GLBA and Consumer Data: FTC Signals Less Flexibility and More Uniform Standards in Proposed Safeguards Rule Amendments
On March 5, 2019, the Federal Trade Commission announced the first substantial proposed amendments to the Safeguards Rule — which mandates that financial institutions create, implement, and maintain a comprehensive information security program — in more than 15 years. The proposed amendments, due to be published in the Federal Register for notice and comment, would transition the generally flexible Rule to impose more detailed minimum requirements on financial institutions and their service providers.
Since Congress passed and President Clinton signed it into law in 1999, the Gramm-Leach-Bliley Act (GLBA) has governed the privacy and safeguarding of consumers’ personal financial information and remains today relatively unchanged from its original text. Two key elements of the GLBA, the Privacy Rule (in effect since 2000) and the Safeguards Rule  (in effect since 2003), have given financial institutions and their service providers only loose guidance and wide latitude in determining what protections to implement to keep consumers’ personal financial information private.
In the twenty years since the GLBA’s passage, however, the manner of compliance with these requirements has evolved. The volume and exchange of financial information in the marketplace has increased significantly, especially given the proliferation of new ways of using consumer data in FinTech applications and Internet of Things. Further, as technology has advanced, causing an exponential increase in the number of businesses in the consumer financial ecosystem, the definition of financial institutions subject to the GLBA’s requirements has expanded to include broad categories of businesses that come into contact with consumers’ personal financial information. But the Safeguards Rule in particular has continued to impose only loose baseline requirements on financial institutions’ protection of consumers’ personal financial information.
The FTC’s proposed amendments to the Safeguards Rule would clarify many compliance questions and implement enhanced, specific cybersecurity requirements that would, according to proponents of the amendments, modernize the Safeguards Rule and make it on par with the current cybersecurity regime that many financial institutions already are required to follow. The amendments propose, in part, new specific requirements for companies’ information-security programs, including the encryption of all consumer data, the implementation of employee-access controls to consumer information to prevent unauthorized access, and the addition of multifactor authentication protocols. Such requirements reflect similar enhanced minimum cybersecurity protocols, known as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation,  which NYDFS finalized in late 2017 to further protect consumers’ personal financial information at NYDFS-regulated entities.
The road to an updated Safeguards Rule with NYDFS-style standards is likely to be anything but smooth, however, as two of the FTC Commissioners issued a dissenting opinion as part of the March 5 announcement, noting their opposition to the Commission’s move to change the Safeguards Rule standards through an agency rulemaking. Notably, the Commissioners asserted that the proposed amendments — if promulgated as written in the Notice of Proposed Rulemaking (NPRM) — could give rise to the following problematic outcomes:
Administrative rulemaking versus lawmaking. Congress is in the process of engaging in a larger debate regarding potential new standards governing justifications for consumer-data collection, and the NPRM and the NYDFS rule do not contemplate or provide an adequate vehicle through which new legislation could be passed. This sentiment is not only reflective of the ongoing tension between federal and state privacy legislation, but also highlights the complexity introduced when an agency (perhaps unnecessarily) wades into the fray.
Government restrictions mandating board involvement. For financial institutions and other entities covered by the rule, the dissenting Commissioners opined that the Commission should not substitute its own judgment for a private firm’s governance decisions. For instance, the Commissioners wrote: “whether and to what extent [the Commission] should command the regular attention and personal liability of a company’s board is precisely the kind of question [private] firms are in a better position to evaluate than federal regulators. . . . Maybe we want boards of financial institutions to spend more time assessing those risks. The point isn’t that the answer is easy—the point is that we may not be the best qualified to supply it.” The Commission is the federal agency tasked with consumer protection and oversight of anti-competitive corporate behavior. It is not a banking regulator, such as the Consumer Financial Protection Bureau, the Office of the Comptroller of the Currency, or the Board of Governors of the Federal Reserve, all of which benefit from commensurate banking expertise. The role of the Commission in the privacy framework continues to evolve in relation to financial institutions, and the NPRM represents a significant move by the Commission to assert its authority over the banking industry.
The requisite harm-benefit analysis. While the Commissioners did not expressly cite the statute in their dissent, their statements suggest a fidelity to the Commission’s enabling statute, which sets forth the “unfairness” standard in its Section 5. As is the case for either FTC or CFPB legal standards, a practice must (1) cause or be likely to cause a substantial injury to the consumer, that (2) the consumer cannot reasonably avoid, and that is (3) not outweighed by countervailing benefits to consumers or competition to be deemed “unfair” by the government. Thus, when the dissenting Commissioners wrote that the costs of enhanced private-sector security precautions are not supported by record evidence demonstrating that “those costs will significantly reduce data security risk or significantly increase consumer benefits,” they were expressing concerns that are squarely rooted in the fabric of the mandate of the Safeguards Rule’s enabling legislation. In other words, their statements cautioned against an agency rulemaking that will result in regulatory overreach or a statutory interpretation that renders prong (3) obsolete. After all, “the proliferation of procedural, technical, and governance requirements may have the unintended consequence of diluting core data security measures undertaken pursuant to the existing Safeguards Rule.”
While the shape of the final Safeguards Rule remains to be seen, financial institutions, their service providers, and other concerned parties will have a rare opportunity to engage in a vigorous, national public dialogue concerning critical data-security issues through the notice-and-comment process. Without these stakeholders’ participation to promote their views, the industry likely will soon face enhanced compliance requirements that were created in an agency vacuum rather than from a more-practical industry perspective.
Companies already complying with the NYDFS Cybersecurity Regulation likely will have a head start when it comes to complying with the updated Safeguards Rule, though it will be important to assess compliance with each rule, especially where the final federal rule’s individual requirements deviate from the NYDFS requirements.
 Under the current Safeguards Rule requirements, financial institutions must (1) designate an information security coordinator; (2) identify risks to consumer information and assess the effectiveness of existing safeguards to protect consumer information; (3) design, implement, monitor, and test their safeguards program; (4) diligently select responsible service providers to maintain similarly appropriate safeguards, require them to maintain these safeguards in contracts, and monitor their handling of consumer information; and (5) assess and adjust the safeguards program following any change in business or operations, or the identification of risks through security monitoring and testing. Similarly, service providers must maintain appropriate safeguards to protect consumer information. The FTC has issued a helpful compliance guide for the current requirements that provides further detail and divides compliance procedures into categories of employee management and training, information systems, and detecting and managing system failures.
 The NYDFS Cybersecurity Regulation began a phased rollout in early 2018 and mandates that companies subject to the requirements (1) draft and implement a cybersecurity policy that meets minimum specifications concerning information security, access controls, disaster recovery, systems and network security, customer data privacy, and regular risk assessments; (2) produce an annual report describing cybersecurity policies and procedures, known security risks, and an assessment of existing cybersecurity measures; (3) an audit trail of threat detection and response, written procedures and standards, a data retention policy and documentation of personal information disposal, and data encryption; and (4) create a cybersecurity policy for third-party providers that requires risk assessment, minimum security requirements, and a periodic evaluation process for the third-party provider’s security practices.
Arent Fox’s Consumer Financial Services group will continue to monitor developments in this area. For questions related to the Safeguards Rule and other financial sector consumer protection regulations, including questions regarding comment opportunities or compliance, please contact Jenny Lee, Jake Christensen, or the Arent Fox professional who usually handles your matters.
- Related Practices