Today the Commission announced a public workshop relating to its April 4, 2019 notice of proposed rulemaking (“NPRM”) recommending changes to the Commission’s Safeguards Rule. Although we dissented from the issuance of the NPRM, we concur with the decision to hold this workshop. Our dissent from the issuance of the NPRM[1] was based in part on the fact that the FTC lacked an adequate evidentiary basis for the proposed rule’s requirements, so we applaud the FTC’s willingness to seek additional information, empirical data, and testimony from stakeholders and experts to inform the agency’s analysis of potential changes to the Safeguards Rule.

[1] Dissenting Statement of Commissioner Noah Joshua Phillips and Commissioner Christine S. Wilson, Regulatory Review of Safeguards Rule (Mar. 5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf.

Our dissent expressed several concerns that subsequently were echoed in comments submitted to the FTC during the NPRM process:

• First, we were concerned that the proposed revisions are overly prescriptive. We are wary of trading flexibility for a costly one-size-fits-all approach that would divert company resources away from risk management initiatives specifically tailored to each entity’s unique data collection, usage, and storage practices.[2] Our wariness was exacerbated by the fact that the proposal would apply remedies imposed in specific data security enforcement actions—generally outside the context of the Safeguards Rule and only to the firms named in those actions—to financial information generally, without a basis to conclude that the Safeguards Rule is not adequate or that covered firms systematically have worse data security than those not covered, such that additional regulation beyond the current Rule would be warranted.

• Second, we were concerned that this new and prescriptive approach would impose significant incremental costs without materially reducing data security risks or significantly increasing consumer benefits.[3] The submission from NADA, by way of example, highlights the incremental costs imposed by the proposed revisions: NADA estimates that it would cost the average car dealership one-time, upfront costs of $293,975, with $276,925 in additional costs each year.[4] These incremental costs will be particularly burdensome for new entrants and smaller companies, which may ultimately hinder competition with larger and better-established rivals.

• Third, we were concerned that the suggested Rule revisions substituted the Commission’s judgment for a private firm’s governance decisions.[5]

• Fourth, we were concerned that the Rule was premature because the proposed regulations are substantially based on relatively new New York State Department of Financial Services regulations that have not been market-tested for feasibility and efficacy.[6]

[2] Comments express similar concerns that the proposal is overly prescriptive and creates costs that may not significantly reduce data security risks or increase consumer benefits. See Comments submitted by Office of Advocacy, U.S. Small Business Administration, National Automobile Dealers Association, Mortgage Bankers Association, Global Privacy Alliance, Software Information & Industry Association, and U.S. Chamber of Commerce. NPRM Comments are posted at https://www.regulations.gov/document?D=FTC-2019-0019-0011.
[3] See Comment from the National Independent Automobile Dealers Association (noting the considerable costs imposed on financial institutions from the proposed revisions and the need for the FTC to demonstrate a clear link between its proposal and reductions in data security risks and increases in consumer benefits).
[4] Comment from the National Automobile Dealers Association (NADA), 42.
[5] This sentiment is reflected in the comment from the Software Information & Industry Association.
[6] Comments express similar concerns that the FTC’s proposed regulations rely on untested frameworks and recommend allowing time to assess the impacts of the model legislation. See Comments from the Office of Advocacy, US Small Business Administration, CTIA, National Automobile Dealers Association, and Consumer Data Industry Association (CDIA).

The workshop will enable the FTC to obtain additional information about the costs and benefits of the proposed rule changes and the ability of companies that fall within the Rule’s scope to comply with the proposed changes. We continue to encourage stakeholders, including experts in security for financial services companies, to comment and provide evidence for this workshop. We are particularly interested in hearing from those who are knowledgeable about security for small businesses. In light of the significant proposed changes to the Safeguards Rule, and the concerns expressed by many commenters thus far, we view this additional solicitation of input from stakeholders as vital.
Statement of Commissioner Rohit
Chopra Joined by Commissioner
Rebecca Kelly Slaughter
Summary
• Corporate America’s surveillance of
our personal data is not just about
privacy. Foreign actors are stealing and
stockpiling this data, which threatens
our national security.
• Companies like Equifax, with their
unquenchable thirst for data and their
shoddy security practices, are not
victims. We must act to curtail the
collection, abuse, and misuse of data.
• Rather than ‘‘hold our breath and
wait’’ for Congress, the FTC should use
the legal authority it has today to protect
our citizens, our economy, and our
country.
