Standards for Safeguarding Customer Information, 70062-70067 [2021-25064]

Download as PDF 70062 71.1 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Proposed Rules [Amended] 2. The incorporation by reference in 14 CFR 71.1 of FAA Order JO 7400.11F, Airspace Designations and Reporting Points, dated August 10, 2021, and effective September 15, 2021, is amended as follows: ■ Paragraph 6005 Class E Airspace Areas Extending Upward From 700 Feet or More Above the Surface of the Earth. * * * * * AGL OH E5 Dayton, OH [Establish] Moraine Air Park, OH (Lat. 39°40′56″ N, long. 84°14′24″ W) That airspace extending upward from 700 feet above the surface within an 6.3-mile radius of the Moraine Air Park. Issued in Fort Worth, Texas, on December 6, 2021. Steven T. Phillips, Acting Manager, Operations Support Group, ATO Central Service Center. [FR Doc. 2021–26639 Filed 12–8–21; 8:45 am] BILLING CODE 4910–13–P FEDERAL TRADE COMMISSION 16 CFR Part 1 [File No. R207004] Petition for Rulemaking of Randall David Marks Federal Trade Commission. Receipt of petition; request for comment. AGENCY: ACTION: Please take notice that the Federal Trade Commission (‘‘Commission’’) received a petition for rulemaking from Randall David Marks, and has published that petition online at https://www.regulations.gov. The Commission invites written comments concerning the petition. Publication of this petition is pursuant to the Commission’s Rules of Practice and Procedure, and does not affect the legal status of the petition or its final disposition. DATES: Comments must identify the petition docket number and be filed by January 10, 2022. ADDRESSES: You may view the petition, identified by docket number FTC–2021– 0066, and submit written comments concerning its merits by using the Federal eRulemaking Portal at https:// www.regulations.gov. Follow the online instructions for submitting comments. Do not submit sensitive or confidential information. You may read background documents or comments received at https://www.regulations.gov at any time. FOR FURTHER INFORMATION CONTACT: Daniel Freer, Office of the Secretary, khammond on DSKJM1Z7X2PROD with PROPOSALS SUMMARY: VerDate Sep<11>2014 16:45 Dec 08, 2021 Jkt 256001 Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC, 20580, dfreer@ftc.gov, (202) 326– 2663. Pursuant to Section 18(a)(1)(B) of the Federal Trade Commission Act, 15 U.S.C. 57a(1)(B), and FTC Rule 1.31(f), 16 CFR 1.31(f), notice is hereby given that the above-captioned petition has been filed with the Secretary of the Commission and has been placed on the public record for a period of thirty (30) days. Any person may submit comments in support of or in opposition to the petition. All timely and responsive comments submitted in connection with this petition will become part of the public record. The Commission will not consider the petition’s merits until after the comment period closes. Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential’’—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). SUPPLEMENTARY INFORMATION: Authority: 15 U.S.C. 46; 15 U.S.C. 57a; 5 U.S.C. 601 note. Supplemental notice of proposed rulemaking; request for public comment. ACTION: The Commission requests public comment on its proposal to further amend the Standards for Safeguarding Customer Information (‘‘Safeguards Rule’’ or ‘‘Rule’’) to require financial institutions to report to the Commission any security event where the financial institutions have determined misuse of customer information has occurred or is reasonably likely and at least 1,000 consumers have been affected or reasonably may be affected. DATES: Written comments must be received on or before February 7, 2022. ADDRESSES: Interested parties may file a comment online or on paper by following the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ‘‘Safeguards Rule, 16 CFR part 314, Project No. P145407,’’ on your comment and file your comment online at https:// www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex B), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: David Lincicum, Katherine McCarron, or Robin Wetherill, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326– 2773, (202) 326–2333, or (202) 326– 2220. SUMMARY: SUPPLEMENTARY INFORMATION: April J. Tabor, Secretary. I. Background [FR Doc. 2021–26611 Filed 12–8–21; 8:45 am] BILLING CODE 6750–01–P FEDERAL TRADE COMMISSION 16 CFR Part 314 RIN 3084–AB35 Standards for Safeguarding Customer Information Federal Trade Commission (‘‘FTC’’ or ‘‘Commission’’). Congress enacted the Gramm Leach Bliley Act (‘‘GLBA’’) in 1999.1 The GLBA provides a framework for regulating the privacy and data security practices of a broad range of financial institutions. Among other things, the GLBA requires financial institutions to provide customers with information about the institutions’ privacy practices and about their opt-out rights, and to implement security safeguards for customer information. AGENCY: PO 00000 Frm 00007 Fmt 4702 Sfmt 4702 1 Public E:\FR\FM\09DEP1.SGM Law 106–102, 113 Stat. 1338 (1999). 09DEP1 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Proposed Rules Subtitle A of Title V of the GLBA required the Commission and other Federal agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information.2 Pursuant to the Act’s directive, the Commission promulgated the Safeguards Rule in 2002. The Safeguards Rule became effective on May 23, 2003. II. Regulatory Review of the Safeguards Rule On September 7, 2016, the Commission solicited comments on the Safeguards Rule as part of its periodic review of its rules and guides.3 The Commission sought comment on a number of general issues, including the economic impact and benefits of the Rule; possible conflicts between the Rule and state, local, or other Federal laws or regulations; and the effect on the Rule of any technological, economic, or other industry changes. The Commission received 28 comments from individuals and entities representing a wide range of viewpoints.4 Most commenters agreed there is a continuing need for the Rule and it benefits consumers and competition.5 On April 4, 2019, the Commission issued a notice of proposed rulemaking (NPRM) setting forth proposed amendments to the Safeguards Rule.6 In response, the Commission received 49 comments from various interested parties including industry groups, consumer groups, and individual consumers.7 On July 13, 2020, the 2 See 15 U.S.C. 6801(b), 6805(b)(2). Rule, Request for Comment, 81 FR 61632 (Sept. 7, 2016). 4 The 28 public comments received prior to March 15, 2019, are posted at: https://www.ftc.gov/ policy/public-comments/initiative-674. 5 See, e.g., Mortgage Bankers Association, (comment 39); National Automobile Dealers Association, (comment 40; Data & Marketing Association, (comment 38); Electronic Transactions Association, (comment 24; State Privacy & Security Coalition, (comment 26). 6 FTC Notice of Proposed Rulemaking (‘‘NPRM’’), 84 FR 13158 (April 4, 2019). 7 The 49 relevant public comments received on or after March 15, 2019, can be found at Regulations.gov. See FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 314, Project No. P145407, https://www.regulations.gov/docketBrowser?rpp= 25&so=ASC&sb=docId&po=25&dct=PS&D=FTC2019-0019&refD=FTC-2019-0019-0011. The 11 relevant public comments relating to the subject matter of the July 13, 2020, workshop can be found at: https://www.regulations.gov/ docketBrowser?rpp=25&so=ASC&sb=docId&po= 0&dct=PS&D=FTC-2020-0038. This notice cites comments using the last name of the individual submitter or the name of the organization, followed by the number based on the last two digits of the comment ID number. khammond on DSKJM1Z7X2PROD with PROPOSALS 3 Safeguards VerDate Sep<11>2014 16:45 Dec 08, 2021 Jkt 256001 Commission held a workshop concerning the proposed changes and conducted panels with information security experts discussing subjects related to the proposed amendments.8 The Commission received 11 comments following the workshop. After reviewing the initial comments to the NPRM, conducting the workshop, and then reviewing the comments received following the workshop, the Commission issued final amendments to the Safeguards Rule on October 8, 2021, which are published elsewhere in this issue of the Federal Register. III. Proposal for Requirement that Financial Institutions Report Security Events to the Commission In the NPRM, the Commission explained its proposed amendments to the Safeguards Rule were based primarily on the cybersecurity regulations issued by the New York Department of Financial Services, 23 NYCRR 500 (‘‘Cybersecurity Regulations’’).9 The Commission also noted the Cybersecurity Regulations require covered entities to report security events to the superintendent of the Department of Financial Services.10 Relatedly, Federal agencies enforcing the GLBA have required financial institutions to provide notice to the regulator, and in some instances notice to consumers as well, for many years.11 Although the Commission did not include a similar reporting requirement in the NPRM, it did seek comment on whether the Safeguards Rule should be amended to require that financial institutions report security events to the Commission. Specifically, the Commission requested comments on whether such a requirement should be added and, if so, (1) the appropriate deadline for reporting security events after discovery; (2) whether all security events should require notification or 8 See FTC, Information Security and Financial Institutions: FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020), https://www.ftc.gov/ system/files/documents/public_events/1567141/ transcript-glb-safeguards-workshop-full.pdf. 9 NPRM, 84 FR at 13163. 10 Id. at 13169. 