[Federal Register Volume 67, Number 100 (Thursday, May 23, 2002)]
[Rules and Regulations]
[Pages 36483-36494]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-12952]



[[Page 36483]]

-----------------------------------------------------------------------

Part VII





Federal Trade Commission





-----------------------------------------------------------------------



16 CFR Part 314



Standards for Safeguarding Customer Information; Final Rule

Federal Register / Vol. 67 , No. 100 / Thursday, May 23, 2002 / Rules 
and Regulations

[[Page 36484]]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084 AA87


Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (''FTC'' or ''Commission'') is 
issuing a final Safeguards Rule, as required by section 501(b) of the 
Gramm-Leach-Bliley Act (''G-L-B Act'' or ''Act''), to establish 
standards relating to administrative, technical and physical 
information safeguards for financial institutions subject to the 
Commission's jurisdiction. As required by section 501(b), the standards 
are intended to: Ensure the security and confidentiality of customer 
records and information; protect against any anticipated threats or 
hazards to the security or integrity of such records; and protect 
against unauthorized access to or use of such records or information 
that could result in substantial harm or inconvenience to any customer.

EFFECTIVE DATE: This rule is effective on May 23, 2003.

FOR FURTHER INFORMATION CONTACT: Laura D. Berger, Attorney, Division of 
Financial Practices, (202) 326-3224.

SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in 
the following outline:

A. Background
B. Overview of Comments Received
C. Section-by-Section Analysis
D. Paperwork Reduction Act
E. Regulatory Flexibility Act

Section A. Background

    On November 12, 1999, President Clinton signed the G-L-B Act (Pub. 
L. 106-102) into law. The purpose of the Act was to reform and 
modernize the banking industry by eliminating existing barriers between 
banking and commerce. The Act permits banks to engage in a broad range 
of activities, including insurance and securities brokering, with new 
affiliated entities. Subtitle A of Title V of the Act, captioned 
''Disclosure of Nonpublic Personal Information,'' limits the instances 
in which a financial institution may disclose nonpublic personal 
information about a consumer to nonaffiliated third parties, and 
requires a financial institution to disclose certain privacy policies 
and practices with respect to its information sharing with both 
affiliates and nonaffiliated third parties. On May 12, 2000, the 
Commission issued a final rule, Privacy of Consumer Financial 
Information, 16 CFR part 313, which implemented Subtitle A as it 
relates to these requirements (hereinafter ''Privacy Rule'').\1\ The 
Privacy Rule took effect on November 13, 2000, and full compliance was 
required on or before July 1, 2001.
---------------------------------------------------------------------------

    \1\ The rule was published in the Federal Register at 65 FR 
33646 (May 24, 2000).
---------------------------------------------------------------------------

    Subtitle A of Title V also requires the Commission and other 
federal agencies to establish standards for financial institutions 
relating to administrative, technical, and physical safeguards for 
certain information.\2\ See 15 U.S.C. 6801(b), 6805(b)(2). As described 
in the Act, the objectives of these standards are to: (1) Ensure the 
security and confidentiality of customer records and information; (2) 
protect against any anticipated threats or hazards to the security or 
integrity of such records; and (3) protect against unauthorized access 
to or use of such records or information which could result in 
substantial harm or inconvenience to any customer. See 15 U.S.C. 
6801(b)(1)-(3). The Act does not require all of the agencies to 
coordinate in developing their safeguards standards, and does not 
impose a deadline to establish them.\3\ Although the Act permits most 
of the agencies to develop their safeguards standards by issuing 
guidelines, it requires the SEC and the Commission to proceed by 
rule.\4\
---------------------------------------------------------------------------

    \2\ The other agencies responsible for establishing safeguards 
standards are: the Office of the Comptroller of the Currency 
(''OCC''); the Board of Governors of the Federal Reserve System 
(''Board''); the Federal Deposit Insurance Corporation (''FDIC''); 
the Office of Thrift Supervision (''OTS''); the National Credit 
Union Administration (''NCUA''); the Secretary of the Treasury 
(''Treasury''); and the Securities and Exchange Commission 
(''SEC'').
    \3\ By contrast, section 504 of the Act required the Agencies to 
work together to issue consistent and comparable rules to implement 
the Act's privacy provisions.
    \4\ The NCUA and the remaining banking agencies-the OCC, the 
Board, the FDIC, and OTS-have already issued final guidelines that 
are substantively identical. 66 FR 8152 (Jan. 30, 2001); 66 FR 8616 
(Feb. 1, 2001). The SEC also adopted a final safeguards rule as part 
of its Privacy of Consumer Financial Information Final Rule 
(hereinafter ''SEC rule''). See www.sec.gov/rules/final/34-42974.htm 
(June 29, 2000).
---------------------------------------------------------------------------

    On September 7, 2000, the Commission issued for publication in the 
Federal Register a Advanced Notice of Proposed Rulemaking (''the 
ANPR'') on the scope and potential requirements of a Safeguards Rule 
for the financial institutions subject to its jurisdiction.\5\ The 
Commission received thirty comments in response to the ANPR. Based on 
these comments, as well as the safeguards standards already issued by 
the other GLB agencies, the Commission issued a Notice of Proposed 
Rulemaking respecting Standards for Safeguarding Customer Information 
(''the proposal'' or ''the Proposed Rule'') on August 7, 2001.\6\ In 
response to the proposal, the Commission received forty-four comments 
from a variety of interested parties. The Commission now issues a final 
rule governing the safeguarding of customer records and information for 
the financial institutions subject to its jurisdiction (''Safeguards 
Rule'').
---------------------------------------------------------------------------

    \5\ 65 FR 54186.
    \6\ 66 FR 41162. In addition to considering the Banking Agency 
Guidelines, the Commission also considered the Final Report that was 
issued by the Federal Trade Commission Advisory Committee on Online 
Access and Security on May 15, 2000 (''Advisory Committee's Report'' 
or ''ACR''). Although the Advisory Committee's Report addressed 
security only in the online context, the Commission believes that 
its principles have general relevance to information safeguards.
---------------------------------------------------------------------------

    Like the proposal, the Final Rule requires each financial 
institution to develop a written information security program that is 
appropriate to its size and complexity, the nature and scope of its 
activities, and the sensitivity of the customer information at issue. 
As described below, each information security program must include 
certain basic elements to ensure that it addresses the relevant aspects 
of a financial institution's operations and that it keeps pace with 
developments that may have a material impact on its safeguards. In 
developing the Final Rule, the Commission carefully weighed the 
comments, including concerns expressed about the ability of smaller and 
less sophisticated financial institutions to meet the Rule's 
requirements. It also sought to ensure that the Rule mirrored the 
requirements of the guidelines already established by the NCUA and the 
other banking agencies (collectively, ''the Banking Agency 
Guidelines''),\7\ with adjustments as needed to clarify the Rule's 
scope and accommodate the diverse range of entities covered by the 
Commission's Rule. The Commission believes that the Final Rule strikes 
an appropriate balance between allowing flexibility to financial 
institutions and establishing standards for safeguarding customer 
information that are consistent with the Act's goals. As described 
below, the Commission will issue educational materials in connection 
with the Rule in order to assist businesses-and in particular, small 
entities-to comply with its requirements without imposing undue 
burdens.
---------------------------------------------------------------------------

    \7\ See supra n.4.[7]

---------------------------------------------------------------------------

[[Page 36485]]

Section B. Overview of Comments Received

    The comments received were submitted by a variety of interested 
parties: 8 twenty-eight were from trade or other 
associations or companies related to financial or Internet-related 
services; 9 six were from corporations or associations 
related to higher education or the funding of student loans; 
10 five were from individuals; 11 three were from 
information security companies; 12 two were from consumer 
reporting agencies; 13 and one was from a non-profit 
association of consumer agencies.14
---------------------------------------------------------------------------