A few weeks ago, U.S. Attorney
General William Barr announced
criminal indictments against four
members of the Chinese People’s
Liberation Army for conspiring to hack
Equifax’s computer systems. The
Attorney General noted that China has
a ‘‘voracious appetite for the personal
data of Americans’’ and linked China
with several other high-profile hacks of
personal data held by large U.S.
corporations, including the intrusions
into one of America’s largest hotel
chains, Marriott, and one of America’s
largest health insurers, Anthem.1
The threat posed by China’s hacks
goes far beyond identity theft. As
explained by Attorney General Barr,
‘‘these thefts can feed China’s
development of artificial intelligence
tools as well as the creation of
intelligence targeting packages.’’ 2
Safeguarding personal data is
undoubtedly a national security issue.
In spite of these risks, lax security
practices continue to expose our data.
According to an alert by the Department
of Homeland Security, 85 percent of
targeted attacks are preventable.3 For
example, it is hard to call Equifax a
victim. Their shoddy approach to
security was practically an invitation for
the Chinese People’s Liberation Army to
raid Americans’ data. Equifax received
critical alerts on the need to patch
1 William P. Barr, U.S. Attorney General, Attorney
General William P. Barr Announces Indictment of
Four Members of China’s Military for Hacking into
Equifax, Remarks as Prepared for Delivery, (Feb. 10,
2020), https://www.justice.gov/opa/speech/
attorney-general-william-p-barr-announcesindictment-four-members-china-s-military
2 Id.
3 Press Release, Department of Homeland
Security, Alert (TA15–119A) Top 30 Targeted High
Risk Vulnerabilities, (Sept. 29, 2016), https://
www.us-cert.gov/ncas/alerts/TA15-119A.
E:\FR\FM\06MRP1.SGM
06MRP1
13086
Federal Register / Vol. 85, No. 45 / Friday, March 6, 2020 / Proposed Rules
lotter on DSKBCFDHB2PROD with PROPOSALS
software systems, but failed to do so.
Equifax even stored sensitive usernames
and passwords in plain text.4
The costs of maintaining the status
quo approach are significant and
mounting. According to industry
analysis, the majority of small
businesses currently ‘‘do not have a
cyberattack prevention plan,’’ 5 yet
nearly half of them have experienced at
least one breach within the last year.6
Data breaches can be particularly
perilous for small businesses and new
entrants, with one survey finding that
66 percent could face temporary or
permanent closure if their systems are
compromised.7
The process of putting into place clear
rules requiring corporations to prevent
abuse and misuse personal data is long
overdue. As the agency responsible for
data protection across most of the
economy, the Federal Trade
Commission plays a central role.
While the effort to update the
Safeguards Rule is a start, its reach will
be limited to certain nonbank financial
institutions like Equifax, and violations
don’t even come with any civil
penalties. Given the ongoing harms to
individuals and our country, we should
use every tool in our toolbox to address
data security issues. The Commission
has urged Congress to act, but I agree
with Commissioner Rebecca Kelly
Slaughter, who has argued that ‘‘we
cannot simply hold our breath and
wait.’’ 8 There are many ways that we
can curtail the collection, misuse, and
abuse of personal data, including
launching a rulemaking that broadly
applies to companies across sectors so
4 Fed. Trade Comm’n v. Equifax, Case 1:19-mi99999-UNA, U.S. District Court for the Northern
District of Georgia, Atlanta Division, Complaint for
Permanent Injunction and Other Relief at 7–8 (July
22, 2019), https://www.ftc.gov/system/files/
documents/cases/172_3203_equifax_complaint_722-19.pdf.
5 Craig Lurey, Cyber Mindset Exposed: Keeper
Unveils its 2019 SMB Cyberthreat Study, Keeper
Security, (July 24, 2019), https://
www.keepersecurity.com/blog/2019/07/24/cybermindset-exposed-keeper-unveils-its-2019-smbcyberthreat-study/.
6 Hiscox Cyber Readiness Report 2019, Hiscox
Ltd., (Apr. 23, 2019), https://
www.keepersecurity.com/blog/2019/07/24/cybermindset-exposed-keeper-unveils-its-2019-smbcyberthreat-study/.
there are meaningful sanctions for violators. We have this authority today.
7 Press Release, VIPRE Announces Launch of VIPRE Endpoint Security—Cloud Edition, Business Wire, (Oct. 2, 2017), https://www.businesswire.com/news/home/20171002005176/en.
8 Last year, Commissioner Slaughter described how the FTC could use its existing authority to initiate a data protection rulemaking. See Rebecca Kelly Slaughter, Commissioner, Fed. Trade Comm’n, Remarks at the Silicon Flatirons Conference at the University of Colorado Law School: The Near Future of U.S. Privacy Law, (September 6, 2019), https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf.
