Richard G. Goerss
October 8, 2001
Re: Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314--Comment
Dear Mr. Secretary:
Equifax Information Services, LLC ("Equifax") is pleased to provide the following comments on the FTC's proposed Safeguard Rules under the Gramm-Leach-Bliley Act. Equifax is one of the largest consumer reporting agencies in the country. We serve both financial institutions and businesses that are not financial institutions, such as retailers and employers.
Summary of the Proposed Safeguard Rules with the Issues Raised by the FTC
Sec. 314.1 Purpose and Scope - The purpose of the rule is to set forth the standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality and integrity of customer information. The rule applies to all customer information in a financial institution's possession, whether it pertains to its own customers or to customers of other financial institutions that have provided this information to it.
1. FTC feels the rule should cover financial institutions that receive customer information from other financial institutions, as this will assure greater safeguards for customer information.
FTC requested comments on the benefits and burdens of this requirement and/or other issues or concerns that it raises.
We agree that customer information that is received from other financial institutions should be protected and covered by safeguard protections. However, the recipients of customer information from other financial institutions should not have to comply with more than one set of safeguard rules or guidelines. For example, some entities that are themselves financial institutions and are required to comply with the FTC's Safeguard Rules will also be covered as a "service provider" to a financial institution and would be required to address the safeguard requirements of that financial institution. Additionally, a consumer reporting agency is in this situation and must comply with all the FCRA requirements, including those on accuracy, confidentiality and permissible purposes. It would be a significant burden for such an entity to have to comply with all of these various safeguard obligations, in terms of preparing possibly two, three or more different "information security programs". Preparing and complying with all of these different "information security programs" would not provide any incremental benefit to the protection or safeguarding of the "customer information".
Accordingly, an entity that receives customer information from a financial institution should comply with some safeguard requirements/rules. If the entity that receives the customer information is not itself a financial institution and not otherwise directly required to comply with specific safeguard guidelines/rules, then the entity or service provider should have the option to comply with the safeguard requirements of the federal regulatory body for the financial institution that provided the customer information to it or to comply with the safeguard requirements of one of the federal regulatory bodies that the entity or service provider selects. This can be done through its contract with that financial institution. However, if the entity that receives the customer information is within the FTC's jurisdiction or that of some other federal regulatory agency that issued safeguard guidelines/rules, compliance with the FTC Safeguard Rules or those of the other federal agency should be sufficient for the source financial institution to be in compliance with its safeguard requirements. This is appropriate, especially for consumer reporting agencies, which generally receive information from numerous financial institutions covered by the four Financial Institution Safeguard Guidelines. It would be extremely burdensome, with no increase in data safeguards, to require a consumer reporting agency to comply with the safeguard rules of the four federal financial regulatory bodies, in addition to the FTC Safeguard Rules and the FCRA.
To address this, the following wording should be added to the end of current sub-section 314.1(b):
The FTC should work with the other federal regulatory bodies that issued Safeguard Guidelines or Rules regarding any revisions or modifications to their respective Safeguard Guidelines or Rules in order for this to be implemented.
2. The proposed rule requires financial institutions to ensure that customer information remains protected when it is shared with a financial institution's affiliates ("customer information" includes information handled or maintained by or on behalf of affiliates) and service providers (financial institution must select and retain appropriate service providers and have contracts in place requiring the service provider to maintain appropriate safeguards). The financial institution's affiliates and service providers may not be financial institutions themselves.
FTC requested comments on the various issues raised by this definition of customer information and requirements regarding service providers.
We agree that customer information that is provided to "affiliates" and "service providers" should be covered by some form of safeguard rules. However, this raises the same concerns identified in No. 1 above. An entity, either an affiliate or a service provider, should only have to comply with one set of safeguard rules. The affiliate or the service provider should comply with the safeguard rules that apply directly to it, if it is a "financial institution". Again, if the entity is not a financial institution and there are no other safeguard rules that apply to it directly, then the entity or service provider should have the option to comply with the safeguard requirements of the federal regulatory body for the financial institution that provided the customer information to it or to comply with the safeguard requirements of one of the federal regulatory bodies that it selects. This is addressed by the additional wording to be added to sub-section 314.1(b) provided in the response to Comment 1 above.