    \8\ These comments are available on the Commission's Web site, 
at www.ftc.gov.
    \9\ ACA International (''ACA''); America's Community Bankers 
(''ACB''); Associated Credit Bureaus, now renamed the Consumer Data 
Industry Association (''CDIA''); BITS/Financial Services Roundtable 
(''BITS''); Commerce Bankshares, Inc.; Credit Union Nat'l Ass'n 
(''CUNA''); Council of Ins. Agents and Brokers; Debt Buyers Ass'n 
(''DBA''); Ernst & Young LLP (''Ernst & Young''); Financial Planning 
Ass'n (''FPA''); Household Finance Corporation (''Household''); 
Independent Community Bankers of America (''ICB''); Independent Ins. 
Agents of America (''Indep. Ins. Agents''); Intuit Inc. 
(''Intuit''); Information Technology Ass'n of America (''ITAA''); 
MasterCard International (''MasterCard''); Nat'l Ass'n of Indep. 
Insurers (''NAII''); Nat'l Ass'n of Mutual Ins. Cos. (''NAMIC''); 
Nat'l Automotive Dealers Ass'n (''NADA''); Nat'l Retail Federation 
(''NRF''); Navy Federal Credit Union (''NFCU''); Nat'l Indep. 
Automobile Dealers Ass'n (''NIADA''); Navy Federal Financial Group 
(''NFFG''); North American Securities Administrators Ass'n, Inc. 
(''NASAA''); Ohio Credit Union League (''OCUL''); Oracle Corporation 
(''Oracle''); Software & Information Industry Ass'n (''SIIA''); Visa 
USA, Inc. (''Visa'').
    \10\ American Council on Education (''ACE''); Education Finance 
Council and the National Council of Higher Education Loan Programs; 
Nat'l Council of Higher Educ. Loan Programs, Inc.; USA Education, 
Inc. & Student Loan Marketing Ass'n (collectively ''Sallie Mae''); 
Texas Guaranteed Student Loan Corp. (''TGSL''); United Student Aid 
Funds, Inc. (''USA Funds'').
    \11\ Forest Landreth (''Landreth''); Lou Larson (''Larson''); 
Sheila Musgrove (''Musgrove''); David Paas (''Paas''); Norman Post 
(''Post'').
    \12\ Portogo, Inc. (''Portogo''); Tiger Testing; VeriSign, Inc. 
(''VeriSign'').
    \13\ Equifax, Inc (''Equifax''); Experian Information Solutions, 
Inc. (''Experian'').
    \14\ Nat'l Ass'n of Consumer Agency Administrators (''NACAA'').
---------------------------------------------------------------------------

    The majority of commenters supported the proposal overall, citing 
its flexibility \15\ and similarity to the Banking Agency 
Guidelines.\16\ However, as discussed below, commenters expressed 
different views on issues concerning the Rule's scope-in particular, 
whether financial institutions should be responsible for the safeguards 
of their affiliates and service providers and whether the Rule should 
apply to a financial institution that has no customer relationship but 
receives customer information from another financial institution. In 
addition, a number of commenters asked that compliance with alternative 
standards be deemed compliance with the Rule and/or sought to exclude 
certain entities from the Rule's definition of ''service provider.'' 
Finally, numerous commenters urged that the Commission provide guidance 
to businesses-particularly smaller businesses-on how to comply with the 
Rule without incurring undue expense.\17\ As discussed in detail below, 
comments on all of these issues were instrumental in shaping the Final 
Rule.
---------------------------------------------------------------------------

    \15\ See, e.g., Household at 1; Intuit at 2; ITAA at 1; NRF at 
2; Sallie Mae at 2; SIIA at 3; TGSL at 1; Verisign at 2.
    \16\ See, e.g., Visa at 1.
    \17\ See, e.g., ICB at 2; Musgrove at 2; NADA at 2; NIADA at 9; 
Paas at 4-6.
---------------------------------------------------------------------------

    Additional comments, and the Commission's responses thereto, are 
discussed in the following Section-by-Section analysis.

Section C. Section-by-Section Analysis

    Consistent with the proposal, the Safeguards Rule will be part 314 
of 16 CFR, to be entitled ''Standards for Safeguarding Customer 
Information.'' This Part will follow the Privacy Rule, which is 
contained in part 313 of 16 CFR. The following is a section-by-section 
analysis of the Final Rule.

Section 314.1: Purpose and Scope

    Paragraph 314.1(a) states that the Rule is intended to establish 
standards for financial institutions to develop, implement and maintain 
administrative, technical, and physical safeguards to protect the 
security, confidentiality, and integrity of customer information. This 
paragraph also states the statutory authority for the proposed Rule. No 
comments addressed this provision, and the Commission has made no 
changes to it.
    Paragraph 314.1(b) sets forth the scope of the Rule, which applies 
to the handling of customer information by all financial institutions 
over which the FTC has jurisdiction. Because, as noted below, 
''financial institution'' is defined as it is in section 509(3)(A) of 
the Act and the Privacy Rule, the Rule covers a wide range of entities, 
including: non-depository lenders; consumer reporting agencies; debt 
collectors; data processors; courier services; retailers that extend 
credit by issuing credit cards to consumers; personal property or real 
estate appraisers; check-cashing businesses; mortgage brokers, and any 
other entity that meets this definition.\18\ Consistent with the 
proposal, the Safeguards Rule covers any financial institution that is 
handling ''customer information''-i.e., not only financial institutions 
that collect nonpublic personal information from their own customers, 
but also financial institutions that receive customer information from 
other financial institutions.
---------------------------------------------------------------------------

    \18\ Under section 313.3(k)(1) of the Privacy Rule, ''financial 
institution'' means: any institution the business of which is 
engaging in financial activities as described in section 4(k) of the 
Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). An institution 
that is significantly engaged in financial activities is a financial 
institution.
    Additional examples of financial institutions are provided in 
section 313.3(k)(2) of the Privacy Rule.
---------------------------------------------------------------------------

    Comments were split on whether the Rule should apply to customer 
information that a financial institution receives from another 
financial institution. A number of commenters agreed that such 
recipients should be required to maintain safeguards, citing the added 
protections provided by this requirement.\19\ However, one of these 
commenters expressed concern that a recipient financial institution 
could be subject to multiple safeguards standards or even required to 
prepare multiple written safeguards plans if that financial institution 
also acts as a service provider or is subject to other laws, such as 
the Fair Credit Reporting Act, that impose confidentiality 
requirements.\20\ In addition, some commenters opposed covering 
recipients on the grounds that such coverage is: (1) Beyond the intent 
of section 501(a), which refers to a financial institution's obligation 
to ''its customers;'' (2) unnecessary in light of the Rule's separate 
treatment of service providers and affiliates; and/or (3) too 
burdensome.\21\
---------------------------------------------------------------------------

    \19\ See, e.g., Equifax at 1-2; Intuit at 2; NIADA at 2; TGSL at 
1.
    \20\ Equifax at 2.
    \21\ See, e.g., ACA at 2-3; CDIA at 3; Experian at 2; Mastercard 
at 2-3; NAMIC at 2-3; NRF at 3. In addition, one comment stated that 
numerous financial institutions that do not have customer 
relationships of their own could be swept into the Rule in this 
fashion (Visa at 4). Although no commenters identified the types of 
financial institutions that are likely to be so affected, the 
Commission envisions that such entities could include consumer 
reporting agencies, debt collectors, independent check cashers, 
automated teller machine operators, and other businesses that obtain 
customer information from other financial institutions to process 
customer data, facilitate customer transactions, or carry out 
transactions in a consumer context.
---------------------------------------------------------------------------

    After considering the comments, the Commission has determined that 
covering recipient financial institutions is consistent with the 
purpose and language of the Act. The Commission believes that imposing 
safeguards obligations as to customer information that a financial 
institution receives about another institution's customers is the most 
reasonable reading of the statutory language and clearly furthers the 
express congressional policy to

[[Page 36486]]

respect the privacy of these customers and to protect the security and 
confidentiality of their nonpublic personal information. Covering 
recipients will ensure that all financial institutions over which the 
Commission has jurisdiction safeguard customer information and that 
such safeguards are not lost merely because information is shared with 
a third-party financial institution.\22\ The Commission also believes 
that the Rule's provisions for affiliates and service providers, 
discussed below, are not sufficient to address circumstances where 
information is transferred to another financial institution in the 
absence of a service or affiliate relationship, such as for use in debt 
collection or consumer reporting. Without imposing safeguards in such 
cases, customer information would be insufficiently protected and 
Congressional intent to safeguard such information would be undermined. 
Finally, the flexible requirements of the Rule-which allow the 
safeguards to vary according to the size and complexity of a financial 
institution, the nature and scope of its activities, and the 
sensitivity of any customer information at issue-permit entities to 
develop safeguards appropriate to their operations and should minimize 
any burdens on recipient entities.
---------------------------------------------------------------------------

    \22\ Under the Act, the Commission has jurisdiction over ''any 
other financial institution or other person that is not subject to 
the jurisdiction of any agency or authority.'' 15 U.S.C. Section 
6805(7). Thus, the Commission does not have jurisdiction over any 
financial institution that is subject to another Agency's authority 
by the Act, including national banks, bank holding companies and 
savings associations the deposits of which are insured by the FDIC. 
See id. at Section 6805(a)(1)-(6).
---------------------------------------------------------------------------

    Nevertheless, the Commission recognizes that financial institutions 
covered by its Rule also may simultaneously be subject to the Rule's 
requirements for service providers or affiliates.\23\ For example, 
check printers, data processors, and real property appraisers that 
receive customer information as service providers for a financial 
institution will also be directly subject to the rule because they are 
themselves financial institutions.\24\ However, the obligations the 
Rule creates for financial institutions are entirely consistent with 
the standard it requires them to impose on their affiliate or service 
provider, so that each entity ultimately is required to maintain 
safeguards that are appropriate in light of the relevant circumstances. 
Thus, a financial institution that develops an information safeguards 
program according to the Rule will not be faced with additional or 
conflicting requirements merely because it also received customer 
information as an affiliate or service provider.
---------------------------------------------------------------------------