Commissioners Wilson and Phillips argue that we must consider the impact of data security on competition. I agree. Data security must also be top of mind in our competition enforcement work across sectors of the economy. We should be reviewing how mergers can lead to a race to the bottom on data security. We need to rigorously scrutinize data deals. Companies are being bought and sold based on the data they have and the data they can continue to collect. Acquired data is being merged into larger databases and used in ways that people may not have authorized when they signed up for the service or initially provided their information.
We need to continue to take a close look at what promises were made in exchange for data access and whether those promises were upheld when the data was sold. We also need to examine how companies are integrating different security systems, whether strong security standards are being maintained, and whether sensitive data is being handled appropriately.
Finally, we need to consider whether there are limits to the amount of data one company can collect and compile, the types of data one company can combine, and the ways in which data can be used and monetized. The scale and scope of data collection that large companies are engaging in has made them—and us—sitting ducks for malicious actors. Since these companies are more fixated on monetizing that data than securing it, their mass surveillance has become a national security threat. Our adversaries know that these large firms have essentially done the dirty work of collecting intelligence on our citizens, and lax security standards make it easy to steal. Ultimately, we need to fix the market structures and incentives that drive firms to harvest and traffic in our private information, so that complacent companies are punished when they don’t care about our security needs or expectations.
The extraordinary step of criminal indictments of members of the Chinese People’s Liberation Army announced by the Attorney General is yet another wake-up call. Until we take serious steps to curb corporate surveillance, the risks to our citizens and country will only grow as bad actors continue to steal and stockpile our data. The FTC will need to act decisively to protect families, businesses, and our country from these unquantifiable harms.
[FR Doc. 2020–04610 Filed 3–5–20; 8:45 am]
BILLING CODE 6750–01–P
[Federal Register Volume 85, Number 45 (Friday, March 6, 2020)]
[Proposed Rules]
[Pages 13082-13086]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-04610]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
16 CFR Part 314
Public Workshop Examining Information Security for Financial
Institutions and Information Related to Changes to the Safeguards Rule
AGENCY: Federal Trade Commission.
ACTION: Public workshop and request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') is
holding a public workshop relating to its April 4, 2019, Notice of
Proposed Rulemaking (``NPRM'') announcing proposed changes to the
Commission's Safeguards Rule. The workshop will explore information
concerning the cost of information security for financial institutions,
the availability of information security services for smaller financial
institutions, and other issues raised in comments received in response
to the NPRM.
DATES: The public workshop will be held on May 13, 2020, from 9:00 a.m.
until 4:30 p.m., at the Constitution Center Conference Center, located
at 400 7th Street SW, Washington, DC. Requests to participate as a
panelist must be received by March 13, 2020. Any written comments
related to agenda topics or the issues discussed by the panelists at
the workshop must be received by June 12, 2020.
ADDRESSES: Interested parties may file a comment or a request to
participate as a panelist online or on paper, by following the
instructions in the Filing Comments and Requests to Participate as a
Panelist part of the SUPPLEMENTARY INFORMATION section below. Write
``Safeguards Rule, 16 CFR part 314, Project No. P145407,'' on your
comment and file your comment online at https://www.regulations.gov by
following the instructions on the web-based form. If you prefer to file
your comment on paper, mail your comment to the following address:
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania
Avenue NW, Suite CC-5610 (Annex B), Washington, DC 20580, or deliver
your comment to the following address: Federal Trade Commission, Office
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor,
Suite 5610 (Annex B), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773),
Division of Privacy and Identity Protection, Bureau of Consumer
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580.
SUPPLEMENTARY INFORMATION:
I. Introduction
In 1999,\1\ Congress enacted the Gramm-Leach-Bliley Act (``GLB'' or
``GLBA''). The GLBA provides a framework for regulating the privacy and
data security practices of a broad range of financial institutions.
Among other things, the GLBA requires financial institutions to
implement security safeguards for customer information. Pursuant to the
GLBA, the Commission promulgated the Safeguards Rule in 2002. The
Safeguards Rule became effective on May 23, 2003.
---------------------------------------------------------------------------
\1\ Public Law 106-102, 113 Stat. 1338 (1999).