11 See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (originally issued by the Office of the Comptroller of the Currency; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; and the Office of Thrift Supervision), 70 FR 15736, 15752 (Mar. 29, 2005), https://www.occ.treas.gov/ news-issuances/federal-register/2005/70fr15736.pdf (‘‘At a minimum, an institution’s response program should contain procedures for the following: . . . Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below; [and notifying] customers when warranted’’). PO 00000 Frm 00008 Fmt 4702 Sfmt 4702 70063 whether notification should be required only under certain circumstances, such as a determination of a likelihood of harm to customers or that the event affects a certain number of customers; (3) whether such reports should be made public; (4) whether events involving encrypted information should be included in the requirement; and (5) whether the requirement should allow law enforcement agencies to prevent or delay notification if notification would affect law-enforcement investigations.12 Several commenters supported adding a reporting requirement.13 For example, the Princeton University Center for Information Technology Policy (‘‘PUCITP’’) noted such a reporting requirement would ‘‘provide the Commission with valuable information about the scope of the problem and the effectiveness of security measures across different entities’’ and it would ‘‘also help the Commission coordinate responses to shared threats.’’ 14 PUCITP also recommended all security events that affect a certain number of customers should be reported without regard to the likelihood of harm and such reports should be made public.15 The National Association of FederallyInsured Credit Unions (‘‘NAFCU’’) argued requiring financial institutions to report security events to the Commission would provide an ‘‘appropriate incentive for covered financial companies to disclose information to consumers and relevant regulatory bodies.’’ 16 NAFCU also suggested notification requirements are important because they ‘‘ensure independent assessment of whether a security incident represents a threat to consumer privacy.’’ 17 Two commenters opposed the inclusion of a reporting requirement.18 The American Council on Education (‘‘ACE’’) argued such a requirement ‘‘would simply add another layer on top of an already crowded list of federal and state law enforcement contacts and state 12 Id. 13 Consumer Reports, (comment 52), at 6; Princeton University Center for Information Technology Policy, (comment 54), at 7; Credit Union National Association, (comment 30), at 2; Heartland Credit Union Association, (comment 42), at 2; National Association of Federally-Insured Credit Unions, (comment 43), at 1–2. 14 Princeton University Center for Information Technology Policy, (comment 54), at 7. 15 Id. 16 National Association of Federally-Insured Credit Unions, (comment 43), at 1. 17 Id. at 1–2. 18 National Independent Automobile Dealers Association, (comment 48), at 7; American Council on Education, (comment 24), at 15. E:\FR\FM\09DEP1.SGM 09DEP1 70064 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Proposed Rules khammond on DSKJM1Z7X2PROD with PROPOSALS breach reporting requirements.’’ 19 ACE also suggested any notification requirement should be limited to a more restricted definition of ‘‘security event’’ than the definition in the proposed Rule, so financial institutions would only be required to report incidents that could lead to consumer harm.20 The National Independent Automobile Dealers Association noted it ‘‘objects to any proposed amendment that would require a financial institution to report security events to the FTC.’’ 21 After reviewing the comments, the Commission proposes amending the Safeguards Rule to require financial institutions to report to the Commission certain security events as soon as possible, and no later than 30 days after discovery of the event. Such reports would ensure the Commission is aware of security events that could suggest a financial institution’s security program does not comply with the Rule’s requirements, thus facilitating Commission enforcement of the Rule. While many states already require notice of certain breaches, the state law requirements vary as to whether notice to the state regulator is required and as to whether such breach notifications are made public. To the extent state law already requires notification to consumers or state regulators, moreover, there is little additional burden in providing notice to the Commission as well. In order to address concerns expressed by commenters that a reporting requirement would add additional burden to financial institutions, the Commission proposes limiting the reporting requirement to only those security events where the financial institutions determine misuse of customer information has occurred or is reasonably likely, and where at least 1,000 consumers have been affected or reasonably may be affected.22 The notice to the Commission would involve a limited set of information, as typically required under existing breach notification requirements.23 Financial institutions would be required to promptly provide the Commission: (1) The name and contact information of the reporting financial institution; (2) a description of the types of information involved in the security event; (3) if the 19 American Council on Education, (comment 24), at 15. 20 Id. 21 National Independent Automobile Dealers Association, (comment 48), at 7. 22 See Princeton University Center for Information Technology Policy, (comment 54), at 7 (endorsing notification requirement for events that affect at least a certain number of consumers). 23 See, e.g., 23 CRR–NY 500.17; Cal. Civil Code 1798.82; Tex. Bus. & Com. Code 521.053; Fla. Stat. 501.171. VerDate Sep<11>2014 16:45 Dec 08, 2021 Jkt 256001 information is possible to determine, the date or date range of the security event; and (4) a general description of the security event. To further reduce costs, the Commission proposes the notice be provided electronically through a form located on the FTC’s website, https:// www.ftc.gov. The Commission will input the information it receives from affected financial institutions into a database that it will update periodically and make available to the public. The FTC does not believe the information to be provided to the Commission under the proposed reporting requirement will include confidential or proprietary information and, as a result, does not anticipate providing a mechanism for financial institutions to request confidential treatment of the information. The Commission invites comments on its proposed amendment requiring financial institutions to report certain security events to the Commission. Specifically, commenters may wish to address the following: (1) The information to be contained in any notice to the Commission. Is the proposed list of elements sufficient? Should there be additional information? Less? (2) Whether the Commission’s proposed threshold for requiring notice—for those security events for which misuse of the information of 1,000 or more consumers has occurred or is reasonably likely to occur—is the appropriate one. What about security events in which misuse is possible, but not likely? Should there be a carve-out for security events solely involving encrypted data? (3) The timing for notification to be given to the Commission. Is the current proposal of a maximum of 30 days after discovery of the security event reasonable? Is a shorter period practicable? (4) Whether the requirement should allow law enforcement agencies to prevent or delay notification if notification to the Commission would affect law-enforcement investigations. The proposed rule does not include such a requirement. Comments are also welcome on whether such a law enforcement right to prevent or delay notification is only necessary to the extent notices are made public. (5) Whether the information reported to the Commission should be made public. Should the Commission permit affected financial institutions to request confidential treatment of the required information? If so, under what circumstances? Should affected financial institutions be allowed to PO 00000 Frm 00009 Fmt 4702 Sfmt 4702 request delaying the public publication of the security event information and, if so, on what basis? (6) Whether, instead of implementing a stand-alone reporting requirement, the Commission should only require notification to the Commission whenever a financial institution is required to provide notice of a security event or similar to a governmental entity under another state or Federal statute, rule, or regulation. How would such a provision affect the Commission’s ability to enforce the Rule? Would such an approach affect the burden on financial institutions? Would such an approach generate consistent reporting due to differences in applicable laws? (7) Whether a notification requirement should be included at all. (8) Whether notification to consumers, as well as to the Commission, should be required, and if so, under what circumstances. IV. Section-by-Section Analysis Proposed Amendments to § 314.4: Elements The proposed amendment to § 314.4 would add a new paragraph (j). Proposed paragraph (j) would require financial institutions that experience a security event in which the misuse of customer information has occurred or is reasonably likely, and at least 1,000 consumers have been affected or reasonably may be affected, to provide notice of the security event to the Commission. Proposed paragraph (j) would also require that any such notice be made electronically on a form on the FTC’s website, https://www.ftc.gov, within 30 days from discovery of the security event and include the following information: (1) The name and contact information of the reporting financial institution; (2) a description of the types of information involved in the security event; (3) if the information is possible to determine, the date or date range of the security event; and (4) a general description of the