    \23\ As discussed below, the FTC Rule requires financial 
institutions to ensure the safeguards of their affiliates and take 
steps to oversee their service providers' safeguards. See sections 
314.2(b) and 314.4(d), below. What safeguards would be appropriate 
for an affiliate or service provider depends on the facts and 
circumstances, just as it would for a financial institution that is 
directly covered by the Rule.
    \24\ It should be noted that this potential overlap exists for 
all financial institutions that are affiliates or service providers 
of other financial institutions, not just recipient entities.
---------------------------------------------------------------------------

    As under the proposal, the Safeguards Rule does not cover 
recipients of customer information that are not financial institutions, 
and are also neither affiliates nor service providers as defined by the 
Rule. However, the Commission encourages each financial institution to 
take reasonable steps to assure itself that any third party to which it 
discloses customer information has safeguards that are adequate to 
fulfill any representations made by the financial institution regarding 
the security of customer information or the manner in which it is 
handled by third parties.\25\
---------------------------------------------------------------------------

    \25\ Misrepresentations regarding these issues could violate the 
Privacy Rule and Section 5 of the FTC Act.
---------------------------------------------------------------------------

    In addition, as under the proposal, the Safeguards Rule only 
applies to information about a consumer who is a ''customer'' of a 
financial institution within the meaning of the Rule.\26\ This approach 
is consistent with the Banking Agency Guidelines and the majority of 
comments that addressed this issue.\27\ Although the Commission 
believes that limiting the Rule to information about customers is 
warranted by the plain language of section 501 of the Act, the 
Commission notes, as it did in the proposal, that protecting 
information about consumers may be a part of providing reasonable 
safeguards to ''customer information'' where the two types of 
information cannot be segregated reliably. Further, consistent with its 
mandate under section 5 of the FTC Act, the Commission expects that, as 
with customers, any information that a financial institution provides 
to a consumer will be accurate concerning the extent to which 
safeguards apply to them. Finally, the Commission expects that each 
financial institution will have in place at least the administrative or 
other safeguards necessary to honor any ''opt-out'' requests made by 
consumers under the Privacy Rule.
---------------------------------------------------------------------------

    \26\ The Rule incorporates the definition of ''customer'' set 
forth in section 313(h) of the Privacy Rule. See section 314.2(a).
    \27\ See, e.g., ACA at 4; DBA at 1; Mastercard at 1-2; but see 
Intuit at 3-4; NACAA at 1.
---------------------------------------------------------------------------

    Other comments on the Rule's scope urged that compliance with 
various alternative standards should constitute compliance with the 
Safeguards Rule. Several such commenters urged that the Rule permit 
compliance with another agency's safeguards standard in lieu of the 
FTC's. Specifically, commenters urged that: (1) Compliance with the 
SEC's rule constitute compliance with the FTC Rule, so that state 
investment advisors covered by the FTC Rule would be subject to the 
same standards as federal investment advisors, which are subject to the 
SEC's jurisdiction; \28\ (2) non-federally-insured credit unions be 
permitted to comply with the NCUA's guidelines instead of the FTC's 
Rule, so that they would be subject to the same standards as federally-
insured credit unions, which are under the NCUA's jurisdiction; \29\ 
and (3) compliance with the Banking Agency Guidelines \30\ be deemed 
compliance for service providers that may be engaged by banks as well 
as by entities under the FTC's jurisdiction. In addition, other 
commenters requested that compliance with other laws be deemed 
compliance with the Rule, such as the Fair Credit Reporting Act 
(''FCRA''); \31\ the Health Insurance Portability and Accountability 
Act (''HIPAA''); \32\ and the Fair Debt Collection Practices Act 
(''FDCPA'').\33\
---------------------------------------------------------------------------

    \28\ NASAA at 2.
    \29\ CUNA at 1; OCUL at 3.
    \30\ Indep. Ins. Agents at 2.
    \31\ CDIA at 2-3; NIADA at 3.
    \32\ NIADA at 3.
    \33\ ACA at 4-5.
---------------------------------------------------------------------------

    As discussed above in connection with recipient financial 
institutions and others, the Commission does not intend to impose undue 
burdens on entities that already are subject to comparable safeguards 
requirements. In particular, the Commission envisions that any entity 
that can demonstrate compliance with the Banking Agency Guidelines 
(including the substantively identical NCUA Guidelines) will also 
satisfy the Rule. With respect to other rules and laws that may contain 
some safeguards, the Commission notes that the adoption of safeguards 
in furtherance of such rules or laws will be weighted heavily in 
assessing compliance with the Rule. However, because such other rules 
and laws do not necessarily provide comparable protections in terms of 
the safeguards mandated, data covered, and range of circumstances to 
which protections apply, compliance with such standards will not 
automatically ensure compliance with the Rule. For example, an entity's 
compliance with the FCRA, which limits the purposes for which certain 
financial information may be disclosed, will not guarantee that an

[[Page 36487]]

entity has adopted a comprehensive information security plan as 
described in the Rule.

Section 314.2: Definitions

    This section defines terms used in the Safeguards Rule. As under 
the proposal, paragraph (a) makes clear that, unless otherwise stated, 
terms used in the Safeguards Rule bear the same meaning as in the 
Commission's Privacy Rule. The remaining paragraphs (b)-(d) of this 
section define the terms ''customer information,'' ''information 
security program,'' and ''service provider,'' respectively.
    In addressing this section generally, several commenters expressed 
concern that the definitions would be confusing to the extent that they 
differ from those set forth in the Privacy Rule or the Banking Agency 
Guidelines.\34\ In response, the Commission notes that, the terms used 
in the Rule are consistent with those used in the Privacy Rule, and 
differ from those used in the Guidelines only as needed to clarify the 
Rule's scope and make its terms more understandable and appropriate to 
the diverse range of non-bank financial institutions subject to the 
Commission's jurisdiction. Thus, as described below, the Rule defines 
''customer information'' to include information handled by affiliates. 
Similarly, the Rule omits definitions found in the Guidelines, such as 
''Board of Directors'' or ''subsidiary,'' that are not universally 
applicable to entities that will be subject to the Rule.
---------------------------------------------------------------------------

    \34\ See, e.g., Intuit at 4; NADA at 2; NIADA at 2, 4.
---------------------------------------------------------------------------

    Proposed paragraph (b) defined ''customer information'' as any 
record containing nonpublic personal information, as defined in 
paragraph 313.3(n) of the Privacy Rule, about a customer of a financial 
institution, whether in paper, electronic, or other form, that is 
handled or maintained by or on behalf of a financial institution or its 
affiliates.'' Thus, to the extent that a financial institution shares 
customer information with its affiliates, the proposal required it to 
ensure that the affiliates maintain appropriate safeguards for the 
customer information at issue.
    Commenters expressed varying views on whether a financial 
institution should be responsible for its affiliates' safeguards. Some 
commenters agreed that customer information held by affiliates should 
be protected by the Rule.\35\ However, some commenters requested that 
affiliates that are financial institutions subject to the jurisdiction 
of another agency be permitted to comply with the safeguards standards 
of that agency in lieu of the Commission's Rule.\36\ Finally, several 
commenters stated that the Rule should not cover affiliates at all 
because (1) the Act was not meant to cover any entity that is not a 
financial institution and some affiliates may not be financial 
institutions \37\ or (2) the fact that the Act permits financial 
institutions to disclose nonpublic personal information to affiliates 
without providing any notice or opt out indicates that no affiliates 
were intended to be covered by the Act's safeguards provisions.\38\
    The Commission agrees that section 501 of the Act focuses on the 
obligations of financial institutions. It also notes, however, that the 
purpose of the Act is to protect customer information, and that such 
information easily may be shared with companies that are affiliated and 
under common control with such financial institutions. Therefore, the 
Rule imposes obligations only on financial institutions, but gives them 
duties with respect to customer information shared with their 
affiliates. The Commission does not believe that the unrestricted 
sharing that the Act permits among affiliates-including affiliates that 
are not financial institutions-shows an intent to exclude affiliates 
from safeguards obligations. To the contrary, the free sharing the Act 
permits among affiliates warrants a coordinated and consistent approach 
to security. The Commission notes, however, that the duty to ensure 
appropriate safeguards by affiliates arises only if a financial 
institution shares customer information with its affiliates; therefore 
this obligation can, and need only be, addressed as part of such 
sharing arrangements. In addition, the flexible standards of the Rule 
permit entities to develop safeguards appropriate to their operations 
and the sensitivity of the information at issue and should therefore 
minimize burdens on affiliates. Finally, as noted above, the Commission 
agrees that compliance with the Banking Agency Guidelines should 
satisfy the safeguards standards under the Commission's Rule. 
Therefore, any financial institution that can demonstrate its 
compliance with the Guidelines will not be subject to additional 
requirements merely because it is an affiliate of a financial 
institution that is covered by the Rule.
---------------------------------------------------------------------------