---------------------------------------------------------------------------
The Safeguards Rule requires a financial institution to develop,
implement, and maintain a comprehensive information security program
that consists of the
[[Page 13083]]
administrative, technical, and physical safeguards the financial
institution uses to access, collect, distribute, process, protect,
store, use, transmit, dispose of, or otherwise handle customer
information.\2\ The information security program must be written in one
or more readily accessible parts.\3\ The safeguards set forth in the
program must be appropriate to the size and complexity of the financial
institution, the nature and scope of its activities, and the
sensitivity of any customer information at issue.\4\ The safeguards
must also be reasonably designed to ensure the security and
confidentiality of customer information, protect against any
anticipated threats or hazards to the security or integrity of the
information, and protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience to
any customer.\5\
---------------------------------------------------------------------------
\2\ 16 CFR 314.2(c).
\3\ 16 CFR 314.3(a).
\4\ 16 CFR 314.3(a), (b).
\5\ 16 CFR 314.3(a), (b).
---------------------------------------------------------------------------
In order to develop, implement, and maintain its information
security program, a financial institution must identify reasonably
foreseeable internal and external risks to the security,
confidentiality, and integrity of customer information that could
result in the unauthorized disclosure, misuse, alteration, destruction,
or other compromise of such information, including in the areas of: (1)
Employee training and management; (2) information systems, including
network and software design, as well as information processing,
storage, transmission, and disposal; and (3) detecting, preventing, and
responding to attacks, intrusions, or other systems failures.\6\ The
financial institution must then design and implement safeguards to
control the risks identified through the risk assessment, and must
regularly test or otherwise monitor the effectiveness of the
safeguards' key controls, systems, and procedures.\7\ The financial
institution is also required to evaluate and adjust its information
security program in light of the results of this testing and
monitoring, as well as any material changes in its operations or
business arrangements, or any other circumstances that it knows or has
reason to know may have a material impact on its information security
program.\8\ The financial institution must also designate an employee
or employees to coordinate the information security program.\9\
---------------------------------------------------------------------------
\6\ 16 CFR 314.4(b).
\7\ 16 CFR 314.4(c).
\8\ 16 CFR 314.4(e).
\9\ 16 CFR 314.4(a).
---------------------------------------------------------------------------
Finally, the Safeguards Rule requires financial institutions to
take reasonable steps to select and retain service providers that are
capable of maintaining appropriate safeguards for customer information
and require those service providers by contract to implement and
maintain such safeguards.\10\
---------------------------------------------------------------------------
\10\ 16 CFR 314.4(d).
---------------------------------------------------------------------------
On August 29, 2016, the Commission solicited comments on the
Safeguards Rule as part of its periodic review of its rules and
guides.\11\ The Commission sought comment on a number of general
issues, including the economic impact and benefits of the Rule;
possible conflicts between the Rule and state, local, or other federal
laws or regulations; and the effect on the Rule of any technological,
economic, or other industry changes. The Commission received 28
comments from individuals and entities representing a wide range of
viewpoints.\12\ Most commenters agreed that there is a continuing need
for the Rule and that it benefits consumers and competition.\13\
---------------------------------------------------------------------------
\11\ Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7,
2016).
\12\ The comments are posted at: https://www.ftc.gov/policy/public-comments/initiative-674. The Commission has assigned each
comment a number appearing after the name of the commenter and the
date of submission. This notice cites comments using the last name
of the individual submitter or the name of the organization,
followed by the number assigned by the Commission.
\13\ See, e.g., Mortgage Bankers Association (Comment #39);
National Automobile Dealers Association (Comment #40); Data &
Marketing Association (Comment #38); Electronic Transactions
Association (Comment #24); State Privacy & Security Coalition
(Comment #26).
---------------------------------------------------------------------------
After reviewing the comments, the Commission published a Notice of
Proposed Rulemaking (``NPRM'') proposing to amend the Rule to include
more detailed requirements for the development and establishment of the
information security program required under the Rule, including
requirements for encrypting financial information, the use of
multifactor authentication, a written incident response plan, and the
creation of periodic reports for the financial institution's board of
directors.\14\ In addition, the Commission proposed amendments to the
definition of ``financial institution'' and the addition of examples
previously contained in the Privacy Rule to clarify the Safeguards
Rule.\15\ The Commission sought public comment on these proposed
amendments as well as requesting information about the cost, benefits
and options for information security for financial institutions,
particularly smaller institutions. The Commission received 48
comments.\16\ Thirteen comments from consumer groups, individuals,
academic institutions, and government groups generally supported the
addition of more detailed requirements as proposed. Twenty-four
comments from industry groups and individuals generally opposed the
addition, on the grounds that they would impose unwarranted costs on
financial institutions.
---------------------------------------------------------------------------
\14\ 84 FR 13158 (April 4, 2019).