Additionally, if an organization has several affiliates that are service providers, its own information security program should be sufficient across the organization, except as may be appropriate for individual variances between the businesses of the affiliates. The organization should be able to have a "standard" level, overall safeguard program, but have an information security program that is tailored to the specific activities of the affiliate or service provider involved. This is consistent with the need for flexibility that is recognized in Section 313.3 (a) of the proposed safeguard rules, which states that information security programs should be appropriate to the size and complexity, nature and scope of activities of the entity receiving the customer information and the sensitivity of the customer information itself.
3. Compliance by a financial institution with alternative standards should constitute compliance with the Safeguards Rule.
FTC requested comments on whether and how compliance with other laws and rules relating to information security should be addressed in the proposed rule.
We agree that an entity's compliance with the other safeguard rules, such as the FTC's Safeguard Rules, and other laws, such as the FCRA for consumer reporting agencies, should be taken into account regarding that entity's safeguard protections for customer information it receives from other financial institutions. If the entity that receives customer information from another financial institution is itself directly covered by the safeguard requirements of a federal regulatory body, its compliance with those safeguard requirements should be accepted as compliance by the financial institution that provided the customer information to it. As stated above, this is especially appropriate for consumer reporting agencies, which generally receive information from numerous financial institutions that are covered by the four Financial Institution Safeguard Guidelines. It would be extremely burdensome, with no increase in information safeguards, to require a consumer reporting agency to comply with the safeguard rules of the four federal financial regulatory bodies, the FTC Safeguard Rules and the FCRA. This is addressed by the additional wording to be added to sub-section 314.1(b) provided in the response to Comment 1 above. Further, it is questionable under the FCRA and GLB whether the FTC has the authority to issue rules regulating consumer reporting activities.
Sec. 314.2 Definitions - The rule uses the same definitions as in the Privacy Rule but adds definitions for "customer information", "information security program", and "service provider".
4. "Customer information" is any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
FTC recognizes that another agency's safeguards standard may also cover certain entities that meet the definition of "affiliate". Although not intending to duplicate existing requirements on affiliates, FTC does not want the protections to be lost because the customer information is maintained by an affiliate that is not required to meet other safeguard standards.
FTC requested comments on 1) benefits and burdens, including any compliance burdens imposed on entities already covered by the safeguard rules of other Agencies; 2) whether any additional guidance is needed on what safeguards are appropriate for affiliates; 3) other issues or concerns raised by this requirement; and 4) whether information shared with affiliates is already adequately protected by other provisions of the proposed rule.
#1 - Equifax believes that customer information in the possession of affiliates or other third parties, such as service providers, should be covered by appropriate safeguard rules. However, as stated above, Equifax also believes that an affiliate or service provider should only have to comply with one set of safeguard rules.
#2 - No additional guidance is needed, other than that the final rule should specifically state that an affiliate or service provider only needs to comply with one set of safeguard rules. The safeguard rules should be those that apply directly to it or to a sister affiliate that received the customer information originally. If neither the affiliate nor its sister affiliate that received the customer information is directly covered by its own respective safeguard rules, then the affiliate should have the option to comply with the safeguard requirements of the federal regulatory body for the financial institution that provided the customer information or to comply with the safeguard requirements of one of the federal regulatory bodies that it selects.
#3 - We do not see any other issues or concerns raised by this requirement.
#4 - If the rule is revised to address the points raised above and an affiliate just needs to comply with one set of safeguard rules, the rules would adequately address these issues.
5. "Information security program" is the administrative, technical, or physical safeguards that a financial institution uses to access, collect, process, store, use, transmit, dispose of, or otherwise handle customer information.
FTC requested comment on this definition.
The current wording in the proposed rule does not address the fact that "customer information" can be provided to others by means other than "transmitting" it. "Customer information" can, for example, be provided to others by mail, by in-person review of a hard copy, or orally. So as not to leave a hole in which customer information is not protected, we feel the word "distribute" should be added between "transmit" and "dispose of". This covers the various other ways in which customer information can or could be provided to others. Otherwise, the definition is fine.