    \35\ Equifax at 2-4; Household at 1-2; NACAA at 1; NIADA at 4; 
SIIA at 2. See also NCHELP at 1.
    \36\ See, e.g., Household at 1-2; NCHELP at 2; OCUL at 2; USA 
Funds at 1. See also Equifax at 2.
    \37\ Mastercard at 4-5. See also NRF at 4.
    \38\ NAMIC at 5-6.
---------------------------------------------------------------------------

    Proposed paragraph (c) defined ''information security program'' as 
''the administrative, technical, or physical safeguards'' that a 
financial institution uses ''to access, collect, process, store, use, 
transmit, dispose of, or otherwise handle customer information.'' This 
definition is virtually identical to the Banking Agency Guidelines' 
definition of ''customer information systems.'' See Banking Agency 
Guidelines, section I.C.2.d. Few comments were received on this 
definition. In response to one commenter who urged that this term 
should better describe all of the ways that ''customer information'' 
can be provided to others, the Commission has added the words 
''distribute'' and ''protect'' to this definition.\39\ At the same 
time, the Commission notes that the words ''otherwise handle'' are 
intended to cover other ways that customer information is dealt with 
that are not specifically mentioned in the definition. Thus, the 
definition is adopted with only the minor changes noted above.
---------------------------------------------------------------------------

    \39\ Equifax at 4.
---------------------------------------------------------------------------

    Proposed paragraph (d) defined the term ''service provider'' to 
mean ''any person or entity that receives, maintains, processes, or 
otherwise is permitted access to customer information through its 
provision of services directly to a financial institution that is 
subject to the rule.'' This definition is virtually identical to the 
definition set forth in the Banking Agency Guidelines. See Banking 
Agency Guidelines, section I.C.2.e. Several commenters urged that this 
definition be amended to exclude particular entities from the 
definition of service providers, namely: (1) Accountants and auditors 
\40\ (2) financial institutions that also provide services to banks, 
and are subject to examination under the Bank Service Company Act 
(BSCA); \41\ (3) any service provider that is also an affiliate of a 
financial institution; \42\ and (4) any service provider that receives 
information under the Privacy Rule's general exceptions in Sections 
313.14 and 313.15, and is therefore permitted access to nonpublic 
personal information without need for a specific agreement concerning 
its reuse and redisclosure.\43\
---------------------------------------------------------------------------

    \40\ Ernst & Young at 1-2.
    \41\ Visa at 4.
    \42\ NIADA at 5.
    \43\ NIADA at 6 (but stating that the Rule's obligations for 
service providers are for the most part consistent with the Privacy 
Rule).
---------------------------------------------------------------------------

    The Commission notes that the Banking Agency Guidelines do not 
contain exceptions to the definition of service provider. Thus, some of 
the recommended exceptions could result

[[Page 36488]]

in disparate treatment of entities performing services for a bank and 
entities performing services for a financial institution under the 
FTC's jurisdiction. In addition, no commenters demonstrated that the 
confidentiality requirements that apply to auditors and accountants (or 
other professionals) would address unauthorized access to information 
by third parties, fraud, or any other security issues contemplated by 
the Rule. Further, given the Rule's flexibility, the Commission is 
aware of no duplicative burdens that will result from application of 
the Rule to auditors, accountants, or other professionals, or to 
service providers to, or affiliates of, banks. Finally, the Commission 
has determined that the Rule should apply to all service providers, 
even those that the Privacy Rule does not require to enter into 
agreements concerning reuse and redisclosure of the relevant 
information. Although the Privacy Rule allows certain service providers 
to receive information without entering into confidentiality 
agreements, these confidentiality provisions do not address the range 
of security issues that are contemplated by the Safeguards Rule.
    Other comments sought minor clarifications of the definition of 
service provider. Specifically, commenters asked (1) whether a student 
loan organization is covered where the tasks it performs-passing along 
updated contact information to schools, lenders, loan servicers, and 
others involved in the funding of student loans-could not be carried 
out by financial institutions directly; \44\ and (2) whether 
subservicers, employees and independent contractors of service 
providers are required to maintain separate safeguards.\45\ These 
concerns are addressed as follows: First, although outsourcing often 
involves functions that may be performed in-house, the Commission sees 
no reason to exclude from the Rule service providers that are 
specifically authorized to perform services that a financial 
institution cannot perform itself. Thus, such entities are covered to 
the extent that they meet the definition. Second, the focus of the 
Rule's service provider provisions is clearly on the original service 
provider-the entity that provides services ''directly to a financial 
institution''- and not on subservicers or employees or independent 
contractors of these service providers. Although the original service 
provider should address the practices of these individuals and entities 
in its own security plan, the Rule does not specifically require these 
individual entities to maintain their own safeguards.
---------------------------------------------------------------------------

    \44\ TGSL at 2.
    \45\ Equifax at 4.
---------------------------------------------------------------------------

    For the reasons discussed, the definition of service provider is 
adopted as proposed.

Section 314.3: Standards for Safeguarding Customer Information

    Proposed paragraph (a) of this section set forth the general 
standard that a financial institution must meet to comply with the 
Rule, namely to ''develop, implement, and maintain a comprehensive 
written information security program that contains administrative, 
technical, and physical safeguards'' that are appropriate to the size 
and complexity of the entity, the nature and scope of its activities, 
and the sensitivity of any customer information at issue. This standard 
is highly flexible, consistent with the comments, the Banking Agency 
Guidelines, and the Advisory Committee's Report, which concluded that a 
business should develop ''a program that has a continuous life cycle 
designed to meet the needs of a particular organization or industry.'' 
\46\ See ACR at 18. Paragraph (a) also requires that each information 
security program include the basic elements set forth in proposed 
section 314.4 of the Rule, and be reasonably designed to meet the 
objectives set forth in section 314.3(b). For the reasons discussed 
below, this standard is adopted with only minor changes.
---------------------------------------------------------------------------

    \46\ The adaptability of the standard according to ''the 
sensitivity of information'' mirrors the Advisory Committee's 
finding that ''different types of data warrant different levels of 
protection.'' Id.
---------------------------------------------------------------------------

    As noted above, commenters were generally supportive of the 
proposed standard, citing both its flexibility and its similarity to 
the Banking Agency Guidelines.\47\ In addition, the numerous commenters 
who addressed whether the information security program should be in 
writing were supportive of this requirement,\48\ stating that such a 
requirement is reasonable \49\ and essential to the effective 
implementation and management of safeguards.\50\ At the same time, two 
commenters suggested that the term ''comprehensive'' be deleted to 
avoid implying that the writing itself should be comprehensive.\51\ One 
commenter urged that the Final Rule explicitly state-as was stated in 
the section-by-section analysis of the Proposed Rule \52\-that the 
writing need not be contained in a single document. In response, the 
Commission has amended the standard slightly, so that each financial 
institution must ''develop, implement, and maintain a comprehensive 
information security program that is written in one or more readily 
accessible parts and contains administrative, technical, and physical 
safeguards'' that are appropriate to the size and complexity of the 
entity, the nature and scope of its activities, and the sensitivity of 
any customer information at issue. See paragraph (a). The Commission 
believes that this standard will ensure a comprehensive, coordinated 
approach to security while emphasizing the flexibility of the writing 
requirement.
---------------------------------------------------------------------------

    \47\ See supra nn.15 and 16, and accompanying text.
    \48\ CDIA at 4; Equifax at 5; Intuit at 4; NFCU at 1; NFFG at 1; 
NCHELP at 3; NASAA at 2.
    \49\ See, e.g., NCHELP at 3.
    \50\ See, e.g., Intuit at 4.
    \51\ CDIA at 4; Equifax at 5.
    \52\ 66 FR at 41165.
---------------------------------------------------------------------------

    One commenter requested that the Rule specify that a financial 
institution need not disclose its information security plan to any 
third party other than law enforcers. In response, the Commission notes 
that the Rule itself creates no obligation for a financial institution 
to disclose its information security program. Moreover, the Privacy 
Rule requires a financial institution to disclose to consumers only the 
most general information about its safeguards. See 16 CFR 313.6(a)(8) 
and (c)(6). However, the Safeguards Rule leaves private parties free to 
negotiate disclosure of any safeguards information that may be relevant 
to the business at hand. Further, neither the G-L-B Act nor the Rule 
provides a shield to disclosure that is sought by law enforcement or 
pursuant to court order, subpoena or other legal process.