\15\ Id.
\16\ The comments are posted at https://www.regulations.gov/document?D=FTC-2019-0019-0011.
---------------------------------------------------------------------------
II. Issues for Discussion at the Workshop
As part of the Safeguards Rule rulemaking, the FTC has decided to
seek additional information about the costs and benefits of the
proposed rule changes and the ability of financial institutions to
comply with them. The workshop will seek information, empirical data,
and testimony from security professionals who have worked with
financial services companies, and will cover such topics as:
(1) Price models for specific elements of information security
programs;
(2) Industry standards for security in various industries;
(3) How risks of cybersecurity events change based on the size of
the financial institutions;
(4) Availability of third party information security services aimed
at different sized institutions;
(5) Different methods of achieving continuous monitoring of
information security systems;
(6) Costs and optimal frequency of penetration and vulnerability
testing and the factors that affect that determination;
(7) Best uses for security logs and audit trails;
(8) The advantages and disadvantages of having a single person
responsible for the information security program;
(9) How different corporate governance structures can affect
performance of information security programs;
(10) Costs of encryption and multifactor authentication, and
possible alternatives to these technologies;
(11) Whether SMS is an appropriate factor for multifactor
authentication;
(12) The optimal balance between documentation and implementation
of security measures.
A more detailed agenda will be published at a later date, in
advance of the scheduled workshop.
[[Page 13084]]
III. Public Participation Information
A. Workshop Attendance
The workshop is free and open to the public, and will be held at
the Constitution Center, 400 7th Street SW, Washington, DC. It will be
webcast live on the FTC's website. For admittance to the Constitution
Center, all attendees must show valid government-issued photo
identification, such as a driver's license. Please arrive early enough
to allow adequate time for this process.
This event may be photographed, videotaped, webcast, or otherwise
recorded. By participating in this event, you are agreeing that your
image--and anything you say or submit--may be posted indefinitely at
www.ftc.gov or on one of the Commission's publicly available social
media sites.
B. Requests To Participate as a Panelist
The workshop will be organized into panels, which will address the
designated topics. Panelists will be selected by FTC staff. Other
attendees will have an opportunity to comment and ask questions. The
Commission will place a transcript of the proceeding on the public
record. Requests to participate as a panelist must be received on or
before March 13, 2020, as explained in Section IV below. Persons selected
as panelists will be notified on or before March 27, 2020. Disclosing
funding sources promotes transparency, ensures objectivity, and
maintains the public's trust. If chosen, prospective panelists will be
required to disclose the source of any support they received in
connection with participation at the workshop. This information will be
included in the published panelist bios as part of the workshop record.
C. Electronic and Paper Comments
The submission of comments is not required for participation in the
workshop. If a person wishes to submit paper or electronic comments
related to the agenda topics or the issues discussed by the panelists
at the workshop, such comments should be filed as prescribed in Section
IV, and must be received on or before June 12, 2020.
IV. Filing Comments and Requests To Participate as a Panelist
You can file a comment, or request to participate as a panelist,
online or on paper. For the Commission to consider your comment, we
must receive it on or before June 12, 2020. For the Commission to
consider your request to participate as a panelist, we must receive it
by March 13, 2020. Write ``Safeguards Rule, 16 CFR 314, Comment,
Project No. P145407'' on your comment and ``Safeguards Rule, 16 CFR
314, Request to Participate, Project No. P145407'' on your request to
participate. Your comment--including your name and your state--will be
placed on the public record of this proceeding, including to the extent
practicable, on the publicly available website, https://www.regulations.gov.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online, or to send them to the Commission by courier or
overnight service. To make sure that the Commission considers your
online comment, you must file it at https://www.regulations.gov.
Because your comment will be placed on a publicly accessible
website, https://www.regulations.gov, you are solely responsible for
making sure that your comment does not include any sensitive or
confidential information. In particular, your comment should not
include any sensitive personal information, such as your or anyone
else's Social Security number; date of birth; driver's license number
or other state identification number, or foreign country equivalent;
passport number, financial account number, or credit or debit card
number. You are also solely responsible for making sure your comment
does not include any sensitive health information, such as medical
records or other individually identifiable health information. In
addition, your comment should not include any ``trade secret or any
commercial or financial information which . . . is privileged or
confidential''--as provided by Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)-- including in
particular competitively sensitive information such as costs, sales
statistics, inventories, formulas, patterns, devices, manufacturing
processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comments to be withheld from
the public record.\17\ Your comment will be kept confidential only if
the FTC General Counsel grants your request in accordance with the law
and the public interest. Once your comment has been posted on the
https://www.regulations.gov website, we cannot redact or remove your
comment from the FTC website, unless you submit a confidentiality
request that meets the requirements for such treatment under FTC Rule
4.9(c), and the General Counsel grants that request.
