BEFORE THE FEDERAL TRADE COMMISSION
COMMENTS OF THE NATIONAL ASSOCIATION OF CONSUMER AGENCY ADMINISTRATORS
The National Association of Consumer Agency Administrators ("NACAA") submits the following commentary in response to the Federal Trade Commission's ("FTC" or "Commission") Notice seeking comments on its proposed standards relating to administrative, technical and physical information safeguards for financial institutions subject to the Commission's jurisdiction, pursuant to sections 501(b) and 505(a)(7) of the Gramm-Leach-Bliley Act ("the Act").
NACAA is a non-profit association representing over 160 consumer agencies at all levels of government in the United States and several other countries. Member agencies provide direct constituent services, including consumer complaint mediation, consumer education, the provision of information to both consumers and businesses about their respective legal rights and responsibilities, and the enforcement of consumer protection laws and regulations. NACAA supports public agencies responsible for ensuring a fair and informed marketplace, and those representing the rights of consumers.
SECURITY OF CUSTOMER INFORMATION HELD BY "AFFILIATE"
Within 16 CFR section 313.3(a), the Commission has defined "affiliate" to mean broadly "any company that controls, is controlled by, or is under common control with another company," and in 16 CFR 314.2, defines "customer information" as "any record containing nonpublic personal information, as defined in 16 CFR 3.13(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates." These definitions clearly require even non-financial affiliates to maintain the security of customer information. NACAA believes that these provisions create appropriate safeguards for customer information that should not burden affiliates beyond a "pass along" of the obligations of the financial institution that shares the information with them. However, NACAA would urge that consideration be given by the Commission to extending these protections to "consumer information," as well as customer information. NACAA notes that it may be difficult for a financial institution (or its affiliate) to distinguish between customer and consumer information, and further notes that it is unlikely in the extreme that a mere "consumer" will recognize the distinction between the privacy afforded his or her nonpublic personal information, and that afforded "customer information."
INFORMATION SECURITY PROGRAM AND SERVICE PROVIDERS
In 16 CFR part 314.2, the Commission has defined "Information security program" to mean the "administrative, technical or physical safeguards you use to access, collect, process, store, use, transmit, dispose of, or otherwise handle customer information," and "service provider" to mean "any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to the rule." NACAA understands and approves the "plain meaning" of these terms, which, for the administrative safeguards of the security program, includes the written protocols given to staff pursuant to 16 CFR 314.3 for direction in securing customer information. NACAA believes, however, that a service provider may receive, maintain or process "consumer information" as well as customer information, and that this term should be added to the definition of service provider, unless a service provider does not, in fact, access this information at any point.
DESIGNATION OF EMPLOYEE FOR PROGRAM COORDINATION, INSTITUTIONAL RISK ASSESSMENTS, OVERSIGHT OF SERVICE PROVIDER
NACAA believes that the Commission has struck the appropriate balance on the side of consumer privacy by requiring a financial institution to designate a specific employee or employees to coordinate its information security program. While a financial institution of whatever size may intend to keep a close watch on the security of nonpublic information, this task can go unfulfilled unless a specific employee bears the responsibility both to assess risks and to guard against them. Changes in security measures over time, and developments in the industries that process, store, transmit and dispose of information, must be tracked by an individual familiar with the financial institution's past and current security measures, in order to ensure that changes are made for the sake of improvement and are not unduly burdensome for the institution. Designating at least one employee also means that interpretations within the institution will be consistent, and if a question arises, others will know where to go for help.
NACAA also believes that the requirement that a service provider enter into a written contract concerning the maintenance of the privacy of nonpublic personal information demonstrates the seriousness of the issue to the provider, and provides a measure by which the institution and its designated employee can review the conduct of the service provider for compliance.
NACAA further agrees that it is important that a financial institution, pursuant to 16 CFR 314.4(e), have a continuing obligation to evaluate and adjust its information security program in light of any material changes to its business that may affect its safeguards. As noted above, changes in technology, as well as changes in the lines of business in which a financial institution subject to the rule may engage, require that the rule and its requirements be reviewed at a time of change, as, for example, when a business that previously issued its own credit cards ceases doing so: its obligations under the rule may well change, and it may, in fact, no longer either maintain or share the nonpublic personal information it previously gathered. Toward that end, NACAA encourages the Commission to define what a financial institution under its jurisdiction must do to maintain or destroy the information previously gathered if it no longer fits within the rule.
NACAA appreciates the opportunity to provide these comments to the Commission to assist in the development and implementation of the Safeguards Rule. NACAA invites the Commission to contact our Association for further clarification of our position, or to request that NACAA respond to any questions that the Commission may have regarding these comments.
Dated: October 5, 2001