6. "Service provider" is any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to the rule.
FTC requested comment on this definition.
Employees of service providers and financial institutions and individuals that are contracted to do limited activities for service providers and financial institutions, such as individual programmers, should not have to have their own "information security program". Doing so would be very burdensome and not add any additional protection to the customer information. It should be appropriate for these individuals to sign a confidentiality agreement. The information security program of the financial institution or service provider for which the employee or independent contractor is performing their work would address this requirement.
Accordingly, the definition of "service provider" should be revised to include the following additional wording:
Sec. 314.3 Standards for safeguarding customer information - A financial institution must develop, implement, and maintain a comprehensive written information security program with administrative, technical, and physical safeguards that are appropriate to the size and complexity of the financial institution, the nature and scope of the financial institution's activities, and the sensitivity of the customer information that the financial institution has in its possession. The safeguards are to be reasonably designed to meet the following objectives of GLB Sec. 501(b):
(1) Insure the security and confidentiality of customer information;
(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
7. The requirement of a written information security program is to ensure a comprehensive, coordinated approach to security. However, the program does not need to be set forth in a single document, provided all parts of the program are coordinated and can be identified and readily accessed.
FTC requested comments on the benefits and burdens of the requirement that the program be written and any other issues/concerns that this section raises; whether any burden is disproportionate for smaller entities; and how the burden can be reduced while still ensuring that each financial institution develops an effective program for which it is accountable.
The adjective "comprehensive" should be deleted before "written" as it is unnecessary and could lead to questions about whether the "writing" describing the "information security program" is comprehensive, i.e., detailed enough. The real issue is the information security program itself and whether it sufficiently safeguards customer information. Otherwise, the requirement that the "information security program" be in writing is acceptable.
The wording "appropriate to the size and complexity" is appropriate. It provides flexibility for different entities to have different information security programs and this is desirable.
Stating that the "safeguards are to be reasonably designed to meet" specified objectives is also appropriate. It recognizes that security programs cannot guarantee absolute security of the information if that information is to be available in a manner that is acceptable for the business purposes for which the information is provided and used. Security programs could be made very tight and rigid, but the information would be much more difficult, burdensome and expensive to access and use, and doing so could take significantly longer. The wording "reasonably designed" provides for the proper level of safeguards and is appropriate.
The rule should recognize that an entity's "written information security program" is highly confidential, proprietary information that should also be protected. The protection of the information security program itself should be addressed in the final rule.
One means of protecting the information security program is not to set it out in a single document. In this regard, the final rule should specifically state that the "information security program" need not be in one written document. This, in itself, is a security issue. If the complete information security program is set out in one master document and this document is improperly accessed or otherwise compromised, the whole security program itself is likewise compromised.
Another aspect of the security of the written information security program is that it should not be provided to any third parties except as necessary for self-review or self-monitoring or to enforce the security program. There should be restrictions on whom an entity is required to provide with access to its information security program. Under almost no circumstances should a copy of the written security program be provided to third parties, unless they are an agent of, or working on behalf of, the entity to which the security program applies, such as the entity's own attorneys, auditors and security consultants.
To address these issues, after the enumerated objectives in Section 313.3 (b) the following wording should be added as a new sub-section (c):
The areas identified in the proposed rule to be addressed in the information security program, and the requirement that the program be written, are appropriate as minimum standards. These minimum standards, or floor, should apply to all entities under the FTC's jurisdiction, but flexibility in meeting these minimum standards should also be permitted. We feel the proposed rule accomplishes this.
Sec. 314.4 Elements - To develop, implement and maintain the information security program, the financial institution shall:
(a) Designate an employee or employees to coordinate it;
8. The designation of an employee or employees to coordinate a financial institution's information security program is intended to ensure accountability for achieving adequate safeguards.
FTC requested comments on the benefits and burdens of this requirement and/or other issues or concerns that it raises, as well as whether there are other effective means to achieve accountability for compliance with the rule.