security event. Proposed Amendments to § 314.5: Effective Date The proposed amendment to § 314.5 states the proposed reporting requirement would not be effective until six months after the publication of a final rule. The effective date of this element would be delayed to allow financial institutions appropriate time to incorporate such a reporting requirement into their security event response plans. All other requirements under the Safeguards Rule would remain in effect during this six-month E:\FR\FM\09DEP1.SGM 09DEP1 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Proposed Rules khammond on DSKJM1Z7X2PROD with PROPOSALS period. The Commission welcomes comment on this approach. V. Request for Comment You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before February 7, 2022. Write ‘‘Safeguards Rule, 16 CFR part 314, Project No. P145407’’ on the comment. Precautions related to the COVID–19 pandemic, along with the agency’s heightened security screening, will cause postal mail addressed to the Commission to be delayed. We strongly encourage you to submit your comments online. To make sure the Commission considers your online comment, you must file it through the https:// www.regulations.gov website by following the instructions on the webbased form provided. Your comment— including your name and your state— will be placed on the public record of this proceeding, including the https:// www.regulations.gov website. If you file your comment on paper, write ‘‘Safeguards Rule, 16 CFR part 314, Project No. P145407’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610, Washington, DC 20024. If possible, please submit your paper comment to the Commission by courier or overnight service. Because your comment will be placed on the public record, you are solely responsible for making sure your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential,’’ as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule § 4.10(a)(2), 16 CFR 4.10(a)(2), VerDate Sep<11>2014 16:45 Dec 08, 2021 Jkt 256001 including in particular, competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comments to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public website—as legally required by FTC Rule § 4.9(b)—we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments it receives on or before February 7, 2022. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/ site-information/privacy-policy. VI. Communications by Outside Parties to the Commissioners or Their Advisors Written communications and summaries or transcripts of oral communications respecting the merits of this proceeding, from any outside party to any Commissioner or Commissioner’s advisor, will be placed on the public record.24 70065 unless it displays a currently valid OMB control number. The proposed reporting requirement discussed above constitutes a ‘‘collection of information’’ for purposes of the PRA.25 As required by the PRA, the FTC has submitted this proposed information collection requirement to OMB for its review, and staff has estimated the paperwork burden for this requirement as set forth below. The proposed reporting requirement will only affect those financial institutions that suffer a security event in which the misuse of customer information has occurred or is reasonably likely and that affects, or reasonably may affect, at least 1,000 consumers. Therefore, FTC staff estimates the proposed reporting requirement will affect approximately 110 financial institutions each year.26 FTC staff anticipates the burden associated with the proposed reporting requirement will consist of the time necessary to compile the requested information and report it via the electronic form located on the Commission’s website. FTC staff estimates this will require approximately five hours for affected financial institutions, for a total annual burden of approximately 550 hours (110 responses × 5 hours). The Commission does not believe the proposed reporting requirement would impose any new investigative costs on financial institutions. The information about security events requested in the proposed reporting requirement (i.e., a general description of the event, the types of information affected, and the dates of the event) is information the Commission believes financial institutions would acquire in the normal course of responding to a security event. In addition, in many cases, the information requested by the proposed reporting requirement is similar to information entities are required to disclose under various states’ data breach notification laws.27 As a result, VII. Paperwork Reduction Act The Paperwork Reduction Act (‘‘PRA’’), 44 U.S.C. 3501 et seq., requires Federal agencies to obtain Office of Management and Budget (‘‘OMB’’) approval before undertaking a collection of information directed to ten or more persons. Pursuant to the regulations implementing the PRA (5 CFR 1320.8(b)(2)(vi)), an agency may not collect or sponsor the collection of information, nor may it impose an information collection requirement, 24 See PO 00000 16 CFR 1.26(b)(5). Frm 00010 Fmt 4702 Sfmt 4702 25 44 U.S.C. 3502(3)(A)(i). to the Identity Theft Resource Center, 108 entities in the ‘‘Banking/Credit/ Financial’’ category suffered data breaches in 2019. 2019 End-of-Year Data Breach Report, Identity Theft Resource Center, available at: https:// www.idtheftcenter.org/wp-content/uploads/2020/ 01/01.28.2020_ITRC_2019-End-of-Year-DataBreach-Report_FINAL_Highres-Appendix.pdf. Although this number may exclude some entities covered by the Safeguards Rule but not contained in the ‘‘Banking/Credit/Financial’’ category, not every security event will trigger the reporting obligations in the proposed requirement. Therefore, the Commission believes 110 to be a reasonable estimate. 27 See, e.g., Cal. Civil Code 1798.82; Tex. Bus. & Com. Code 521.053; Fla. Stat. 501.171. 26 According E:\FR\FM\09DEP1.SGM 09DEP1 70066 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Proposed Rules khammond on DSKJM1Z7X2PROD with PROPOSALS FTC staff estimates the additional costs imposed by the proposed reporting requirement will be limited to the administrative costs of compiling the requested information and reporting it to the Commission on an electronic form located on the Commission’s website. FTC staff derives the associated labor cost by calculating the hourly wages necessary to prepare the required reports. Staff anticipates required information will be compiled by information security analysts in the course of assessing and responding to a security event, resulting in 3 hours of labor at a mean hourly wage of $50.10 (3 hours × $50.10 = $150.30).28 Staff also anticipates affected financial institutions may use attorneys to formulate and submit the required report, resulting in 2 hours of labor at a mean hourly wage of $69.86 (2 hours × $69.86 = $139.72).29 Accordingly, FTC staff estimates the approximate labor cost to be $290 per report (rounded to the nearest dollar). This yields a total annual cost burden of $31,900 (110 annual responses × $290). The Commission proposes to provide an online reporting form on the Commission’s website to facilitate reporting of qualifying security events. As a result, the Commission does not anticipate covered financial institutions will incur any new capital or non-labor costs in complying with the proposed reporting requirement. Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invites comments on: (1) Whether the disclosure requirements are necessary, including whether the information will be practically useful; (2) the accuracy of our burden estimates, including whether the methodology and assumptions used are valid; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of providing the required information to the Commission. All comments should be filed as prescribed in the ADDRESSES section above and must be received on or before February 7, 2022. 28 This figure is derived from the mean hourly wage for Information security analysts. See ‘‘Occupational Employment and Wages–May 2019,’’ Bureau of Labor Statistics, U.S. Department of Labor (March 31, 2020), Table 1 (‘‘National employment and wage data from the Occupational Employment Statistics survey by occupation, May 2019’’), available at https://www.bls.gov/news.release/pdf/ ocwage.pdf. 29 This figure is derived from the mean hourly wage for Lawyers. See ‘‘Occupational Employment and Wages–May 2019,’’ Bureau of Labor Statistics, U.S. Department of Labor (March 31, 2020), Table 1 (‘‘National employment and wage data from the Occupational Employment Statistics survey by occupation, May 2019’’), available at https:// www.bls.gov/news.release/pdf/ocwage.pdf. VerDate Sep<11>2014 16:45 Dec 08, 2021 Jkt 256001 Comments on the proposed information collection requirements subject to review under the PRA should also be submitted to OMB. If sent by U.S. mail, comments should be addressed to Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW, Washington, DC 20503. Comments can also be sent by email to MBX.OMB.OIRA.Submission@ OMB.eop.gov. VIII. Regulatory Flexibility Act The Regulatory Flexibility Act (‘‘RFA’’), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996, requires an agency to either provide an Initial Regulatory Flexibility Analysis with a proposed rule, or certify that the proposed rule will not have a significant impact on a substantial number of small entities.30 The Commission recognizes some affected entities may qualify as small businesses under the relevant thresholds. However, the Commission does not expect the proposed reporting requirement, if adopted, would have the threshold impact on small entities. The proposed reporting requirement will apply to financial institutions that, in many instances, already have an obligation to disclose similar information under certain state laws. This document serves as notification to the Small Business Administration of the agency’s certification of no effect. Although the Commission certifies under the RFA that these proposed amendments would not, if promulgated, have a significant impact on a substantial number of small entities, the Commission has determined it is appropriate to publish an Initial Regulatory Flexibility Analysis to inquire into the impact of the proposed amendments on small entities. The Commission invites comment on the burden on any small entities that would be covered and has prepared the following analysis: 1. Reasons for the Proposed Rule The proposed reporting requirement would ensure the Commission is aware of security events that could suggest a financial institution’s security program does not comply with the Rule’s requirements, thus facilitating Commission enforcement of the Rule. To the extent the reported information is made public, the information will also assist consumers by providing 30 5 PO 00000 U.S.C. 603 et seq. Frm 00011 Fmt 4702 Sfmt 4702 information as to the security of their personal information in the hands of various financial institutions. 