The FISMA Focus IPD

The FTC today announced a request for public comment on the Standards for Safeguarding Consumer Information Rule (the Safeguards Rule). The FTC promulgated the Safeguards Rule in 2002, implementing Title V of the Gramm-Leach-Bliley Act (GLBA), which required federal agencies to establish standards for the administrative, technical, and physical safeguards employed by financial institutions for certain information. In addition to general requests for comment, the FTC requested that five specific issues be addressed, which we have outlined below. Comments are due by November 7, 2016.

The Safeguards Rule

The FTC’s Safeguards Rule applies to the treatment of “customer information” by “financial institutions.” The FTC now seeks comment on the scope of the Rule; particularly the definition of “financial institution.” The Safeguards Rule currently only applies to those financial institutions over which the FTC has jurisdiction—not all financial institutions—for example, banks, credit unions, thrifts, investment advisers, broker-dealers, and insurance companies (for much of their activities). For purposes of the Safeguards Rule, a financial institution is “any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)).” Any institution that is “significantly engaged” in financial activities would qualify as a financial institution. Unlike other agencies, the FTC restricted its understanding of the term “financial activities” to those activities that are truly financial in nature, and excluded activities that were incidental or complementary to financial activities. The FTC Request for Comment seeks comment on whether to amend the Rule to include “incidental” activities or activities that were determined to be financial in nature after 1999 (when the GLBA was enacted) or incidental to those activities.