Designating an employee or employees to coordinate the information security program may well be appropriate in many circumstances. However, consistent with the overall approach of flexibility and tailoring the requirements of the information security program to each specific situation, more flexibility should be permitted. For instance, one entity may want to assign the responsibility to specifically named individuals, another may want to assign the responsibility to a specific job position, and another small entity may not have the need to designate either a person or job position. Accordingly, it is suggested that the wording be revised to the following:
4. To provide guidance in conducting a risk assessment, the proposed rule requires financial institutions to consider such risks in each relevant area of their operations. Beyond the core areas of operations that a financial institution must consider, each financial institution has discretion to determine what additional areas of its operation are relevant to risk assessment.
FTC requested comments on the benefits and burdens of these specific requirements and/or other issues or concerns that these requirements raise; whether specifying certain areas of operation is helpful and appropriate; and/or whether additional guidance would be useful.
The guidance of this section in the proposed rule is helpful. However, due to the flexibility that should be allowed each entity to address its specific situation, the specific areas of risk assessment that are identified in the proposed rule should be illustrative rather than mandatory. By requiring that "risks in each relevant area of operations" be assessed, it is not necessary to then require that certain identified areas be addressed. If the areas are "relevant" then they are already required to be addressed, and it is the entity itself that is best able to determine the relevancy of any particular area.
Accordingly, the word "including" should be replaced with the words "such as", so that it reads:
The FTC should allow financial institutions to satisfy the requirement that they "identify reasonably foreseeable risks . . . to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure . . . and assess the safeguards in place to control these risks" through a "safe harbor" process. Financial institutions should be able to satisfy the above-mentioned regulatory requirement by adhering to industry risk assessment guidelines that have been approved by the FTC. One possible method by which financial institutions could qualify for "safe harbor" status would be through the implementation of a thorough, periodic (such as annual) security review. As part of such a security review, financial institutions would identify reasonably foreseeable security, confidentiality, and information integrity risks in each relevant area of operation and assess the safeguards in place to control these risks. Financial institutions that complete a "safe harbor" review process would be presumed to have met this regulatory requirement.
(c) Design and implement safeguards to control the risks identified in the risk assessment and regularly test or otherwise monitor the effectiveness of the key controls, systems, and procedures of the safeguards.
4. Each financial institution must address each relevant area of its operation in developing its program. Further, it must also test or monitor its program to make sure that it continues to meet changing operations and businesses. The FTC supports the use of testing. However, due to concern about the potential costs and effectiveness of such procedures, the proposed rule does not require that specific audit procedures or tests be used.
FTC requested comments on the benefits and burdens of the requirements of this section and/or other issues or concerns that it raises.
Due to changes in technology, there may be safeguards that technologically could be implemented but that are not reasonable to implement at the time they can be identified, due to costs or adverse impact on others that use or access the information. There needs to be an assessment of the benefit of the change and what is appropriate from usefulness and cost perspectives. It could be that a technologically available change would not provide much additional protection, would make the information very difficult to access and administer, and would come at a very high financial cost. The implementation of safeguards needs to take all of the many issues involved into account. To address these realities, this section should be revised to read:
The wording on "regular testing or otherwise monitoring" is appropriate in that it requires that one of these takes place, but allows discretion and flexibility as to what is appropriate in each specific situation. The rules should also provide for a "safe harbor" approach, discussed above, in this circumstance.
(d) Oversee service providers, by:
(1) only using service providers that can maintain appropriate safeguards for the customer information in their possession; and
(2) requiring that they maintain appropriate safeguards by contract.
3. This provision is intended to ensure that customer information remains protected when it is shared/provided with another entity to carry out processing, servicing, and similar functions on behalf of the financial institution. It also ensures that the safeguard obligations are not reduced just because certain functions are outsourced rather than performed in-house.