Section 314.4: Elements

    This section sets forth the general elements that a financial 
institution must include in its information security program. The 
elements create a framework for developing, implementing, and 
maintaining the required safeguards, but leave each financial 
institution discretion to tailor its information security program to 
its own circumstances. Subject to the changes to paragraphs (d) and (e) 
that are set forth below, these elements are adopted as proposed.
1. Paragraph (a)
    Paragraph (a) requires each financial institution to designate an 
employee or employees to coordinate its information security program in 
order to ensure accountability and achieve adequate safeguards. This 
requirement is similar to the Banking Agency Guidelines'

[[Page 36489]]

requirement that each institution involve and report to its Board of 
Directors (see 66 FR 41166, citing Paragraphs III.A. and III.F., 
respectively), but allows designation of any employee or employees to 
better accommodate entities that are not controlled by Boards of 
Directors. Nearly all commenters on this paragraph expressed support, 
noting the importance of establishing a point of contact and citing the 
provision's flexibility.\53\ However, some commenters requested minor 
changes, namely: (1) That the Rule state that a financial institution 
need not designate an employee for each of its subsidiaries; (2) that 
the words ''as appropriate'' be added to the requirement; and (3) that 
the Rule make clear that financial institutions may outsource 
safeguards procedures.\54\ By contrast, one commenter opposed requiring 
financial institutions to designate any individual employee(s), based 
on a concern that customers might attempt to hold such designee(s) 
individually liable for any breach of security that occurs.\55\
---------------------------------------------------------------------------

    \53\ See, e.g., Intuit at 4; Mastercard at 6-7; NACAA at 1-2; 
NCHELP at 3; Sallie Mae at 3; SIIA at 2; Visa at 2.
    \54\ Sallie Mae at 3; Equifax at 6; NRF at 5, respectively.
    \55\ NIADA at 6.
---------------------------------------------------------------------------

    The Commission recognizes the importance of reserving to financial 
institutions the flexibility to select and designate the employee(s) 
that are needed to ensure accountability and achieve adequate 
safeguards. The Commission is particularly concerned that small 
institutions not be burdened disproportionately by this paragraph (or 
by other requirements) of the Rule. For these reasons, the paragraph 
allows each financial institution to determine which employee(s) to 
designate, including whether to designate additional employees to 
handle different subsidiaries. Further, there is nothing in the Rule to 
prevent a financial institution from outsourcing safeguards functions 
as appropriate, provided that at least one of its own employees is 
designated to see that such functions are properly carried out. At the 
same time, the Commission declines to add the words ''as appropriate'' 
to this paragraph because such language would only repeat the Rule's 
overarching requirement that each financial institution develop, 
implement and maintain ''appropriate'' safeguards. Lastly, the 
Commission notes that this Rule does not address or alter traditional 
principles of corporate liability and, therefore, should neither create 
nor limit individual liability for a financial institution's designated 
employee(s). Thus, paragraph (a) is adopted as proposed.
2. Paragraph (b)
    Proposed paragraph (b) required each financial institution to 
''identify reasonably foreseeable internal and external risks to the 
security, confidentiality, and integrity of customer information that 
could result in the unauthorized disclosure, misuse, alteration, 
destruction or other compromise of such information, and assess the 
sufficiency of any safeguards in place to control these risks.'' The 
proposal further required each financial institution to consider risks 
in each area of its operations, including three areas that the 
Commission believes are particularly relevant to information security: 
(1) Employee training and management; (2) information systems, 
including information processing, storage, transmission and disposal; 
and (3) detecting, preventing and responding to attacks, intrusions, or 
other systems failures. This paragraph is similar to the Banking Agency 
Guidelines requirement to assess risks.\56\
    Commenters who addressed the issue generally supported including a 
risk assessment requirement within the Rule.\57\ Some of these 
commenters supported the paragraph as proposed, stating that its 
benefits are appropriate relative to its burdens, and that it provides 
the proper level of guidance on how risk assessment should be carried 
out.\58\ Commenters that supported the paragraph's general description 
of the types of risks to be considered-including the proposed areas of 
operation-emphasized that the threats to information security are ever 
changing, and therefore can only be described in general terms.\59\ By 
contrast, other commenters urged that the paragraph be made more 
specific in a variety of ways, namely by: (1) Defining specific 
categories of threats and hazards, such as ''risks to physical 
security;'' (2) including more concrete and extensive guidance on how 
small businesses might perform the required assessment; or (3) 
including a procedure by which the FTC will conduct reviews or audits 
of the security practices of financial institutions under its 
jurisdiction.\60\
---------------------------------------------------------------------------

    \56\ See Banking Agency Guidelines, Paragraph III. B.
    \57\ See, e.g., Equifax at 7; Intuit at 5; Mastercard at 7; 
NASAA at 2; NCHELP at 3; Portogo at 1; SIAA at 4; VeriSign at 1.
    \58\ See, e.g., Intuit at 5; Mastercard at 7; SIAA at 2.
    \59\ Oracle at 2; Mastercard at 7.
    \60\ NACAA comment on the ANPR, at 2; Paas at 3; Musgrove at 2, 
respectively.
---------------------------------------------------------------------------

    The Commission notes the importance of providing guidance to 
financial institutions, particularly small businesses, on how to comply 
with this and other aspects of the Rule. The Commission therefore 
intends to issue educational materials to help businesses identify 
risks and comply with the various other provisions of the Rule. Because 
of the ever-changing nature of the relevant risks, however, the 
Commission does not find it appropriate to delineate risks more 
specifically within the Rule. In addition, to retain appropriate 
flexibility, the Commission will rely on its discretion in enforcing 
the Rule, and not describe any particular schedule or methods for 
enforcement.\61\ At the same time, the Commission has amended slightly 
the areas of operation, in order to better describe the activities that 
financial institutions should consider in developing, implementing and 
maintaining their information security programs. Specifically, the 
Commission has added (1) the item ''network and software design'' to 
the examples of information systems a financial institution should 
examine; and (2) the term ''detecting'' to the requirement that each 
financial institution consider means of ''preventing and responding'' 
to attacks, intrusions and other systems failures. In all other 
respects, paragraph (b) is adopted as proposed.
---------------------------------------------------------------------------

    \61\ By contrast to the Banking Agencies, the Commission is not 
authorized to conduct regular audits and review of entities under 
its jurisdiction.
---------------------------------------------------------------------------

3. Paragraph (c)
    Proposed paragraph (c) required each financial institution to 
''design and implement information safeguards to control the risks 
[identified] through risk assessment, and regularly test or otherwise 
monitor the effectiveness of the safeguards' key controls, systems, and 
procedures.'' The proposal further required each financial institution 
to consider its areas of operation in fulfilling this requirement. As 
with proposed paragraph (b), above, commenters generally supported this 
provision, citing its flexibility and the appropriateness of its 
benefits relative to its burdens.\62\ However, one commenter

[[Page 36490]]

asked that the provision be revised to require only such safeguards as 
are ''commercially reasonable,'' \63\ while another urged that the 
paragraph require each financial institution to keep specific written 
records of its particular safeguards procedures, such as its employee 
training activities and records retention schedules, to demonstrate 
compliance with the Rule.\64\
---------------------------------------------------------------------------

    \62\ Intuit at 5; NCHELP at 4; SIIA at 2. In addition, as 
elsewhere, commenters urged that the paragraph include more 
guidance, so that businesses-particularly smaller entities, such as 
sole proprietorships-will better understand what safeguards are 
sufficient to comply with the Rule. See NIADA at 7-8; Paas at 4-5. 
As discussed above, the Commission agrees that educating businesses 
and others is critical to achieving the Rule's objectives, and plans 
to issue educational materials in connection with the Rule.
    \63\ Equifax at 8.
    \64\ Musgrove at 2.
---------------------------------------------------------------------------

    The Commission recognizes that each financial institution must 
focus its limited resources on addressing those risks that are most 
relevant to its operations. However, because the Rule already contains 
flexible standards that take a variety of factors into account, the 
Commission does not believe it is necessary or appropriate to revise 
the Rule to require only such safeguards as are ''commercially 
reasonable.'' At the same time, to preserve flexibility and minimize 
burdens, the Commission declines to revise this paragraph to require 
that financial institutions document specific aspects of their risk 
control activities. For these reasons, paragraph (c) is adopted as 
proposed.
4. Paragraph (d)
    Proposed paragraph (d) required each financial institution to 
oversee its service providers by selecting and retaining service 
providers that are ''capable of maintaining appropriate safeguards'' 
for the customer information at issue (paragraph (d)(1)), and requiring 
its service providers by contract to ''implement and maintain such 
safeguards'' (paragraph(d)(2)). For the reasons discussed below, 
paragraph (d)(1) is revised slightly, while paragraph (d)(2) is adopted 
as proposed.
    Commenters supported requiring oversight of service providers' 
safeguards by financial institutions, particularly when, as one 
coalition of financial services organizations noted, the financial 
services industry increasingly relies on third parties to support core 
functions and online delivery.\65\ However, in commenting on proposed 
paragraph (d)(1), some commenters expressed concern about the ability 
of businesses-particularly smaller entities-to evaluate a service 
provider's capabilities.\66\ At the same time, other commenters 
supported adding to the Rule various standards for financial 
institutions to use in selecting service providers, specifically: (1) 
That financial institutions have ''reason to believe'' their service 
providers are capable of maintaining appropriate safeguards; \67\ (2) 
that they use a ''due diligence'' review, as under the Banking Agency 
guidelines; \68\ or (3) that they select service providers that are 
''capable of maintaining appropriate safeguards.'' \69\
---------------------------------------------------------------------------