2. Statement of Objectives and Legal Basis The objectives of the proposed reporting requirement are discussed above. The legal basis for the proposed requirement is Section 501(b) of the GLBA. 3. Description of Small Entities to Which the Rule Will Apply Determining a precise estimate of the number of small entities 31 is not readily feasible. Financial institutions already covered by the Safeguards Rule include lenders, financial advisors, loan brokers and servicers, collection agencies, financial advisors, tax preparers, and real estate settlement services, to the extent they have ‘‘customer information’’ within the meaning of the Rule. However, it is not known how many of these financial institutions are small entities. The Commission requests comment and information on the number of small entities that would be affected by the proposed reporting requirement. 4. Projected Reporting, Recordkeeping, and Other Compliance Requirements The proposed notification requirement imposes reporting requirements within the meaning of the PRA. The Commission is seeking clearance from OMB for these requirements. Specifically, as outlined above, the proposed reporting requirement will apply to financial institutions that experience a security event in which the misuse of customer information has occurred or is reasonably likely and affects, or reasonably may affect, at least 31 The U.S. Small Business Administration Table of Small Business Size Standards Matched to North American Industry Classification System Codes (‘‘NAICS’’) are generally expressed in either millions of dollars or number of employees. A size standard is the largest a business can be and still qualify as a small business for Federal Government programs. For the most part, size standards are the annual receipts or the average employment of a firm. Depending on the nature of the financial services an institution provides, the size standard varies. By way of example, mortgage and nonmortgage loan brokers (NAICS code 522310) are classified as small if their annual receipts are $8 million or less. Consumer lending institutions (NAICS code 52291) are classified as small if their annual receipts are $41.5 million or less. Commercial banking and savings institutions (NAICS codes 522110 and 522120) are classified as small if their assets are $600 million or less. Assets are determined by averaging the assets reported on businesses’ four quarterly financial statements for the preceding year. The 2019 Table of Small Business Size Standards is available at https:// www.sba.gov/document/support--table-sizestandards. E:\FR\FM\09DEP1.SGM 09DEP1 Federal Register / Vol. 86, No. 234 / Thursday, December 9, 2021 / Proposed Rules 1,000 consumers. If such an event occurs, the affected financial institution may expend costs to provide the Commission with the information required by the proposed reporting requirement. As noted in the PRA analysis above, the estimated annual cost burden for all entities subject to the proposed reporting requirement will be approximately $31,900. 5. Identification of Duplicative, Overlapping, or Conflicting Federal Rules khammond on DSKJM1Z7X2PROD with PROPOSALS 6. Discussion of Significant Alternatives to the Proposed Amendment In drafting the proposed reporting requirement, the Commission has made every effort to avoid unduly burdensome requirements for entities. The proposed reporting requirement requires only that affected financial institutions provide the Commission with information necessary to assist it in the Commission’s regulatory and enforcement efforts. The proposed rule minimizes burden on all covered financial institutions, including small business, by providing for reporting through an online form on the Commission’s website. In addition, the proposed rule requires only that security events involving at least 1,000 consumers must be reported, which will reduce potential burden on small businesses that retain information on fewer consumers. The Commission has invited comment on the 1,000-consumer threshold and whether an alternative threshold would better serve the goal of ensuring security events are reported while minimizing burden on covered institutions. The Commission welcomes comment on any significant alternative consistent with the GLBA that would minimize the impact on small entities of the proposed reporting requirement. 2. In § 314.4, add paragraph (j) to read as follows: § 314.4 Elements. * * * * (j) When you become aware of a security event, promptly determine the likelihood that customer information has been or will be misused. If you determine that misuse of customer information has occurred or is reasonably likely and that at least 1,000 consumers have been affected or reasonably may be affected, you must notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovery of the event. The notice shall be made electronically on a form to be located on the FTC’s website, https://www.ftc.gov. The notice shall include the following: (1) The name and contact information of the reporting financial institution; (2) A description of the types of information that were involved in the security event; (3) If the information is possible to determine, the date or date range of the security event; and (4) A general description of the security event. ■ 3. Revise § 314.5 to read as follows: § 314.5 Effective date. Section 314.4(j) is effective as of [SIX MONTHS AFTER DATE OF PUBLICATION OF THE FINAL RULE]. By direction of the Commission. Joel Christie, Acting Secretary. For the reasons stated above, the Federal Trade Commission proposes to amend 16 CFR part 314 as follows: [FR Doc. 2021–25064 Filed 12–8–21; 8:45 am] NATIONAL INDIAN GAMING COMMISSION 25 CFR Part 522 RIN 3141–AA73 Submission of Gaming Ordinance or Resolution The National Indian Gaming Commission (NIGC) proposes to amend the Submission of Gaming Ordinance or Resolution under the Indian Gaming PO 00000 Frm 00012 Fmt 4702 Sfmt 4702 You may send comments by any of the following methods: • Federal eRulemaking Portal: Go to http://www.regulations.gov. Follow the instructions for submitting comments. • Email: information@nigc.gov. • Fax: (202) 632–7066. • Mail: National Indian Gaming Commission, 1849 C Street NW, MS 1621, Washington, DC 20240. • Hand Delivery: National Indian Gaming Commission, 90 K Street NE, Suite 200, Washington, DC 20002, between 9 a.m. and 5 p.m., Monday through Friday, except Federal holidays. FOR FURTHER INFORMATION CONTACT: James A. Lewis, National Indian Gaming Commission; Telephone: (202) 632– 7003. ADDRESSES: I. Comments Invited Interested parties are invited to participate in this proposed rulemaking by submitting such written data, views, or arguments as they may desire. Comments providing the factual basis behind supporting the views and suggestions presented are particularly helpful in developing reasoned regulatory decisions on the proposal. BILLING CODE 6750–01–P SUMMARY: Regulatory Act. The proposed rule would amend the regulations controlling the submission and approval requirements of tribal gaming ordinances or resolutions and amendments thereof. Notably, the proposed rule: Authorizes the submission of documents in electronic or physical form; clarifies that the submission requirements applies to amendments of ordinances or resolutions; eliminates the requirement that an Indian tribe provide copies of all gaming regulations with its submission; requires tribes to submit a copy of pertinent governing documents; initiates the 90-day deadline for the NIGC’s Chair ruling upon receipt of a complete submission; and eliminates the requirement that the NICG Chair publish a tribe’s entire gaming ordinance in the Federal Register. DATES: The agency must receive comments on or before January 10, 2022. SUPPLEMENTARY INFORMATION: National Indian Gaming Commission. ACTION: Proposed rule. Consumer protection, Credit, Data protection, Privacy, Trade practices. Jkt 256001 Authority: 15 U.S.C. 6801(b), 6805(b)(2). ■ AGENCY: List of Subjects in 16 CFR Part 314 16:45 Dec 08, 2021 1. The authority citation for part 314 continues to read as follows: ■ * The Commission has not identified any other Federal statutes, rules, or policies currently in effect that would conflict with the proposed reporting requirement. The Commission invites comment on any potentially duplicative, overlapping, or conflicting Federal statutes, rules, or policies. VerDate Sep<11>2014 PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION 70067 II. Background The Indian Gaming Regulatory Act (IGRA or Act), Public Law 100–497, 25 U.S.C. 2701 et seq., was signed into law on October 17, 1988. The Act establishes the National Indian Gaming Commission (NIGC or Commission) and sets out a comprehensive framework for the regulation of gaming on Indian lands. E:\FR\FM\09DEP1.SGM 09DEP1

