CUNA Regulatory Comment Call
August 9, 2001
FTC's Proposed Rule on Safeguarding Information
(MAJOR RULE FOR NON-FEDERALLY-INSURED CREDIT UNIONS. OTHER CREDIT UNIONS MAY ALSO BE INTERESTED IN NOTING THE DIFFERENCES BETWEEN THIS RULE AND THE NCUA RULE THAT APPLIES TO FEDERALLY-INSURED CREDIT UNIONS)
EXECUTIVE SUMMARY
- The Federal Trade Commission (FTC) has issued a proposed rule regarding information security programs in financial institutions that are subject to the FTC's jurisdiction. This rule will apply to the non-federally-insured credit unions that are not subject to the rule issued in January by the National Credit Union Administration (NCUA) and will also apply to credit union service organizations (CUSOs). More information about NCUA's rule is available on the Internet at the following address:
http://www.cuna.org/reg_advocacy/member/analysis/ncua_012301.html
- Similar to NCUA's rule, the FTC rule requires that an information security program include features to ensure the safety and confidentiality of consumer records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a consumer.
- The FTC rule differs from and is less detailed than NCUA's rule. Here are the differences:
  - NCUA's rule includes an appendix with detailed guidelines. The FTC's rule does not include the guidelines, although some of the guideline provisions are included in the FTC rule. The provisions in NCUA's guidelines that are not included in the FTC rule include:
    - Suggestions that the board of directors approve and oversee the information security program and receive reports on the status of the security program. The FTC rule only requires that an employee be designated as responsible for coordinating the information security program.
    - Detailed provisions regarding risk control measures that should be considered.
    - Provisions regarding third-party review of the testing of the key elements of the security program.
    - Suggestions that financial institutions monitor the obligations imposed on service providers.
- The FTC and NCUA rules will apply to financial institutions that collect information. The FTC rule will also apply to financial institutions that receive nonpublic personal information from other financial institutions.
- The FTC rule will be effective one year after it is issued in final form. The NCUA rule was effective as of July 1, 2001.
- Comments are due by October 9, 2001. Please submit your comments to CUNA by October 1, 2001.
Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.com or to Assistant General Counsel Jeffrey Bloch at jbloch@cuna.com; or mail them to Mary or Jeff c/o CUNA's Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. Please contact us if you need more information. You may also contact us if you would like a copy of the proposed rule, or you may access it on the Internet at the following address:
http://www.ftc.gov/os/2001/07/stansafecustinfofrn.htm
BACKGROUND
The Gramm-Leach-Bliley Act (Act) requires the financial institution regulators and certain other agencies, including the FTC, to issue rules regarding privacy and the safeguarding of consumer information. Last year, NCUA issued privacy rules for federally-insured credit unions. These privacy rules require that credit unions disclose their policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information as part of the initial and annual privacy notices that are sent to members. The FTC has issued similar rules that apply to financial institutions that are not covered by the rules of the other agencies, including non-federally insured credit unions and CUSOs. In connection with this requirement, the privacy provisions of the Act require the agencies to establish appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information.
NCUA issued a final rule in January 2001 regarding the safeguarding of member information. That rule applies to federally-insured credit unions and was effective as of July 1, 2001. The FTC has now issued a proposed rule that will apply to non-federally insured credit unions.
DESCRIPTION OF THE PROPOSED RULE
An information security program must be established and include administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the information. The objectives of the program are to ensure the safety and confidentiality of members' records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a member.
Here are the requirements regarding the information security program:
- At least one employee must be designated as the coordinator of the information security program.
- The foreseeable internal and external risks that could result in unauthorized disclosure or misuse of consumer information must be identified, and the sufficiency of the safeguards that are in place must be assessed. This risk assessment should include risks in all relevant areas, including:
  - Employee training and management.
  - Information systems, including information processing, storage, transmission, and disposal.
  - Prevention and response measures for attacks and system failures.
- Safeguards to control the risks identified in the risk assessment described above must be designed and implemented. The effectiveness of the safeguards must be monitored and tested regularly.
- The financial institution must select service providers that are capable of maintaining the appropriate safeguards. The service providers must be required, by contract, to implement and maintain these safeguards.
- The financial institution must also evaluate and adjust the information security program in light of any changes that may affect the safeguards.
The FTC rule differs from and is less detailed than NCUA's rule. Here are the differences:
- NCUA's rule includes an appendix with detailed guidelines. The FTC's rule does not include the guidelines, although some of the guideline provisions are included in the FTC rule. The provisions in NCUA's guidelines that are not included in the FTC rule include:
  - Suggestions that the board of directors approve and oversee the information security program and receive reports on the status of the security program. The FTC rule only requires that an employee be designated as responsible for coordinating the information security program.
  - Detailed provisions regarding risk control measures that should be considered.
  - Provisions regarding third-party review of the testing of the key elements of the security program.
  - Suggestions that financial institutions monitor the obligations imposed on service providers.
- The FTC and NCUA rules will apply to financial institutions that collect information. The FTC rule will also apply to financial institutions that receive nonpublic personal information from other financial institutions.
- The FTC rule will be effective one year after it is issued in final form. The NCUA rule was effective as of July 1, 2001.
QUESTIONS TO CONSIDER REGARDING THE FTC's PROPOSED RULE ON SAFEGUARDING INFORMATION
(Most of these are issues raised by the FTC)
- The FTC's rule is not as detailed as NCUA's. How will this help or hinder your ability to develop an information security program? Should the rule state that following NCUA's rule and guidelines would be considered sufficient for those non-federally insured credit unions that must comply with the FTC's rule?
- In addition to information collected from customers or members of financial institutions, the FTC rule will also cover
nonpublic personal information received from other financial institutions. (Here, financial institutions are broadly defined
to include many types of financial service providers.) Does the burden of this additional requirement outweigh the benefit of
additional protection of this information?
- The FTC rule will apply to a wide variety of financial service providers, many of whom will be larger than the non-federally
insured credit unions that will also be covered. Will this rule impose disproportionate burden on these credit unions? If so, how
can the burden be reduced without compromising an effective information security program?
- The rule specifically requires consideration of risks in the areas of employee training and management, information
systems, and prevention and response measures for attacks and failures. Is the listing of these specific areas helpful or
burdensome and what additional guidance would be useful?
- Is more guidance necessary regarding the safeguards required of service providers? Is it necessary to require a contract with the service provider, or is there an equally protective alternative? Should these provisions apply to all service providers, even though the rules regarding the annual privacy notices do not require contracts with the service providers covered under the exceptions to the consumers' ability to opt out of information sharing?
- The rule will require that security programs be implemented within one year after the FTC rule is finalized. Is this enough
time? Should current contracts with service providers still be effective beyond that time even if they will not be in
compliance with the final rule, similar to the two-year grandfather period that exists in the rules regarding the annual privacy
notices?
- Other comments?
CUNA contacts:
- Eric Richard, General Counsel, (202) 508-6742, erichard@cuna.com
- Mary Mitchell Dunn, SVP & Associate General Counsel, (202) 508-6736, mdunn@cuna.com
- Jeffrey Bloch, Assistant General Counsel, (202) 508-6732, jbloch@cuna.com
- Catherine Orr, Senior Regulatory Counsel, (202) 508-6743, corr@cuna.com