    \65\ BITS at 1. See also CDIA at 6; ITAA at 3; VeriSign at 2 
(Rule appropriately places on financial institutions the burden to 
select appropriate service providers).
    \66\ Paas at 5. See also NRF at 5 (expressing concern that Rule 
could make financial institutions strictly liable for safeguards 
breaches by their service providers).
    \67\ NRF at 5; TGSL at 2.
    \68\ Household at 1; ICBA at 1; NIADA at 6.
    \69\ Mastercard at 7.
---------------------------------------------------------------------------

    The Commission agrees that businesses cannot be expected to perform 
unlimited evaluation of their service providers' capabilities. Thus, 
the Commission has amended the provision to state that each financial 
institution must ''take reasonable steps'' to select and retain 
appropriate service providers. This added language more closely 
parallels the Banking Agency Guidelines, as well as the Rule's 
requirement to assess risks that are ''reasonably foreseeable.'' The 
steps that are reasonable under the Rule will depend upon the 
circumstances and the relationship between the financial institution 
and the service provider in question. At a minimum, the Commission 
envisions that each financial institution will (1) take reasonable 
steps to assure itself that its current and potential service providers 
maintain sufficient procedures to detect and respond to security 
breaches, and (2) maintain reasonable procedures to discover and 
respond to widely-known security failures by its current and potential 
service providers.
    Proposed paragraph (d)(2) required financial institutions to enter 
into contracts that require service providers to implement and maintain 
appropriate safeguards. Most comments that addressed this requirement 
supported it.\70\ Nevertheless, as discussed above, some commenters 
urged that certain service providers be exempt from the Rule, or be 
permitted to comply with the safeguards standards of another agency, 
such as their own functional regulator in the case of financial 
institution service providers. These comments already have been 
addressed above. In addition, two commenters urged that the Rule give 
examples of appropriate language or specifically require the inclusion 
of certain clauses in the contract,\71\ while other commenters stated 
that no such specifications are needed or desirable.\72\ The Commission 
believes that financial institutions are well positioned to develop and 
implement appropriate contracts with their service providers. Further, 
keeping the contract provision flexible should allow financial 
institutions and their service providers to develop arrangements that 
do not impose undue or conflicting burdens on service providers that 
may be subject to other standards and/or agreements concerning 
safeguards. Therefore, the Commission declines to include specific 
contract language within the Rule. However, the Commission intends to 
provide education for businesses on how to comply with the Rule, and 
will include general guidance concerning oversight of service providers 
as part of this effort. For these reasons, paragraph (d)(2) is adopted 
as proposed.
---------------------------------------------------------------------------

    \70\ Equifax at 8; Indep. Ins. Agents 3; Intuit at 5; Mastercard 
at 7; NACAA at 2; NCHELP at 4; Navy Federal Financial Group at 1-2; 
NIADA at 7; Sallie Mae at 3; SIIA at 2.
    \71\ NADA at 3; Navy Federal Financial Group at 1-2.
    \72\ Intuit at 5; Sallie Mae at 3.
---------------------------------------------------------------------------

5. Paragraph (e)
    Proposed paragraph (e) required each financial institution to 
''evaluate and adjust [its] information security program in light of 
any material changes to [its] business that may affect [its] 
safeguards.'' The preamble to the proposed section offered examples of 
such material changes, namely changes in technology; changes to its 
operations or business arrangements, such as mergers and acquisitions, 
alliances and joint ventures, outsourcing arrangements, or changes to 
the services provided; new or emerging internal or external threats to 
information security; or any other circumstances that give it reason to 
know that its information security program is vulnerable to attack or 
compromise. See 66 FR 41167. Several commenters supported this 
requirement as proposed.\73\ However, a few commenters recommended 
certain revisions to the paragraph's description of the types of 
changes that may warrant evaluation and adjustment of an entity's 
safeguards. Specifically, one commenter urged that although changes in 
the sensitivity of customer information or the nature of any threats 
will warrant evaluation, changes to a business's internal organization 
may be irrelevant to its safeguards, and therefore should not 
necessitate a review.\74\ Similarly, another commenter urged that the 
paragraph be revised to require that a financial institution ''take 
reasonable steps so that the information security

[[Page 36491]]

program continues to be appropriate'' for the financial 
institution.\75\
---------------------------------------------------------------------------

    \73\ NACAA at 2; NCHELP at 5; SIIA at 2.
    \74\ Intuit at 6.
    \75\ Equifax at 9.
---------------------------------------------------------------------------

    Consistent with the intent of the Proposed Rule, as well as the 
concerns reflected in these comments, the Commission believes that the 
bases for a financial institution to adjust its information security 
program will vary depending on the circumstances and may include a wide 
range of factors. Accordingly, paragraph (e) has been amended to more 
clearly reflect the fact-specific nature of the inquiry and to better 
encompass the broad range of factors that a financial institution 
should consider. Under the revised paragraph, each financial 
institution must evaluate and adjust its information security program 
''in light of the results of the testing and monitoring required by 
paragraph (c); any material changes to [its] operations or business 
arrangements; or any other circumstances that you know or have reason 
to know may have a material impact on [its] information security 
program.'' The Commission believes that the Rule allows a financial 
institution sufficient flexibility as to how to adjust its safeguards, 
and therefore finds it unnecessary to limit the responsibility of 
financial institutions to taking ''reasonable steps'' to make any 
adjustments. Thus, paragraph (e) is adopted with the changes noted 
above.

Section 314.5: Effective Date

    Proposed section 314.5 required each financial institution covered 
by the Rule to implement an information security program not later than 
one year from the date on which a Final Rule is issued. In addition, 
the proposal requested comment on whether the Rule should contain a 
transition period to allow the continuation of existing contracts with 
service providers, even if the contracts would not satisfy the Rule's 
requirements.
    Many commenters supported as adequate an effective date of one year 
from the date on which the Final Rule is issued.\76\ A few commenters 
urged that a longer time be given, such as 18 months,\77\ or that an 
additional year be allowed for businesses-particularly small entities-
to comply.\78\ In addition, all commenters who addressed the issue 
urged that the Rule allow a transition period for service provider 
contracts.\79\ Most of these commenters requested that financial 
institutions be given two years to make service provider contracts 
comply,\80\ while a few commenters sought a slightly longer time.\81\
---------------------------------------------------------------------------

    \76\ See, e.g., Equifax at 10; Intuit at 6; Mastercard at 8; 
NIADA at 8; OCUL at 3; Sallie Mae at 3; SIIA at 2; USA Funds at 1-2.
    \77\ NADA at 2-3; NIADA at 8. See also NFFG at 2 (2 years).
    \78\ ACA at 6-7.
    \79\ See, e.g., CDIA at 5; NIADA at 8; OCUL at 3; SIIA at 2; 
TGSL at 2; Visa at 5.
    \80\ See, e.g., Equifax at 10; NRF at 5; NFFG at 2; OCUL at 3.
    \81\ Sallie Mae at 3; Visa at 5.
---------------------------------------------------------------------------

    Consistent with the majority of comments, the Rule will take effect 
one year from the date on which the Final Rule is published in the 
Federal Register, except that there will be a transition rule for 
contracts between financial institutions and nonaffiliated third party 
service providers. Under the transition Rule, set forth in section 
314.5(b) of the Rule, financial institutions will be given an 
additional year to bring these service provider contracts into 
compliance with the Rule, as long as the contract was in place 30 days 
after the date on which the Final Rule is published in the Federal 
Register. The transition rule parallels the two-year grandfathering of 
service contracts that was permitted under both the Privacy Rule and 
the Banking Agency Guidelines. The Commission believes that the 
effective date and transition rule will provide businesses appropriate 
flexibility in complying with the Rule.

Section D. Paperwork Reduction Act

    The Paperwork Reduction Act (''PRA''), 44 U.S.C. Chapter 35, 
requires federal agencies to seek and obtain OMB approval before 
undertaking a collection of information directed to ten or more 
persons. 44 U.S.C. 3502(3)(a)(i). Under the PRA, a rule creates a 
''collection of information'' where ten or more persons are asked to 
report, provide, disclose, or record information'' in response to 
''identical questions.'' See 44 U.S.C. 3502(3)(A). Applying these 
standards, the Rule does not constitute a ''collection of 
information.'' The Rule calls upon affected financial institutions to 
develop or strengthen their information security programs in order to 
provide reasonable safeguards. Under the Rule, each financial 
institution's safeguards will vary according to its size and 
complexity, the nature and scope of its activities, and the sensitivity 
of the information involved. For example, a financial institution with 
numerous employees would develop and implement employee training and 
management procedures beyond those that would be appropriate or 
reasonable for a sole proprietorship, such as an individual tax 
preparer or mortgage broker. Similarly, a financial institution that 
shares customer information with numerous affiliates would need to take 
steps to ensure that such information remains protected, while a 
financial institution with no affiliates would not need to address this 
issue. Thus, although each financial institution must summarize its 
compliance efforts in one or more written documents, the discretionary 
balancing of factors and circumstances that the Rule allows-including 
the myriad operational differences among businesses that it 
contemplated-does not require entities to answer ''identical 
questions,'' and therefore does not trigger the PRA's requirements. See 
''The Paperwork Reduction Act of 1995: Implementing Guidance for OMB 
Review of Agency Information Collection,'' Office of Information and 
Regulatory Affairs, OMB (August 16, 1999), at 20-21.

