Standards for Safeguarding Customer Information, 71509-71511 [2022-25201]


[Federal Register Volume 87, Number 225 (Wednesday, November 23, 2022)]
[Rules and Regulations]
[Pages 71509-71511]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-25201]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084-AB35


Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission.

ACTION: Final rule; delay of effectiveness.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission is delaying the effective date of 
portions of the amended Safeguards Rule as published on December 9, 
2021.

DATES: 
    Effective date: This final rule is effective November 23, 2022.
    Applicability date: The applicability of the provisions set forth 
in Sec.  314.5 is delayed from December 9, 2022 until June 9, 2023.

[[Page 71510]]


FOR FURTHER INFORMATION CONTACT: David Lincicum (202-326-2773), 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Final Rule and Delay of Effectiveness

    On December 9, 2021, the Federal Trade Commission (Commission) 
amended the Safeguards Rule, 16 CFR part 314. While portions of the 
amended rule became effective on January 10, 2022, certain provisions 
were originally to become effective December 9, 2022. 16 CFR 314.5.
    The Commission is aware there is a reported shortage of qualified 
personnel to implement information security programs and supply chain 
issues may lead to delays in obtaining necessary equipment for 
upgrading security systems.\1\ In addition, these difficulties were 
exacerbated by the COVID-19 pandemic that has been active as financial 
institutions have attempted to come into compliance with the amended 
Safeguards Rule. These issues may make it difficult for financial 
institutions, especially small ones, to come into compliance with the 
amended Safeguards Rule by December 9, 2022. Accordingly, the 
Commission is delaying the effective date of those portions of the 
Safeguards Rule that were to go into effect on December 9, 2022, until 
June 9, 2023.\2\
---------------------------------------------------------------------------

    \1\ See, e.g., James Legg, ``Confronting the shortage of 
security professionals,'' Forbes.com (Oct. 21, 2021), https://www.forbes.com/sites/forbesbusinesscouncil/2021/10/21/confronting-the-shortage-of-cybersecurity-professionals/; Cyber Seek, 
Cybersecurity Supply/Demand, https://www.cyberseek.org/heatmap.html; 
Robert Triggs, ``The global computer chip shortage explained,'' 
Androidauthority.com (June 5, 2022), https://www.androidauthority.com/computer-chip-shortage-1212941/.
    \2\ The Safeguards Rule's ongoing rulemaking was included in the 
Commission's Spring 2022 Regulatory Agenda, but that Agenda did not 
contemplate this final rule extending the effective date of parts of 
the final rule issued on December 9, 2021. See Fed. Trade Comm'n, 
Standards for Safeguarding Consumer Information, https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202204&RIN=3084-AB35. Pursuant to Section 22(d)(4) of the FTC Act, 15 U.S.C. 57-
b3(d)(4), this Rule was not included in the Commission's Spring 2022 
Regulatory Agenda because the Commission first considered this final 
rule and the reasons supporting it after its approval of the Agenda.
---------------------------------------------------------------------------

II. Administrative Procedure Act

    The Commission is issuing the final rule without prior notice and 
the opportunity for public comment and, as explained below, without the 
delayed effective date ordinarily prescribed by the Administrative 
Procedure Act (APA).\3\ Pursuant to section 553(b)(3)(B) of the APA, 
general notice and the opportunity for public comment are not required 
with respect to a rulemaking when an ``agency for good cause finds (and 
incorporates the finding and a brief statement of reasons therefor in 
the rules issued) that notice and public procedure thereon are 
impracticable, unnecessary, or contrary to the public interest.'' \4\
---------------------------------------------------------------------------

    \3\ 5 U.S.C. 553.
    \4\ Id. at 553(b)(3)(B).
---------------------------------------------------------------------------