---------------------------------------------------------------------------
\17\ See 16 CFR 4.9(c).
---------------------------------------------------------------------------
Requests to participate as a panelist at the workshop should be
submitted electronically to [email protected], or, if
mailed, should be submitted in the manner detailed below. Parties are
asked to include in their requests a brief statement setting forth
their expertise in or knowledge of the issues on which the workshop
will focus as well as their contact information, including a telephone
number and email address (if available), to enable the FTC to notify
them if they are selected.
If you file your comment or request on paper, write ``Safeguards
Rule, 16 CFR part 314, Comment, Project No. P145407'' on your comment
and on the envelope and ``Safeguards Rule, 16 CFR part 314, Request to
Participate, Project No. P145407,'' on your request and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite
CC-5610 (Annex F), Washington, DC 20580, or deliver your comment to the
following address: Federal Trade Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex
F). If possible, submit your paper comment or request to the Commission
by courier or overnight service.
Visit the Commission website at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before June 12, 2020. The Commission will consider
all timely requests to participate as a panelist in the workshop that
it receives by March 13, 2020. For information on the Commission's
privacy policy, including routine uses permitted by the Privacy Act,
see https://www.ftc.gov/site-information/privacy-policy.
V. Communications by Outside Parties to Commissioners or Their Advisors
Written communications and summaries or transcripts of oral
communications respecting the merits of this proceeding, from any
outside
[[Page 13085]]
party to any Commissioner or Commissioner's advisor, will be placed on
the public record.\18\
---------------------------------------------------------------------------
\18\ See 16 CFR 1.26(b)(5).
---------------------------------------------------------------------------
By direction of the Commission.
April J. Tabor,
Acting Secretary.
Concurring Statement of Commissioners Christine S. Wilson and Noah
Joshua Phillips
Today the Commission announced a public workshop relating to its
April 4, 2019 notice of proposed rulemaking (``NPRM'') recommending
changes to the Commission's Safeguards Rule. Although we dissented from
the issuance of the NPRM, we concur with the decision to hold this
workshop. Our dissent from the issuance of the NPRM \1\ was based in
part on the fact that the FTC lacked an adequate evidentiary basis for
the proposed rule's requirements, so we applaud the FTC's willingness
to seek additional information, empirical data, and testimony from
stakeholders and experts to inform the agency's analysis of potential
changes to the Safeguards Rule.
---------------------------------------------------------------------------
\1\ Dissenting Statement of Commissioner Noah Joshua Phillips
and Commissioner Christine S. Wilson, Regulatory Review of
Safeguards Rule (Mar. 5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf.
---------------------------------------------------------------------------
Our dissent expressed several concerns that subsequently were
echoed in comments submitted to the FTC during the NPRM process:
First, we were concerned that the proposed revisions are
overly prescriptive. We are wary of trading flexibility for a costly
one-size-fits-all approach that would divert company resources away
from risk management initiatives specifically tailored to each entity's
unique data collection, usage, and storage practices.\2\ Our wariness
was exacerbated by the fact that the proposal would apply remedies
imposed in specific data security enforcement actions--generally
outside the context of the Safeguards Rule and only to the firms named
in those actions--to financial information generally, without a basis
to conclude that the Safeguards Rule is not adequate or that covered
firms systematically have worse data security than those not covered,
such that additional regulation beyond the current Rule would be
warranted.
---------------------------------------------------------------------------
\2\ Comments express similar concerns that the proposal is
overly prescriptive and creates costs that may not significantly
reduce data security risks or increase consumer benefits. See
Comments submitted by Office of Advocacy, U.S. Small Business
Administration, National Automobile Dealers Association, Mortgage
Bankers Association, Global Privacy Alliance, Software Information &
Industry Association, and U.S. Chamber of Commerce. NPRM Comments
are posted at https://www.regulations.gov/document?D=FTC-2019-0019-0011.
---------------------------------------------------------------------------
Second, we were concerned that this new and prescriptive
approach would impose significant incremental costs without materially
reducing data security risks or significantly increasing consumer
benefits.\3\ The submission from NADA, by way of example, highlights
the incremental costs imposed by the proposed revisions: NADA estimates
that it would cost the average car dealership one-time, up-front costs
of $293,975, with $276,925 in additional costs each year.\4\ These
incremental costs will be particularly burdensome for new entrants and
smaller companies, which may ultimately hinder competition with larger
and better-established rivals.