Section E. Regulatory Flexibility Act

    In its ANPR, the Commission stated its belief that, under the 
Regulatory Flexibility Act (''RFA''), 5 U.S.C. 604(a), it was not 
required to issue an Initial Regulatory Flexibility Analysis (''IRFA'') 
because the Commission did not expect that the Proposed Rule would have 
a significant economic impact on a substantial number of small entities 
within the meaning of the Act. See 66 FR at 41167. The Commission 
nonetheless issued an IRFA with the Proposed Rule in order to inquire 
into the possible impact of the Proposed Rule on small entities, and to 
provide information to small businesses, as well as other businesses, 
on how to implement the Rule. Id.
    Although the Commission specifically sought comment on the costs to 
small entities of complying with the Rule, no commenters provided 
specific cost information. Some commenters generally praised the 
proposal's flexibility \82\ or noted that given its flexible standards, 
it was appropriate for the Rule to apply equally to businesses of all 
sizes.\83\ However, other commenters suggested that small entities may 
be disproportionately burdened by the Rule because they lack expertise 
(relative to larger entities) in developing, implementing and 
maintaining the required safeguards.\84\ In light of these comments, 
the Commission has carefully considered whether to certify that the 
Rule will not have a significant impact on a

[[Page 36492]]

substantial number of small entities. The Commission continues to 
believe that the Rule's impact will not be substantial in the case of 
most small entities. However, the Commission cannot quantify the impact 
the Rule will have on such entities. Therefore, in the interest of 
thoroughness, the Commission has prepared the following Final 
Regulatory Flexibility Analysis (''FRFA'') with this Final Rule. 5 
U.S.C. 605.
---------------------------------------------------------------------------

    \82\ See, e.g., Household at 1; SIIA at 1; TGSL at 1; VeriSign 
at 1.
    \83\ Intuit at 2; NASAA at 2.
    \84\ See, e.g., NADA at 2; NIADA at 9; Musgrove at 2 (stating 
that small financial institutions may need to hire outside 
consultants to comply with Rule).
---------------------------------------------------------------------------

1. Succinct Statement of the Need for, and Objectives of, the Rule

    The Final Rule is necessary in order to implement section 501(b) of 
the G-L-B Act, which requires the FTC to establish standards for 
financial institutions subject to its jurisdiction relating to 
administrative, technical, and physical standards. According to section 
501(b), these standards must: (1) Insure the security and 
confidentiality of customer records and information; (2) protect 
against any anticipated threats or hazards to the security or integrity 
of such records; and (3) protect against unauthorized access to or use 
of such records or information which could result in substantial harm 
or inconvenience to any customer. These objectives have been discussed 
above in the statement of basis and purpose for the Final Rule.

2. Summary of the Significant Issues Raised by the Public Comments in 
Response to the IRFA; Summary of the Assessment of the Agency of Such 
Issues; and Statement of Any Changes Made in the Rule as a Result of 
Such Comments

    As stated above, no comments were received concerning specific 
costs that will be imposed on small entities by the Rule. However, some 
commenters stated that the Rule and/or certain of its requirements 
would impose high costs on businesses, including small entities.\85\ In 
addition, as stated, a few commenters suggested that small entities may 
be disproportionately burdened by the Rule because they lack expertise 
(relative to larger entities) in developing, implementing and 
maintaining the required safeguards.\86\ Finally, as stated above, many 
commenters urged that the Commission provide guidance on how to comply 
with the Rule to assist entities-particularly smaller businesses-to 
comply without incurring undue expense.\87\ In addition, some 
commenters specifically requested guidance on how to assess risks as 
required by section 314.4(b);\88\ develop, implement and maintain 
safeguards as required by section 314.4(c); \89\ and oversee service 
providers as required by section 314.4(d).
---------------------------------------------------------------------------

    \85\ FPA at 3; Paas at 2; see also OCUL (stating that the NCUA's 
safeguards rule is very burdensome for credit unions); Post at 1 
(stating that Privacy Rule is very burdensome).
    \86\ See supra n. 81.
    \87\ See, e.g., ICB at 2; Musgrove at 2; NADA at 2; NIADA at 9; 
Paas at 4-6.
    \88\ Paas at 3.
    \89\ See NIADA at 7; Paas at 4-5.
---------------------------------------------------------------------------

    The Commission took comments respecting the Rule's impact on small 
entities into account by designing flexible safeguards standards 
(section 313.3(a)). Similarly, the Commission took smaller entities 
into account in allowing each financial institution to decide for 
itself what employees to designate to handle safeguards (section 
314.4(a)), in order to give businesses, particularly smaller entities, 
flexibility in complying with the Rule. Lastly, because some commenters 
expressed concern about the ability of businesses-particularly smaller 
entities-to evaluate a service provider's capabilities,\90\ the 
Commission amended the relevant paragraph to state that each financial 
institution must ''take reasonable steps'' to select and retain 
appropriate service providers.
---------------------------------------------------------------------------

    \90\ Paas at 5; see also NRF at 5 (expressing concern that Rule 
could make financial institutions strictly liable for safeguards 
breaches by their service providers).
---------------------------------------------------------------------------

    In addition to the above changes, the Commission has taken into 
account those comments that stated the importance of educating 
businesses and others on how to implement and maintain information 
safeguards. The Commission agrees that such education is critical to 
achieving the Rule's objectives and to minimizing burdens on 
businesses. Thus, as stated in the Rule's preamble, the Commission 
plans to provide educational materials on or near the date on which 
compliance is required. As part of this effort, the Commission intends 
to perform outreach to inform small entities, such as individual tax 
preparers or other sole proprietors, of the Rule and its requirements.
    In addition to the forthcoming educational materials, the 
Commission has given guidance in the Rule and its Preamble that is 
intended to assist businesses, particularly small entities, to comply 
with the Rule. Specifically, as discussed above, the Commission has 
included within the Rule a brief description of those areas of a 
business' operations that the Commission believes are most relevant to 
information security: (1) Employee training and management; (2) 
information systems, including network and software design, as well as 
information processing, storage, transmission and disposal; and (3) 
detecting, preventing and responding to attacks, intrusions, or other 
systems failures. See section 314.3(b).

3. Description and Estimate of the Number of Small Entities to Which 
the Rule Will Apply or an Explanation of Why No Such Estimate Is 
Available

    As previously discussed in the IRFA accompanying the Proposed Rule, 
it is difficult to estimate accurately the number of small entities 
that are financial institutions subject to the Rule. The definition of 
''financial institution,'' as under the Privacy Rule, includes any 
institution the business of which is engaging in a financial activity, 
as described in section 4(k) of the Bank Holding Company Act, which 
incorporates by reference the activities listed in 12 CFR 225.28 and 12 
CFR 211.5(d), consolidated in 12 CFR 225.86. See 65 FR 14433 (Mar. 17, 
2000).
    The G-L-B Act does not specify the categories of financial 
institutions subject to the Commission's jurisdiction; rather, section 
505(a)(5) vests the Commission with enforcement authority with respect 
to ''any other financial institution or other person that is not 
subject to the jurisdiction of any [other] agency or authority [charged 
with enforcing the statute].'' Financial institutions covered by the 
Rule will include many of the same lenders, financial advisors, loan 
brokers and servicers, collection agencies, financial advisors, tax 
preparers, real estate settlement services, and others that are subject 
to the Privacy Rule. Many of these financial institutions will not be 
subject to the Safeguards Rule to the extent that they do not have any 
''customer information'' within the meaning of the Safeguards Rule. The 
Commission did not receive comments that helped it to identify in any 
comprehensive manner the small entities that will be affected by the 
rule. However, one commenter, the National Association of Automobile 
Dealers Association (''NADA'') submitted 1999 data showing that, at 
that time, 5,292 franchised new automobile dealers had 30 or fewer 
employees; 1,706 had 20 or fewer employees; and 575 had 10 or fewer 
employees.\91\ In addition, the Commission is aware that many small 
businesses, such as individual tax preparers or mortgage brokers, will 
be covered by the Rule.
---------------------------------------------------------------------------

    \91\ NADA at 1.

