October 9, 2001
Re: Gramm-Leach-Bliley Act Privacy Safeguards Rule, 16 CFR Part 314 - Comment
The National Automobile Dealers Association ("NADA") submits the following comments to the Federal Trade Commission's ("FTC" or "Commission") proposed standards for safeguarding customer information that implement section 501(b) of the Gramm-Leach-Bliley ("GLB") Act.
NADA represents over 19,000 franchised automobile and truck dealers who sell new and used motor vehicles and engage in service, repair and parts sales. Together our members employ in excess of 1,000,000 people nationwide. More than 60% of our members are small businesses as defined by the Small Business Administration.
NADA supports the FTC's intent to provide a flexible approach to safeguarding customer information in order to minimize the rule's burdens on small entities. The wide range of financial institutions regulated by the FTC clearly requires safeguards that account for their respective size, structure and resources. This approach would be undermined if the FTC mandated that all financial institutions adhere to certain fixed minimum procedures.
Although NADA supports the adoption of flexible standards, we believe several portions of the proposed rule need to be clarified to promote regulatory compliance and lessen the burden on small entities.
The Need for Guidelines and Examples
In the Notice of Proposed Rulemaking, the Commission expresses concern about the potential impact of the proposed standards on small institutions and "invites comment on the costs of establishing and operating an information security program for such entities, particularly any costs stemming from the proposed requirements to: (1) Designate an employee or employees to coordinate safeguards; (2) regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems and procedures; (3) develop a comprehensive information security program in written form; and (4) ensure that affiliates with which the entities share information maintain adequate safeguards." 66 Fed. Reg. 41168. We share the Commission's concern since many small entities lack the in-house resources to perform these measures with any assurance that they will have met the standards for safeguarding customer information.
This concern stems largely from the size limitations of many entities governed by the proposed regulation. According to 1999 data maintained by NADA, 5,292 franchised new automobile dealerships have 30 or fewer employees, 1,706 have 20 or fewer employees, and 575 have 10 or fewer employees. These "financial institutions" must comply with an array of regulations from numerous federal and state agencies usually without the assistance of a governmental compliance department or other in-house office that can monitor recent developments and ensure their business is adhering to the multitude of requirements placed upon them. Without this type of support, an owner or manager frequently must oversee these requirements while fulfilling other unrelated duties. Consequently, many dealers and other small entities are forced to retain outside assistance, often at considerable expense, to determine the necessary changes to their existing business practices.
Although this burden cannot be completely eliminated, it can be reduced by providing guidelines that may assist small entities. For instance, the requirement contained in proposed section 314.4(c) to "design and implement information safeguards" should specify that it is fulfilled if the financial institution employs safeguards that are commercially reasonable. This should account for the resource limitations of a financial institution and the technological limitations of the service providers that support it. The FTC should further assist small entities by setting forth illustrative guidelines as to how they may conduct their risk assessments (beyond the steps specified in the proposed rule) and by providing non-exclusive examples of how they may comply with the implementation and monitoring requirements contained in proposed section 314.4(c). These guidelines should consider customer information that is contained in both paper and electronic form and should further consider the existing record retention requirements that apply to that information. Each guideline should be clear, practical and, to the maximum extent possible, designated by the FTC as a safe harbor.
The definition of a "service provider" and the requirements applicable to service providers should be consistent with the service provider requirements in 16 CFR Part 313. Any other result will inject confusion and uncertainty about a financial institution's obligations with respect to service providers. This will occur if a financial institution has to distinguish between a "Part 313 service provider" and a "Part 314 service provider." Both parts implement Title V of the GLB Act and are intended to "respect the privacy of customers and protect the security and confidentiality of those customers' nonpublic personal information." 15 U.S.C. § 6801(a). The FTC will enhance understanding and compliance with the GLB requirements by applying uniform treatment to this term.
Consistent with this approach, financial institutions should not be required to ensure that service providers "are capable of maintaining appropriate safeguards for the customer information at issue." Proposed 16 CFR § 314.4(d)(1). Many financial institutions will be unable to make such a determination about a nonaffiliated entity since they will lack direct knowledge of the service provider's practices and procedures for safeguarding customer information. Consequently, they either will have to conduct a thorough review of those procedures to make this determination (which is a practical impossibility for many automobile dealerships that utilize multiple service providers) or, if a more limited review is mandated, it will fail to enhance the intended protection of the customer information at issue. In addition, the proposed requirement departs from the Commission's approach in 16 CFR § 313.13(a)(1)(ii), which does not require such oversight but rather limits the financial institution's responsibility to entering into the necessary contractual agreement. The proposed oversight requirement at 16 CFR § 314.4(d)(1) therefore should be deleted from the final rule.
The Commission also should clarify the relationship between this contractual restriction and that imposed by 16 CFR § 313.13(a)(1)(ii). Are service provider contracts that contain the 16 CFR § 313.13(a)(1)(ii) contractual restriction sufficient to fulfill the proposed 16 CFR § 314.4(d)(2) contractual restriction? If not and the financial institution must ensure that both the Part 313 and proposed Part 314 restrictions are contained in its contract with the service provider, can the Commission provide an example of the language that would satisfy the requirements of both? In addition, will the Commission, similar to its approach in 16 CFR § 313.18(c), allow financial institutions a longer period to fulfill this requirement if they entered into contracts with service providers before the effective date of the proposed regulation? The reasons for providing the "grandfather" period in the Part 313 context are equally compelling in the Part 314 context.
Similar to the definition of "service provider," the definition of "customer information" in proposed Part 314 should be consistent with the definition of "nonpublic personal information" in Part 313. Any expansion of the term "nonpublic personal information" in the proposed safeguarding rule will create confusion amongst financial institutions and customers about the scope and application of the GLB privacy protections. If the final rule retains the proposed definition "to ensure that customer information does not lose its protections merely because it is shared with affiliates," 66 Fed. Reg. 41164, it should state that the term has the same meaning as "nonpublic personal information" in Part 313 in all other respects.
The Commission should extend the proposed one-year effective date contained in proposed section 314.5 to at least 18 months after the final rule is issued. The time required to educate financial institutions about the new requirements, and the time it will take financial institutions to conduct risk assessments, develop and implement information safeguards, create comprehensive written information security programs, train personnel and adjust their operations, necessitates an implementation period significantly longer than the one-year period in the proposed rule.
NADA appreciates the opportunity to comment on the FTC's proposed customer information safeguards.
Paul D. Metrey