FTC requested comments on the benefits and burdens of this requirement and/or other issues or concerns that it raises, including: 1) whether additional guidance is needed on what safeguards are appropriate for service providers; 2) whether the contract requirement is necessary to ensure the protection of customer information or whether there is an equally protective alternative; 3) whether, for service providers that are themselves financial institutions or are subject to other safeguards standards, the rule should offer an exception to the contract requirement; and 4) whether the rule should apply to all service providers, given that the Privacy Rule does not require financial institutions to enter into confidentiality contracts with service providers that receive information under the general exceptions in sections 313.14 and 313.15 of that rule.
There is no need for additional guidance on the safeguards that are appropriate for service providers, provided that, as addressed previously, the definition of "service provider" excludes employees and individual independent contractors of financial institutions and their service providers. These individuals should be covered by appropriate confidentiality agreements. In order to protect customer information, all service providers should be required to comply with some safeguard rules. However, a service provider should only have to comply with one set of safeguard obligations. This is addressed by the additional wording to be added to sub-section 314.1(b) provided in the response to Comment 1 above.
However, service providers that receive customer information under the general exceptions in sections 313.14 and 313.15, should not be restricted in their use of the data as permitted in the Privacy Rule. This should be specifically addressed in the final rule.
4. The FTC understands that an entity providing services both to a financial institution subject to the FTC's Safeguard Rule and to one subject to the Banking Agency Guidelines could be subject to contractual obligations under both. In some cases, a service provider, such as a data processor, that is subject to those contractual obligations would also be a financial institution subject to the FTC's Rule. The FTC believes, however, that the similarity of the FTC's proposed Safeguard Rule to the Banking Agency Guidelines, and the flexible standards of the FTC's proposed rule, should prevent any conflict.
FTC requested comment on any potential difficulty for service providers in complying simultaneously with these various requirements.
A service provider should only be required to comply with one set of safeguard rules and not multiple ones. If the service provider is not directly obligated to comply with the safeguard rules issued by one of the federal agencies, then it should be required by contract to comply with some safeguard requirements that it selects, either those of the financial institution that provides customer information to it or those of some other federal regulatory body. Since consumer reporting agencies are within the jurisdiction of the FTC and also have privacy and information usage requirements under the FCRA, they should only have to comply with these requirements and not the safeguard guidelines or rules of other financial institutions. The FTC safeguard rules/guidelines should specifically state this, and those for other financial institutions should also recognize this. This is addressed by the additional wording to be added to sub-section 314.1(b) provided in the response to Comment 1, as well as the final paragraph of that response.
(e) Review and revise the information security program because of any material changes in business that may affect the safeguards.
5. Material changes may include: changes in technology; changes to its operations or business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, or changes in the services provided; new or emerging internal or external threats to information security; or other circumstances that give the financial institution reason to know that its information security program is vulnerable to attack or compromise.
FTC requested comments on the benefits and burdens of this requirement and/or other issues or concerns that it raises.
This proposed wording is too specific and focuses more on the process and away from the objectives of the safeguard rules and the information security program. Using the term "material changes" could well lead to nonproductive disputes regarding whether a change is "material" or not. There should be a more general requirement to keep the information security program appropriate for the changing environment of the financial institution involved.
Suggested revised wording is as follows:
Further, the rule should provide a "safe harbor" for compliance with this requirement, such as through thorough annual reviews and updates of the information security program.
Sec. 314.5 Effective date - Each financial institution must implement its information security program pursuant to this rule within one year of the date the final rule is issued.
6. Each financial institution is to implement its information security program within one year after the final rule is issued.
FTC requested comments on whether one year is an appropriate amount of time for financial institutions to be in compliance with the Safeguard Rule. Also, should the Safeguard Rule contain a transition period to allow the continuation of existing contracts with service providers, even if they would not be in compliance with the Safeguard Rule's requirements? This could be similar to the two-year period for grandfathering existing contracts in the Privacy Rule.
One year from the date the final rule is issued is an appropriate amount of time for financial institutions to be in compliance with the Safeguard Rule. However, there should be specific wording in the rule that provides for a two-year transition period for existing service providers and also that these contracts are grandfathered for this two-year transition period.
We hope that these comments will assist the FTC in its preparation of the final Safeguard Rules.
Richard G. Goerss