Agencies

[Federal Register Volume 86, Number 234 (Thursday, December 9, 2021)]
[Proposed Rules]
[Pages 70062-70067]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-25064]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084-AB35


Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').

ACTION: Supplemental notice of proposed rulemaking; request for public 
comment.

-----------------------------------------------------------------------

SUMMARY: The Commission requests public comment on its proposal to 
further amend the Standards for Safeguarding Customer Information 
(``Safeguards Rule'' or ``Rule'') to require financial institutions to 
report to the Commission any security event where the financial 
institutions have determined misuse of customer information has 
occurred or is reasonably likely and at least 1,000 consumers have been 
affected or reasonably may be affected.

DATES: Written comments must be received on or before February 7, 2022.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Request for Comment part of the SUPPLEMENTARY INFORMATION 
section below. Write ``Safeguards Rule, 16 CFR part 314, Project No. 
P145407,'' on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based 
form. If you prefer to file your comment on paper, mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum, Katherine McCarron, or 
Robin Wetherill, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue 
NW, Washington, DC 20580, (202) 326-2773, (202) 326-2333, or (202) 326-
2220.

SUPPLEMENTARY INFORMATION:

I. Background

    Congress enacted the Gramm Leach Bliley Act (``GLBA'') in 1999.\1\ 
The GLBA provides a framework for regulating the privacy and data 
security practices of a broad range of financial institutions. Among 
other things, the GLBA requires financial institutions to provide 
customers with information about the institutions' privacy practices 
and about their opt-out rights, and to implement security safeguards 
for customer information.
---------------------------------------------------------------------------

    \1\ Public Law 106-102, 113 Stat. 1338 (1999).

---------------------------------------------------------------------------

[[Page 70063]]

    Subtitle A of Title V of the GLBA required the Commission and other 
Federal agencies to establish standards for financial institutions 
relating to administrative, technical, and physical safeguards for 
certain information.\2\ Pursuant to the Act's directive, the Commission 
promulgated the Safeguards Rule in 2002. The Safeguards Rule became 
effective on May 23, 2003.
---------------------------------------------------------------------------

    \2\ See 15 U.S.C. 6801(b), 6805(b)(2).
---------------------------------------------------------------------------

II. Regulatory Review of the Safeguards Rule

    On September 7, 2016, the Commission solicited comments on the 
Safeguards Rule as part of its periodic review of its rules and 
guides.\3\ The Commission sought comment on a number of general issues, 
including the economic impact and benefits of the Rule; possible 
conflicts between the Rule and state, local, or other Federal laws or 
regulations; and the effect on the Rule of any technological, economic, 
or other industry changes. The Commission received 28 comments from 
individuals and entities representing a wide range of viewpoints.\4\ 
Most commenters agreed there is a continuing need for the Rule and it 
benefits consumers and competition.\5\
---------------------------------------------------------------------------

    \3\ Safeguards Rule, Request for Comment, 81 FR 61632 (Sept. 7, 
2016).
    \4\ The 28 public comments received prior to March 15, 2019, are 
posted at: https://www.ftc.gov/policy/public-comments/initiative-674.
    \5\ See, e.g., Mortgage Bankers Association, (comment 39); 
National Automobile Dealers Association, (comment 40; Data & 
Marketing Association, (comment 38); Electronic Transactions 
Association, (comment 24; State Privacy & Security Coalition, 
(comment 26).
---------------------------------------------------------------------------

    On April 4, 2019, the Commission issued a notice of proposed 
rulemaking (NPRM) setting forth proposed amendments to the Safeguards 
Rule.\6\ In response, the Commission received 49 comments from various 
interested parties including industry groups, consumer groups, and 
individual consumers.\7\ On July 13, 2020, the Commission held a 
workshop concerning the proposed changes and conducted panels with 
information security experts discussing subjects related to the 
proposed amendments.\8\ The Commission received 11 comments following 
the workshop. After reviewing the initial comments to the NPRM, 
conducting the workshop, and then reviewing the comments received 
following the workshop, the Commission issued final amendments to the 
Safeguards Rule on October 8, 2021, which are published elsewhere in 
this issue of the Federal Register.
---------------------------------------------------------------------------

    \6\ FTC Notice of Proposed Rulemaking (``NPRM''), 84 FR 13158 
(April 4, 2019).
    \7\ The 49 relevant public comments received on or after March 
15, 2019, can be found at Regulations.gov. See FTC Seeks Comment on 
Proposed Amendments to Safeguards and Privacy Rules, 16 CFR part 
314, Project No. P145407, https://www.regulations.gov/docketBrowser?rpp=25&so=ASC&sb=docId&po=25&dct=PS&D=FTC-2019-0019&refD=FTC-2019-0019-0011. The 11 relevant public comments 
relating to the subject matter of the July 13, 2020, workshop can be 
found at: https://www.regulations.gov/docketBrowser?rpp=25&so=ASC&sb=docId&po=0&dct=PS&D=FTC-2020-0038. 
This notice cites comments using the last name of the individual 
submitter or the name of the organization, followed by the number 
based on the last two digits of the comment ID number.
    \8\ See FTC, Information Security and Financial Institutions: 
FTC Workshop to Examine Safeguards Rule Tr. (July 13, 2020), https://www.ftc.gov/system/files/documents/public_events/1567141/transcript-glb-safeguards-workshop-full.pdf.
---------------------------------------------------------------------------

III. Proposal for Requirement that Financial Institutions Report 
Security Events to the Commission

    In the NPRM, the Commission explained its proposed amendments to 
the Safeguards Rule were based primarily on the cybersecurity 
regulations issued by the New York Department of Financial Services, 23 
NYCRR 500 (``Cybersecurity Regulations'').\9\ The Commission also noted 
the Cybersecurity Regulations require covered entities to report 
security events to the superintendent of the Department of Financial 
Services.\10\ Relatedly, Federal agencies enforcing the GLBA have 
required financial institutions to provide notice to the regulator, and 
in some instances notice to consumers as well, for many years.\11\ 
Although the Commission did not include a similar reporting requirement 
in the NPRM, it did seek comment on whether the Safeguards Rule should 
be amended to require that financial institutions report security 
events to the Commission. Specifically, the Commission requested 
comments on whether such a requirement should be added and, if so, (1) 
the appropriate deadline for reporting security events after discovery; 
(2) whether all security events should require notification or whether 
notification should be required only under certain circumstances, such 
as a determination of a likelihood of harm to customers or that the 
event affects a certain number of customers; (3) whether such reports 
should be made public; (4) whether events involving encrypted 
information should be included in the requirement; and (5) whether the 
requirement should allow law enforcement agencies to prevent or delay 
notification if notification would affect law-enforcement 
investigations.\12\
---------------------------------------------------------------------------