---------------------------------------------------------------------------
\3\ See Comment from the National Independent Automobile Dealers
Association (noting the considerable costs imposed on financial
institutions from the proposed revisions and the need for the FTC to
demonstrate a clear link between its proposal and reductions in data
security risks and increases in consumer benefits).
\4\ Comment from the National Automobile Dealers Association
(NADA), 42.
---------------------------------------------------------------------------
Third, we were concerned that the suggested Rule revisions
substituted the Commission's judgment for a private firm's governance
decisions.\5\
---------------------------------------------------------------------------
\5\ This sentiment is reflected in the comment from the Software
Information & Industry Association.
---------------------------------------------------------------------------
Fourth, we were concerned that the Rule was premature
because the proposed regulations are substantially based on relatively
new New York State Department of Financial Services regulations that
have not been market-tested for feasibility and efficacy.\6\
---------------------------------------------------------------------------
\6\ Comments express similar concerns that the FTC's proposed
regulations rely on untested frameworks and recommend allowing time
to assess the impacts of the model legislation. See Comments from
the Office of Advocacy, US Small Business Administration, CTIA,
National Automobile Dealers Association, and Consumer Data Industry
Association (CDIA).
---------------------------------------------------------------------------
The workshop will enable the FTC to obtain additional information
about the costs and benefits of the proposed rule changes and the
ability of companies that fall within the Rule's scope to comply with
the proposed changes. We continue to encourage stakeholders, including
experts in security for financial services companies, to comment and
provide evidence for this workshop. We are particularly interested in
hearing from those who are knowledgeable about security for small
businesses. In light of the significant proposed changes to the
Safeguards Rule, and the concerns expressed by many commenters thus
far, we view this additional solicitation of input from stakeholders as
vital.
Statement of Commissioner Rohit Chopra Joined by Commissioner Rebecca
Kelly Slaughter
Summary
Corporate America's surveillance of our personal data is
not just about privacy. Foreign actors are stealing and stockpiling
this data, which threatens our national security.
Companies like Equifax, with their unquenchable thirst for
data and their shoddy security practices, are not victims. We must act
to curtail the collection, abuse, and misuse of data.
Rather than ``hold our breath and wait'' for Congress, the
FTC should use the legal authority it has today to protect our
citizens, our economy, and our country.
A few weeks ago, U.S. Attorney General William Barr announced
criminal indictments against four members of the Chinese People's
Liberation Army for conspiring to hack Equifax's computer systems. The
Attorney General noted that China has a ``voracious appetite for the
personal data of Americans'' and linked China with several other high-
profile hacks of personal data held by large U.S. corporations,
including the intrusions into one of America's largest hotel chains,
Marriott, and one of America's largest health insurers, Anthem.\1\
---------------------------------------------------------------------------
\1\ William P. Barr, U.S. Attorney General, Attorney General
William P. Barr Announces Indictment of Four Members of China's
Military for Hacking into Equifax, Remarks as Prepared for Delivery,
(Feb. 10, 2020), https://www.justice.gov/opa/speech/attorney-general-william-p-barr-announces-indictment-four-members-china-s-military.
---------------------------------------------------------------------------
The threat posed by China's hacks goes far beyond identity theft.
As explained by Attorney General Barr, ``these thefts can feed China's
development of artificial intelligence tools as well as the creation of
intelligence targeting packages.'' \2\ Safeguarding personal data is
undoubtedly a national security issue.
---------------------------------------------------------------------------
\2\ Id.
---------------------------------------------------------------------------
In spite of these risks, lax security practices continue to expose
our data. According to an alert by the Department of Homeland Security,
85 percent of targeted attacks are preventable.\3\ For example, it is
hard to call Equifax a victim. Their shoddy approach to security was
practically an invitation for the Chinese People's Liberation Army to
raid Americans' data. Equifax received critical alerts on the need to
patch
software systems, but failed to do so. Equifax even stored sensitive
usernames and passwords in plain text.\4\
---------------------------------------------------------------------------
\3\ Press Release, Department of Homeland Security, Alert (TA15-
119A) Top 30 Targeted High Risk Vulnerabilities, (Sept. 29, 2016),
https://www.us-cert.gov/ncas/alerts/TA15-119A.
\4\ Fed. Trade Comm'n v. Equifax, Case 1:19-mi-99999-UNA, U.S.
District Court for the Northern District of Georgia, Atlanta
Division, Complaint for Permanent Injunction and Other Relief at 7-8
(July 22, 2019), https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_complaint_7-22-19.pdf.