    The Commission believes the public interest is best served by 
revising 16 CFR 314.5 to delay the effective date of certain portions 
of the Safeguards Rule and by making such revision effective 
immediately upon publication in the Federal Register. As noted above, 
the COVID-19 pandemic has disrupted economic activity in the United 
States. This has exacerbated a reported shortage of qualified 
information security personnel and supply chain issues that can lead to 
delays involving equipment necessary to upgrade information security 
systems. Delaying the effective date of these portions of the amended 
Safeguards Rule will allow financial institutions additional time to 
effectively and efficiently bring their information security programs 
into compliance with the Rule.\5\ For these reasons, the Commission 
finds that there is good cause consistent with the public interest to 
issue the rule without advance notice and comment.\6\
---------------------------------------------------------------------------

    \5\ The revised deadline should also go into effect as soon as 
possible because the original deadline in December 2022 is imminent.
    \6\ See 5 U.S.C. 553(b)(3)(B).
---------------------------------------------------------------------------

    The APA also requires a 30-day delayed effective date, except for 
``(1) substantive rules which grant or recognize an exemption or 
relieve a restriction; (2) interpretative rules and statements of 
policy; or (3) as otherwise provided by the agency for good cause.'' 
\7\ As noted above, the Commission finds there is good cause to revise 
the effective date of the portions of the Safeguards Rule that were 
previously designated to go into effect on December 9, 2022, 
immediately.\8\ The Commission recognizes that, while this rule 
revision goes into effect immediately, the result of the revision is to 
give regulated parties additional time to come into compliance, so they 
would not be prejudiced if the change goes into effect immediately. 
Furthermore, the delay of an effective date of a substantive rule 
requirement is a ``substantive rule[]'' that ``relieve[s] a 
restriction'' for a period of time, which makes it eligible to take 
effect without the ordinary wait of 30 days.\9\
---------------------------------------------------------------------------

    \7\ Id. at 553(d).
    \8\ See id. at 553(d)(3).
    \9\ Id. at 553(d)(1).
---------------------------------------------------------------------------

III. Paperwork Reduction Act

    In accordance with the requirements of the Paperwork Reduction Act 
(PRA), an agency may not conduct or sponsor, and a respondent is not 
required to respond to, an information collection unless it displays a 
currently valid Office of Management and Budget (OMB) control number. 
The Commission has reviewed this final rule pursuant to authority 
delegated by the OMB and has determined it does not contain any 
collections of information pursuant to the PRA.

IV. Regulatory Flexibility Act and Congressional Review Act

    The Regulatory Flexibility Act (RFA) \10\ requires an agency to 
consider whether the rules it proposes will have a significant economic 
impact on a substantial number of small entities. The RFA applies only 
to rules for which an agency publishes a general notice of proposed 
rulemaking pursuant to 5 U.S.C. 553(b). As discussed previously, 
consistent with section 553(b)(3)(B) of the APA, the Commission has 
determined for good cause that general notice and opportunity for 
public comment is unnecessary, and therefore the Commission is not 
issuing a notice of proposed rulemaking. Accordingly, the Commission 
has concluded the RFA's requirements relating to initial and final 
regulatory flexibility analyses do not apply. In any event, the 
extension of the effective date will reduce the burden of complying 
with the Rule for all covered financial institutions, including small 
businesses.
---------------------------------------------------------------------------

    \10\ 5 U.S.C. 601-612.
---------------------------------------------------------------------------

    Pursuant to the Congressional Review Act (5 U.S.C. 801 through 
808), the Office of Information and Regulatory Affairs designated this 
rule as not a ``major rule,'' as defined by 5 U.S.C. 804(2).

List of Subjects in 16 CFR Part 314

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

    For the reasons stated above, the Federal Trade Commission amends 
16 CFR part 314 as follows:

PART 314--STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

1. The authority citation for part 314 continues to read as follows:

    Authority: 15 U.S.C. 6801(b), 6805(b)(2).


2. Revise Sec.  314.5 to read as follows:

[[Page 71511]]

Sec.  314.5  Effective date.