    \9\ NPRM, 84 FR at 13163.
    \10\ Id. at 13169.
    \11\ See Interagency Guidance on Response Programs for 
Unauthorized Access to Customer Information and Customer Notice 
(originally issued by the Office of the Comptroller of the Currency; 
the Board of Governors of the Federal Reserve System; the Federal 
Deposit Insurance Corporation; and the Office of Thrift 
Supervision), 70 FR 15736, 15752 (Mar. 29, 2005), https://www.occ.treas.gov/news-issuances/federal-register/2005/70fr15736.pdf 
(``At a minimum, an institution's response program should contain 
procedures for the following: . . . Notifying its primary Federal 
regulator as soon as possible when the institution becomes aware of 
an incident involving unauthorized access to or use of sensitive 
customer information, as defined below; [and notifying] customers 
when warranted'').
    \12\ Id.
---------------------------------------------------------------------------

    Several commenters supported adding a reporting requirement.\13\ 
For example, the Princeton University Center for Information Technology 
Policy (``PUCITP'') noted such a reporting requirement would ``provide 
the Commission with valuable information about the scope of the problem 
and the effectiveness of security measures across different entities'' 
and it would ``also help the Commission coordinate responses to shared 
threats.'' \14\ PUCITP also recommended all security events that affect 
a certain number of customers should be reported without regard to the 
likelihood of harm and such reports should be made public.\15\ The 
National Association of Federally-Insured Credit Unions (``NAFCU'') 
argued requiring financial institutions to report security events to 
the Commission would provide an ``appropriate incentive for covered 
financial companies to disclose information to consumers and relevant 
regulatory bodies.'' \16\ NAFCU also suggested notification 
requirements are important because they ``ensure independent assessment 
of whether a security incident represents a threat to consumer 
privacy.'' \17\
---------------------------------------------------------------------------

    \13\ Consumer Reports, (comment 52), at 6; Princeton University 
Center for Information Technology Policy, (comment 54), at 7; Credit 
Union National Association, (comment 30), at 2; Heartland Credit 
Union Association, (comment 42), at 2; National Association of 
Federally-Insured Credit Unions, (comment 43), at 1-2.
    \14\ Princeton University Center for Information Technology 
Policy, (comment 54), at 7.
    \15\ Id.
    \16\ National Association of Federally-Insured Credit Unions, 
(comment 43), at 1.
    \17\ Id. at 1-2.
---------------------------------------------------------------------------

    Two commenters opposed the inclusion of a reporting 
requirement.\18\ The American Council on Education (``ACE'') argued 
such a requirement ``would simply add another layer on top of an 
already crowded list of federal and state law enforcement contacts and 
state

[[Page 70064]]

breach reporting requirements.'' \19\ ACE also suggested any 
notification requirement should be limited to a more restricted 
definition of ``security event'' than the definition in the proposed 
Rule, so financial institutions would only be required to report 
incidents that could lead to consumer harm.\20\ The National 
Independent Automobile Dealers Association noted it ``objects to any 
proposed amendment that would require a financial institution to report 
security events to the FTC.'' \21\
---------------------------------------------------------------------------

    \18\ National Independent Automobile Dealers Association, 
(comment 48), at 7; American Council on Education, (comment 24), at 
15.
    \19\ American Council on Education, (comment 24), at 15.
    \20\ Id.
    \21\ National Independent Automobile Dealers Association, 
(comment 48), at 7.
---------------------------------------------------------------------------

    After reviewing the comments, the Commission proposes amending the 
Safeguards Rule to require financial institutions to report to the 
Commission certain security events as soon as possible, and no later 
than 30 days after discovery of the event. Such reports would ensure 
the Commission is aware of security events that could suggest a 
financial institution's security program does not comply with the 
Rule's requirements, thus facilitating Commission enforcement of the 
Rule. While many states already require notice of certain breaches, the 
state law requirements vary as to whether notice to the state regulator 
is required and as to whether such breach notifications are made 
public. To the extent state law already requires notification to 
consumers or state regulators, moreover, there is little additional 
burden in providing notice to the Commission as well. In order to 
address concerns expressed by commenters that a reporting requirement 
would add additional burden to financial institutions, the Commission 
proposes limiting the reporting requirement to only those security 
events where the financial institutions determine misuse of customer 
information has occurred or is reasonably likely, and where at least 
1,000 consumers have been affected or reasonably may be affected.\22\ 
The notice to the Commission would involve a limited set of 
information, as typically required under existing breach notification 
requirements.\23\ Financial institutions would be required to promptly 
provide the Commission: (1) The name and contact information of the 
reporting financial institution; (2) a description of the types of 
information involved in the security event; (3) if the information is 
possible to determine, the date or date range of the security event; 
and (4) a general description of the security event. To further reduce 
costs, the Commission proposes the notice be provided electronically 
through a form located on the FTC's website, https://www.ftc.gov.
---------------------------------------------------------------------------

    \22\ See Princeton University Center for Information Technology 
Policy, (comment 54), at 7 (endorsing notification requirement for 
events that affect at least a certain number of consumers).
    \23\ See, e.g., 23 CRR-NY 500.17; Cal. Civil Code 1798.82; Tex. 
Bus. & Com. Code 521.053; Fla. Stat. 501.171.
---------------------------------------------------------------------------

    The Commission will input the information it receives from affected 
financial institutions into a database that it will update periodically 
and make available to the public. The FTC does not believe the 
information to be provided to the Commission under the proposed 
reporting requirement will include confidential or proprietary 
information and, as a result, does not anticipate providing a mechanism 
for financial institutions to request confidential treatment of the 
information.
    The Commission invites comments on its proposed amendment requiring 
financial institutions to report certain security events to the 
Commission. Specifically, commenters may wish to address the following:
    (1) The information to be contained in any notice to the 
Commission. Is the proposed list of elements sufficient? Should there 
be additional information? Less?
    (2) Whether the Commission's proposed threshold for requiring 
notice--for those security events for which misuse of the information 
of 1,000 or more consumers has occurred or is reasonably likely to 
occur--is the appropriate one. What about security events in which 
misuse is possible, but not likely? Should there be a carve-out for 
security events solely involving encrypted data?
    (3) The timing for notification to be given to the Commission. Is 
the current proposal of a maximum of 30 days after discovery of the 
security event reasonable? Is a shorter period practicable?
    (4) Whether the requirement should allow law enforcement agencies 
to prevent or delay notification if notification to the Commission 
would affect law-enforcement investigations. The proposed rule does not 
include such a requirement. Comments are also welcome on whether such a 
law enforcement right to prevent or delay notification is only 
necessary to the extent notices are made public.
    (5) Whether the information reported to the Commission should be 
made public. Should the Commission permit affected financial 
institutions to request confidential treatment of the required 
information? If so, under what circumstances? Should affected financial 
institutions be allowed to request delaying the public publication of 
the security event information and, if so, on what basis?
    (6) Whether, instead of implementing a stand-alone reporting 
requirement, the Commission should only require notification to the 
Commission whenever a financial institution is required to provide 
notice of a security event or similar to a governmental entity under 
another state or Federal statute, rule, or regulation. How would such a 
provision affect the Commission's ability to enforce the Rule? Would 
such an approach affect the burden on financial institutions? Would 
such an approach generate consistent reporting due to differences in 
applicable laws?
    (7) Whether a notification requirement should be included at all.
    (8) Whether notification to consumers, as well as to the 
Commission, should be required, and if so, under what circumstances.

IV. Section-by-Section Analysis

Proposed Amendments to Sec.  314.4: Elements

    The proposed amendment to Sec.  314.4 would add a new paragraph 
(j). Proposed paragraph (j) would require financial institutions that 
experience a security event in which the misuse of customer information 
has occurred or is reasonably likely, and at least 1,000 consumers have 
been affected or reasonably may be affected, to provide notice of the 
security event to the Commission. Proposed paragraph (j) would also 
require that any such notice be made electronically on a form on the 
FTC's website, https://www.ftc.gov, within 30 days from discovery of 
the security event and include the following information: (1) The name 
and contact information of the reporting financial institution; (2) a 
description of the types of information involved in the security event; 
(3) if the information is possible to determine, the date or date range 
of the security event; and (4) a general description of the security 
event.