---------------------------------------------------------------------------
The costs of maintaining the status quo approach are significant
and mounting. According to industry analysis, the majority of small
businesses currently ``do not have a cyberattack prevention plan,'' \5\
yet nearly half of them have experienced at least one breach within the
last year.\6\ Data breaches can be particularly perilous for small
businesses and new entrants, with one survey finding that 66 percent
could face temporary or permanent closure if their systems are
compromised.\7\
---------------------------------------------------------------------------
\5\ Craig Lurey, Cyber Mindset Exposed: Keeper Unveils its 2019
SMB Cyberthreat Study, Keeper Security, (July 24, 2019), https://www.keepersecurity.com/blog/2019/07/24/cyber-mindset-exposed-keeper-unveils-its-2019-smb-cyberthreat-study/.
\6\ Hiscox Cyber Readiness Report 2019, Hiscox Ltd., (Apr. 23,
2019), https://www.keepersecurity.com/blog/2019/07/24/cyber-mindset-exposed-keeper-unveils-its-2019-smb-cyberthreat-study/.
\7\ Press Release, VIPRE Announces Launch of VIPRE Endpoint
Security--Cloud Edition, Business Wire, (Oct. 2, 2017), https://www.businesswire.com/news/home/20171002005176/en.
---------------------------------------------------------------------------
The process of putting into place clear rules requiring
corporations to prevent abuse and misuse of personal data is long overdue.
As the agency responsible for data protection across most of the
economy, the Federal Trade Commission plays a central role.
While the effort to update the Safeguards Rule is a start, its
reach will be limited to certain nonbank financial institutions like
Equifax, and violations don't even come with any civil penalties. Given
the ongoing harms to individuals and our country, we should use every
tool in our toolbox to address data security issues. The Commission has
urged Congress to act, but I agree with Commissioner Rebecca Kelly
Slaughter, who has argued that ``we cannot simply hold our breath and
wait.'' \8\ There are many ways that we can curtail the collection,
misuse, and abuse of personal data, including launching a rulemaking
that broadly applies to companies across sectors so there are
meaningful sanctions for violators. We have this authority today.
---------------------------------------------------------------------------
\8\ Last year, Commissioner Slaughter described how the FTC
could use its existing authority to initiate a data protection
rulemaking. See Rebecca Kelly Slaughter, Commissioner, Fed. Trade
Comm'n, Remarks at the Silicon Flatirons Conference at the
University of Colorado Law School: The Near Future of U.S. Privacy
Law, (September 6, 2019), https://www.ftc.gov/system/files/documents/public_statements/1543396/slaughter_silicon_flatirons_remarks_9-6-19.pdf.
---------------------------------------------------------------------------
Commissioners Wilson and Phillips argue that we must consider the
impact of data security on competition. I agree. Data security must
also be top of mind in our competition enforcement work across sectors
of the economy. We should be reviewing how mergers can lead to a race
to the bottom on data security. We need to rigorously scrutinize data
deals. Companies are being bought and sold based on the data they have
and the data they can continue to collect. Acquired data is being
merged into larger databases and used in ways that people may not have
authorized when they signed up for the service or initially provided
their information.
We need to continue to take a close look at what promises were made
in exchange for data access and whether those promises were upheld when
the data was sold. We also need to examine how companies are
integrating different security systems, whether strong security
standards are being maintained, and whether sensitive data is being
handled appropriately.
Finally, we need to consider whether there are limits to the amount
of data one company can collect and compile, the types of data one
company can combine, and the ways in which data can be used and
monetized. The scale and scope of data collection that large companies
are engaging in has made them--and us--sitting ducks for malicious
actors. Since these companies are more fixated on monetizing that data
than securing it, their mass surveillance has become a national
security threat. Our adversaries know that these large firms have
essentially done the dirty work of collecting intelligence on our
citizens, and lax security standards make it easy to steal. Ultimately,
we need to fix the market structures and incentives that drive firms to
harvest and traffic in our private information, so that complacent
companies are punished when they don't care about our security needs or
expectations.
The extraordinary step of criminal indictments of members of the
Chinese People's Liberation Army announced by the Attorney General is
yet another wake-up call. Until we take serious steps to curb corporate
surveillance, the risks to our citizens and country will only grow as
bad actors continue to steal and stockpile our data. The FTC will need
to act decisively to protect families, businesses, and our country from
these unquantifiable harms.
[FR Doc. 2020-04610 Filed 3-5-20; 8:45 am]
BILLING CODE 6750-01-P