    Sections 314.4(a), (b)(1), (c)(1) through (8), (d)(2), (e), (f)(3), 
(h), and (i) are effective as of June 9, 2023.

    By direction of the Commission.
April J. Tabor,
Secretary.


    Note:  the following statement will not appear in the Code of 
Federal Regulations.

Concurring Statement of Commissioner Christine S. Wilson

    The Safeguards Rule requires financial institutions to develop, 
implement, and maintain a comprehensive information security program to 
protect customer information.\1\ In 2021, the Commission updated the 
Safeguards Rule to add several prescriptive requirements that 
necessitate significant investment to effectively implement.\2\ I voted 
against the revisions to the rule, in part, because I feared the new 
obligations would inhibit flexibility and impose substantial costs, 
especially on small businesses.\3\ Despite assurances that financial 
institutions were already implementing many of the requirements of the 
amended rule or had sophisticated compliance programs that could easily 
adopt and pivot to address new obligations, I was concerned that the 
Commission did not understand fully the economic impact of the proposed 
changes. It has become clear that the Commission may have 
underestimated the burdens imposed by the rule revisions.
---------------------------------------------------------------------------

    \1\ 16 CFR part 314.
    \2\ The amended Rule was published in the Federal Register on 
December 9, 2021. 86 FR 70272 (Dec. 9, 2021). As I noted at the time 
of the final rule's publication, I appreciated Staff's diligent work 
on the Safeguards Rule and commitment to consider input from all 
relevant parties. Staff's continued commitment to address the 
serious concerns of parties impacted by the Safeguards Rule is 
laudable.
    \3\ Dissenting Statement of Commissioner Noah Joshua Phillips 
and Commissioner Christine S. Wilson, Final Rule Amending the Gramm-
Leach-Bliley Act's Safeguards Rule (Oct. 27, 2021), https://www.ftc.gov/system/files/documents/public_statements/1597994/joint_statement_of_commissioners_phillips_and_wilson_in_the_matter_of_regulatory_review_of_the_1.pdf; Dissenting Statement of 
Commissioner Noah Joshua Phillips and Commissioner Christine S. 
Wilson, Review of Safeguards Rule (Mar. 5, 2019), https://www.ftc.gov/system/files/documents/public_statements/1466705/reg_review_of_safeguards_rule_cmr_phillips_wilson_dissent.pdf.
---------------------------------------------------------------------------

    While I continue to note my concerns about the revisions to the 
recently amended Safeguards Rule, I support extending the effective 
date. Labor shortages of qualified personnel have hampered efforts by 
companies to implement information security programs. Some estimates 
place the shortage of cybersecurity professionals in the 500,000 
range.\4\ Supply chain issues also have led to delays in obtaining 
necessary equipment for upgrading systems. These factors are outside 
the control of financial institutions and have complicated efforts by 
companies to meet the requirements of the amended rule by year end.
---------------------------------------------------------------------------

    \4\ Data gathered under a Commerce Department grant indicates 
that there are over 500,000 unfilled cybersecurity job openings. The 
research indicates that nationally, there are only enough 
cybersecurity workers in the United States to fill 68% of the 
cybersecurity jobs that employers demand. Cyber Seek, Cybersecurity 
Supply/Demand Heat Map, https://www.cyberseek.org/heatmap.html (last 
visited Nov. 14, 2022).
---------------------------------------------------------------------------

    The revisions finalized in December 2021 did not merely codify 
basic security practices of most financial institutions. Rather, the 
modifications imposed new onerous, misguided, and complex obligations. 
Safeguarding customer information is important. But it is still unclear 
whether these mandates will translate into a significant reduction in 
data security risks or offer other substantial consumer benefits. 
Regardless of the rule's effects, companies should be given the time 
necessary to correctly implement the final rule's burdensome 
requirements. For these reasons, I support extending the effective date 
until June 2023.

[FR Doc. 2022-25201 Filed 11-22-22; 8:45 am]
BILLING CODE 6750-01-P