Proposed Amendments to Sec.  314.5: Effective Date

    The proposed amendment to Sec.  314.5 states the proposed reporting 
requirement would not be effective until six months after the 
publication of a final rule. The effective date of this element would 
be delayed to allow financial institutions appropriate time to 
incorporate such a reporting requirement into their security event 
response plans. All other requirements under the Safeguards Rule would 
remain in effect during this six-month

[[Page 70065]]

period. The Commission welcomes comment on this approach.

V. Request for Comment

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before February 7, 
2022. Write ``Safeguards Rule, 16 CFR part 314, Project No. P145407'' 
on the comment. Precautions related to the COVID-19 pandemic, along 
with the agency's heightened security screening, will cause postal mail 
addressed to the Commission to be delayed. We strongly encourage you to 
submit your comments online. To make sure the Commission considers your 
online comment, you must file it through the https://www.regulations.gov website by following the instructions on the web-
based form provided. Your comment--including your name and your state--
will be placed on the public record of this proceeding, including the 
https://www.regulations.gov website.
    If you file your comment on paper, write ``Safeguards Rule, 16 CFR 
part 314, Project No. P145407'' on your comment and on the envelope, 
and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610, 
Washington, DC 20024. If possible, please submit your paper comment to 
the Commission by courier or overnight service.
    Because your comment will be placed on the public record, you are 
solely responsible for making sure your comment does not include any 
sensitive or confidential information. In particular, your comment 
should not include any sensitive personal information, such as your or 
anyone else's Social Security number, date of birth, driver's license 
number or other state identification number or foreign country 
equivalent, passport number, financial account number, or credit or 
debit card number. You are also solely responsible for making sure your 
comment does not include any sensitive health information, such as 
medical records or other individually identifiable health information. 
In addition, your comment should not include any ``trade secret or any 
commercial or financial information which . . . is privileged or 
confidential,'' as provided by Section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule Sec.  4.10(a)(2), 16 CFR 4.10(a)(2), including in 
particular, competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule Sec.  4.9(c). In 
particular, the written request for confidential treatment that 
accompanies the comment must include the factual and legal basis for 
the request and must identify the specific portions of the comments to 
be withheld from the public record. See FTC Rule Sec.  4.9(c). Your 
comment will be kept confidential only if the General Counsel grants 
your request in accordance with the law and the public interest. Once 
your comment has been posted on the public website--as legally required 
by FTC Rule Sec.  4.9(b)--we cannot redact or remove your comment from 
the FTC website, unless you submit a confidentiality request that meets 
the requirements for such treatment under FTC Rule Sec.  4.9(c), and 
the General Counsel grants that request.
    The FTC Act and other laws the Commission administers permit the 
collection of public comments to consider and use in this proceeding as 
appropriate. The Commission will consider all timely and responsive 
public comments it receives on or before February 7, 2022. For 
information on the Commission's privacy policy, including routine uses 
permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

VI. Communications by Outside Parties to the Commissioners or Their 
Advisors

    Written communications and summaries or transcripts of oral 
communications respecting the merits of this proceeding, from any 
outside party to any Commissioner or Commissioner's advisor, will be 
placed on the public record.\24\
---------------------------------------------------------------------------

    \24\ See 16 CFR 1.26(b)(5).
---------------------------------------------------------------------------

VII. Paperwork Reduction Act

    The Paperwork Reduction Act (``PRA''), 44 U.S.C. 3501 et seq., 
requires Federal agencies to obtain Office of Management and Budget 
(``OMB'') approval before undertaking a collection of information 
directed to ten or more persons. Pursuant to the regulations 
implementing the PRA (5 CFR 1320.8(b)(2)(vi)), an agency may not 
collect or sponsor the collection of information, nor may it impose an 
information collection requirement, unless it displays a currently 
valid OMB control number.
    The proposed reporting requirement discussed above constitutes a 
``collection of information'' for purposes of the PRA.\25\ As required 
by the PRA, the FTC has submitted this proposed information collection 
requirement to OMB for its review, and staff has estimated the 
paperwork burden for this requirement as set forth below.
---------------------------------------------------------------------------

    \25\ 44 U.S.C. 3502(3)(A)(i).
---------------------------------------------------------------------------

    The proposed reporting requirement will only affect those financial 
institutions that suffer a security event in which the misuse of 
customer information has occurred or is reasonably likely and that 
affects, or reasonably may affect, at least 1,000 consumers. Therefore, 
FTC staff estimates the proposed reporting requirement will affect 
approximately 110 financial institutions each year.\26\ FTC staff 
anticipates the burden associated with the proposed reporting 
requirement will consist of the time necessary to compile the requested 
information and report it via the electronic form located on the 
Commission's website. FTC staff estimates this will require 
approximately five hours for affected financial institutions, for a 
total annual burden of approximately 550 hours (110 responses x 5 
hours).
---------------------------------------------------------------------------

    \26\ According to the Identity Theft Resource Center, 108 
entities in the ``Banking/Credit/Financial'' category suffered data 
breaches in 2019. 2019 End-of-Year Data Breach Report, Identity 
Theft Resource Center, available at: https://www.idtheftcenter.org/wp-content/uploads/2020/01/01.28.2020_ITRC_2019-End-of-Year-Data-Breach-Report_FINAL_Highres-Appendix.pdf. Although this number may 
exclude some entities covered by the Safeguards Rule but not 
contained in the ``Banking/Credit/Financial'' category, not every 
security event will trigger the reporting obligations in the 
proposed requirement. Therefore, the Commission believes 110 to be a 
reasonable estimate.
---------------------------------------------------------------------------

    The Commission does not believe the proposed reporting requirement 
would impose any new investigative costs on financial institutions. The 
information about security events requested in the proposed reporting 
requirement (i.e., a general description of the event, the types of 
information affected, and the dates of the event) is information the 
Commission believes financial institutions would acquire in the normal 
course of responding to a security event. In addition, in many cases, 
the information requested by the proposed reporting requirement is 
similar to information entities are required to disclose under various 
states' data breach notification laws.\27\ As a result,

[[Page 70066]]

FTC staff estimates the additional costs imposed by the proposed 
reporting requirement will be limited to the administrative costs of 
compiling the requested information and reporting it to the Commission 
on an electronic form located on the Commission's website.
---------------------------------------------------------------------------

    \27\ See, e.g., Cal. Civil Code 1798.82; Tex. Bus. & Com. Code 
521.053; Fla. Stat. 501.171.
---------------------------------------------------------------------------

    FTC staff derives the associated labor cost by calculating the 
hourly wages necessary to prepare the required reports. Staff 
anticipates required information will be compiled by information 
security analysts in the course of assessing and responding to a 
security event, resulting in 3 hours of labor at a mean hourly wage of 
$50.10 (3 hours x $50.10 = $150.30).\28\ Staff also anticipates 
affected financial institutions may use attorneys to formulate and 
submit the required report, resulting in 2 hours of labor at a mean 
hourly wage of $69.86 (2 hours x $69.86 = $139.72).\29\ Accordingly, 
FTC staff estimates the approximate labor cost to be $290 per report 
(rounded to the nearest dollar). This yields a total annual cost burden 
of $31,900 (110 annual responses x $290).
---------------------------------------------------------------------------

    \28\ This figure is derived from the mean hourly wage for 
Information security analysts. See ``Occupational Employment and 
Wages-May 2019,'' Bureau of Labor Statistics, U.S. Department of 
Labor (March 31, 2020), Table 1 (``National employment and wage data 
from the Occupational Employment Statistics survey by occupation, 
May 2019''), available at https://www.bls.gov/news.release/pdf/ocwage.pdf.
    \29\ This figure is derived from the mean hourly wage for 
Lawyers. See ``Occupational Employment and Wages-May 2019,'' Bureau 
of Labor Statistics, U.S. Department of Labor (March 31, 2020), 
Table 1 (``National employment and wage data from the Occupational 
Employment Statistics survey by occupation, May 2019''), available 
at https://www.bls.gov/news.release/pdf/ocwage.pdf.
---------------------------------------------------------------------------

    The Commission proposes to provide an online reporting form on the 
Commission's website to facilitate reporting of qualifying security 
events. As a result, the Commission does not anticipate covered 
financial institutions will incur any new capital or non-labor costs in 
complying with the proposed reporting requirement.
    Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invites 
comments on: (1) Whether the disclosure requirements are necessary, 
including whether the information will be practically useful; (2) the 
accuracy of our burden estimates, including whether the methodology and 
assumptions used are valid; (3) ways to enhance the quality, utility, 
and clarity of the information to be collected; and (4) ways to 
minimize the burden of providing the required information to the 
Commission. All comments should be filed as prescribed in the ADDRESSES 
section above and must be received on or before February 7, 2022.
    Comments on the proposed information collection requirements 
subject to review under the PRA should also be submitted to OMB. If 
sent by U.S. mail, comments should be addressed to Office of 
Information and Regulatory Affairs, Office of Management and Budget, 
Attention: Desk Officer for the Federal Trade Commission, New Executive 
Office Building, Docket Library, Room 10102, 725 17th Street NW, 
Washington, DC 20503. Comments can also be sent by email to 
[email protected].