---------------------------------------------------------------------------

[[Page 36493]]

4. Description of the Projected Reporting, Recordkeeping and Other 
Compliance Requirements of the Rule, Including an Estimate of the 
Classes of Small Entities That Will Be Subject to the Requirement and 
the Type of Professional Skills Necessary for Preparation of the Report 
or Record

    As explained in the Commission's IRFA and the Paperwork Reduction 
Act discussion that appears elsewhere in this document, the Safeguards 
Rule does not impose any specific reporting or recordkeeping 
requirements. Accordingly, compliance with the Rule does not entail 
expenditures for particular types of professional skills that might be 
needed for the preparation of such reports or records.
    The Rule, however, requires each covered institution to develop a 
written information security program covering customer information that 
is appropriate to its size and complexity, the nature and scope of its 
activities, and the sensitivity of the customer information at issue. 
The institution must designate an employee or employees to coordinate 
its safeguards; identify reasonably foreseeable risks and assess the 
effectiveness of any existing safeguards for controlling these risks; 
design and implement a safeguards program and regularly monitor its 
effectiveness; require service providers (by contract) to implement 
appropriate safeguards for the customer information at issue; and 
evaluate and adjust its program to material changes that may affect its 
safeguards, such as new or emerging threats to information security. As 
discussed above, these requirements will apply to institutions of all 
sizes that are subject to the FTC's jurisdiction pursuant to the Rule, 
including small entities, although the Commission did not receive 
comments that would enable a reliable estimate of the number of such 
small entities.
    In light of concerns that compliance with these requirements might 
require the use of professional consulting skills that could be costly, 
the Commission, as explained in its IRFA, fashioned the Rule's 
requirements to be as flexible as possible consistent with the purposes 
of the G-L-B Act, so that entities subject to the Rule, including small 
entities, could simplify their information security program to the same 
extent that their overall operations are simplified. Furthermore, the 
Commission invited comments on the costs of establishing and operating 
an information security program for such entities, particularly any 
costs stemming from the proposed requirements to: (1) Regularly test or 
otherwise monitor the effectiveness of the safeguards' key controls, 
systems, and procedures, and (2) develop a comprehensive information 
security program in written form. In response to comments that raised 
concerns that many businesses would not possess the required resources 
or expertise to fulfill the Rule's requirements, the Commission notes 
that the Rule is not intended to require that entities hire outside 
experts or consultants in order to comply. Further, the Commission has 
noted that it intends to provide educational materials that will assist 
such entities in compliance. In addition, in response to concerns that 
the preparation of a written plan could be burdensome, the Commission 
amended this requirement slightly to emphasize the flexibility of the 
writing requirement and make clear that the writing need not be 
contained in a single document.

5. Description of the Steps the Agency Has Taken To Minimize the 
Significant Economic Impact on Small Entities, Consistent with the 
Stated Objectives of Applicable Statutes, Including a Statement of the 
Factual, Policy, and Legal Reasons for Selecting the Alternative 
Adopted in the Final Rule and Why Each of the Other Significant 
Alternatives to the Rule Considered by the Agency That Affect the 
Impact on Small Entities Was Rejected

    The G-L-B Act requires the FTC to issue a rule that establishes 
standards for safeguarding customer information. The G-L-B Act requires 
that standards be developed for institutions of all sizes. Therefore, 
the Rule applies equally to entities with assets of $100 million or 
less, and not just to larger entities.
    As previously noted, the Commission does not believe the Safeguards 
Rule imposes a significant economic impact on a substantial number of 
small entities. Nonetheless, to the extent that small entities are 
subject to the Rule, it imposes flexible standards that allow each 
institution to develop an information security program that is 
appropriate to its size and the nature of its operations. In this way, 
the impact of the Rule on small entities and any other entities subject 
to the Rule is no greater than necessary to effectuate the purposes and 
objectives of the G-L-B Act, which requires that the Commission adopt a 
rule specifying procedures sufficient to safeguard the privacy of 
customer information protected under the Act. To the extent that 
commenters suggested alternative regulatory approaches-such as that 
compliance with alternative standards be deemed compliance with the 
Rule-that could affect the Rule's impact on small entities, those 
comments and the Commission's responses are discussed above in the 
statement of basis and purpose for the Final Rule.

List of Subjects for 16 CFR Part 314

    Consumer protection, Credit, Data protection, Privacy, Trade 
practices.

Final Rule

    For the reasons set forth in the preamble, the Federal Trade 
Commission amends 16 CFR chapter I, subchapter C, by adding a new part 
314 to read as follows:

PART 314-STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

Sec.
314.1  Purpose and scope.
314.2  Definitions.
314.3  Standards for safeguarding customer information.
314.4  Elements.
314.5  Effective date.

    Authority: 15 U.S.C. 6801(b), 6805(b)(2).


 314.1  Purpose and scope.

    (a) Purpose. This part, which implements sections 501 and 505(b)(2) 
of the Gramm-Leach-Bliley Act, sets forth standards for developing, 
implementing, and maintaining reasonable administrative, technical, and 
physical safeguards to protect the security, confidentiality, and 
integrity of customer information.
    (b) Scope. This part applies to the handling of customer 
information by all financial institutions over which the Federal Trade 
Commission (''FTC'' or ''Commission'') has jurisdiction. This part 
refers to such entities as ''you.'' This part applies to all customer 
information in your possession, regardless of whether such information 
pertains to individuals with whom you have a customer relationship, or 
pertains to the customers of other financial institutions that have 
provided such information to you.


 314.2  Definitions.

    (a) In general. Except as modified by this part or unless the 
context otherwise requires, the terms used in this part have the same 
meaning as set forth in the Commission's rule governing the Privacy of 
Consumer Financial Information, 16 CFR part 313.
    (b) Customer information means any record containing nonpublic 
personal information as defined in 16 CFR 313.3(n), about a customer of 
a financial institution, whether in paper, electronic, or other form, 
that is handled or maintained by or on behalf of you or your 
affiliates.

[[Page 36494]]

    (c) Information security program means the administrative, 
technical, or physical safeguards you use to access, collect, 
distribute, process, protect, store, use, transmit, dispose of, or 
otherwise handle customer information.
    (d) Service provider means any person or entity that receives, 
maintains, processes, or otherwise is permitted access to customer 
information through its provision of services directly to a financial 
institution that is subject to this part.


 314.3  Standards for safeguarding customer information.

    (a) Information security program. You shall develop, implement, and 
maintain a comprehensive information security program that is written 
in one or more readily accessible parts and contains administrative, 
technical, and physical safeguards that are appropriate to your size 
and complexity, the nature and scope of your activities, and the 
sensitivity of any customer information at issue. Such safeguards shall 
include the elements set forth in  314.4 and shall be 
reasonably designed to achieve the objectives of this part, as set 
forth in paragraph (b) of this section.
    (b) Objectives. The objectives of section 501(b) of the Act, and of 
this part, are to:
    (1) Insure the security and confidentiality of customer 
information;
    (2) Protect against any anticipated threats or hazards to the 
security or integrity of such information; and
    (3) Protect against unauthorized access to or use of such 
information that could result in substantial harm or inconvenience to 
any customer.


 314.4  Elements.

    In order to develop, implement, and maintain your information 
security program, you shall:
    (a) Designate an employee or employees to coordinate your 
information security program.
    (b) Identify reasonably foreseeable internal and external risks to 
the security, confidentiality, and integrity of customer information 
that could result in the unauthorized disclosure, misuse, alteration, 
destruction or other compromise of such information, and assess the 
sufficiency of any safeguards in place to control these risks. At a 
minimum, such a risk assessment should include consideration of risks 
in each relevant area of your operations, including:
    (1) Employee training and management;
    (2) Information systems, including network and software design, as 
well as information processing, storage, transmission and disposal; and
    (3) Detecting, preventing and responding to attacks, intrusions, or 
other systems failures.
    (c) Design and implement information safeguards to control the 
risks you identify through risk assessment, and regularly test or 
otherwise monitor the effectiveness of the safeguards' key controls, 
systems, and procedures.
    (d) Oversee service providers, by:
    (1) Taking reasonable steps to select and retain service providers 
that are capable of maintaining appropriate safeguards for the customer 
information at issue; and
    (2) Requiring your service providers by contract to implement and 
maintain such safeguards.
    (e) Evaluate and adjust your information security program in light 
of the results of the testing and monitoring required by paragraph (c) 
of this section; any material changes to your operations or business 
arrangements; or any other circumstances that you know or have reason 
to know may have a material impact on your information security 
program.


 314.5  Effective date.

    (a) Each financial institution subject to the Commission's 
jurisdiction must implement an information security program pursuant to 
this part no later than May 23, 2003.
    (b) Two-year grandfathering of service contracts. Until May 24, 
2004, a contract you have entered into with a nonaffiliated third party 
to perform services for you or functions on your behalf satisfies the 
provisions of  314.4(d), even if the contract does not include 
a requirement that the service provider maintain appropriate 
safeguards, as long as you entered into the contract not later than 
June 24, 2002.

    By direction of the Commission.

Donald S. Clark,
Secretary.
[FR Doc. 02-12952 Filed 5-22-02; 8:45 am]
BILLING CODE 6750-01-P