VIII. Regulatory Flexibility Act

    The Regulatory Flexibility Act (``RFA''), as amended by the Small 
Business Regulatory Enforcement Fairness Act of 1996, requires an 
agency to either provide an Initial Regulatory Flexibility Analysis 
with a proposed rule, or certify that the proposed rule will not have a 
significant impact on a substantial number of small entities.\30\ The 
Commission recognizes some affected entities may qualify as small 
businesses under the relevant thresholds. However, the Commission does 
not expect the proposed reporting requirement, if adopted, would have 
the threshold impact on small entities. The proposed reporting 
requirement will apply to financial institutions that, in many 
instances, already have an obligation to disclose similar information 
under certain state laws.
---------------------------------------------------------------------------

    \30\ 5 U.S.C. 603 et seq.
---------------------------------------------------------------------------

    This document serves as notification to the Small Business 
Administration of the agency's certification of no effect. Although the 
Commission certifies under the RFA that these proposed amendments would 
not, if promulgated, have a significant impact on a substantial number 
of small entities, the Commission has determined it is appropriate to 
publish an Initial Regulatory Flexibility Analysis to inquire into the 
impact of the proposed amendments on small entities. The Commission 
invites comment on the burden on any small entities that would be 
covered and has prepared the following analysis:

1. Reasons for the Proposed Rule

    The proposed reporting requirement would ensure the Commission is 
aware of security events that could suggest a financial institution's 
security program does not comply with the Rule's requirements, thus 
facilitating Commission enforcement of the Rule. To the extent the 
reported information is made public, the information will also assist 
consumers by providing information as to the security of their personal 
information in the hands of various financial institutions.

2. Statement of Objectives and Legal Basis

    The objectives of the proposed reporting requirement are discussed 
above. The legal basis for the proposed requirement is Section 501(b) 
of the GLBA.

3. Description of Small Entities to Which the Rule Will Apply

    Determining a precise estimate of the number of small entities \31\ 
is not readily feasible. Financial institutions already covered by the 
Safeguards Rule include lenders, financial advisors, loan brokers and 
servicers, collection agencies, financial advisors, tax preparers, and 
real estate settlement services, to the extent they have ``customer 
information'' within the meaning of the Rule. However, it is not known 
how many of these financial institutions are small entities. The 
Commission requests comment and information on the number of small 
entities that would be affected by the proposed reporting requirement.
---------------------------------------------------------------------------

    \31\ The U.S. Small Business Administration Table of Small 
Business Size Standards Matched to North American Industry 
Classification System Codes (``NAICS'') are generally expressed in 
either millions of dollars or number of employees. A size standard 
is the largest a business can be and still qualify as a small 
business for Federal Government programs. For the most part, size 
standards are the annual receipts or the average employment of a 
firm. Depending on the nature of the financial services an 
institution provides, the size standard varies. By way of example, 
mortgage and nonmortgage loan brokers (NAICS code 522310) are 
classified as small if their annual receipts are $8 million or less. 
Consumer lending institutions (NAICS code 52291) are classified as 
small if their annual receipts are $41.5 million or less. Commercial 
banking and savings institutions (NAICS codes 522110 and 522120) are 
classified as small if their assets are $600 million or less. Assets 
are determined by averaging the assets reported on businesses' four 
quarterly financial statements for the preceding year. The 2019 
Table of Small Business Size Standards is available at https://www.sba.gov/document/support--table-size-standards.
---------------------------------------------------------------------------

4. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The proposed notification requirement imposes reporting 
requirements within the meaning of the PRA. The Commission is seeking 
clearance from OMB for these requirements.
    Specifically, as outlined above, the proposed reporting requirement 
will apply to financial institutions that experience a security event 
in which the misuse of customer information has occurred or is 
reasonably likely and affects, or reasonably may affect, at least

[[Page 70067]]

1,000 consumers. If such an event occurs, the affected financial 
institution may expend costs to provide the Commission with the 
information required by the proposed reporting requirement. As noted in 
the PRA analysis above, the estimated annual cost burden for all 
entities subject to the proposed reporting requirement will be 
approximately $31,900.

5. Identification of Duplicative, Overlapping, or Conflicting Federal 
Rules

    The Commission has not identified any other Federal statutes, 
rules, or policies currently in effect that would conflict with the 
proposed reporting requirement. The Commission invites comment on any 
potentially duplicative, overlapping, or conflicting Federal statutes, 
rules, or policies.

6. Discussion of Significant Alternatives to the Proposed Amendment

    In drafting the proposed reporting requirement, the Commission has 
made every effort to avoid unduly burdensome requirements for entities. 
The proposed reporting requirement requires only that affected 
financial institutions provide the Commission with information 
necessary to assist it in the Commission's regulatory and enforcement 
efforts. The proposed rule minimizes burden on all covered financial 
institutions, including small business, by providing for reporting 
through an online form on the Commission's website.
    In addition, the proposed rule requires only that security events 
involving at least 1,000 consumers must be reported, which will reduce 
potential burden on small businesses that retain information on fewer 
consumers. The Commission has invited comment on the 1,000-consumer 
threshold and whether an alternative threshold would better serve the 
goal of ensuring security events are reported while minimizing burden 
on covered institutions.
    The Commission welcomes comment on any significant alternative 
consistent with the GLBA that would minimize the impact on small 
entities of the proposed reporting requirement.

List of Subjects in 16 CFR Part 314

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission proposes 
to amend 16 CFR part 314 as follows:

PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

0
1. The authority citation for part 314 continues to read as follows:

    Authority:  15 U.S.C. 6801(b), 6805(b)(2).
0
2. In Sec.  314.4, add paragraph (j) to read as follows:


Sec.  314.4   Elements.

* * * * *
    (j) When you become aware of a security event, promptly determine 
the likelihood that customer information has been or will be misused. 
If you determine that misuse of customer information has occurred or is 
reasonably likely and that at least 1,000 consumers have been affected 
or reasonably may be affected, you must notify the Federal Trade 
Commission as soon as possible, and no later than 30 days after 
discovery of the event. The notice shall be made electronically on a 
form to be located on the FTC's website, https://www.ftc.gov. The 
notice shall include the following:
    (1) The name and contact information of the reporting financial 
institution;
    (2) A description of the types of information that were involved in 
the security event;
    (3) If the information is possible to determine, the date or date 
range of the security event; and
    (4) A general description of the security event.
0
3. Revise Sec.  314.5 to read as follows:


Sec.  314.5   Effective date.

    Section 314.4(j) is effective as of [SIX MONTHS AFTER DATE OF 
PUBLICATION OF THE FINAL RULE].

    By direction of the Commission.
Joel Christie,
Acting Secretary.
[FR Doc. 2021-25064 Filed 12-8-21; 8:45 am]
BILLING CODE 6750-01-P