FTC Invites Comments on GLBA Safeguards Rule

Chief Executive Officer at NetWatcher
September 11, 2016

We would encourage all credit unions and community banks to take this opportunity to give the Federal Trade Commission (FTC) feedback on the GLBA Safeguards Rule.

The FTC published "16 CFR Part 314, RIN 3084-AB35" in the September 7, 2016 Federal Register (Vol. 81, No. 173, Proposed Rules), inviting comments on the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule. Comments must be received on or before November 7, 2016 and can be submitted with this form. The FTC is seeking information about the costs and benefits of the Safeguards Rule and its regulatory and economic impact, and requests written comment on any or all of the questions below.

Many community banks we've talked to raise the cost of compliance and the way it is audited, compared with other compliance regimes like PCI DSS, which tier merchants by transaction volume and scale the validation requirements for small, medium and large businesses accordingly (see more on how PCI DSS attempts this here). We would encourage those with strong opinions to comment.

Here are all of the questions:

General Issues

  1. Is there a continuing need for specific provisions of the Rule? Why or why not?
  2. What benefits has the Rule provided to consumers? What evidence supports the asserted benefits?
  3. What modifications, if any, should be made to the Rule to increase its benefits to consumers?
    1. What evidence supports the proposed modifications?
    2. How would these modifications affect the costs the Rule imposes on businesses, including small businesses?
  4. What significant costs, if any, has the Rule imposed on consumers? What evidence supports the asserted costs?
  5. What modifications, if any, should be made to the Rule to reduce any costs imposed on consumers?
    1. What evidence supports the proposed modifications?
    2. How would these modifications affect the benefits provided by the Rule?
  6. What benefits, if any, has the Rule provided to businesses, including small businesses? What evidence supports the asserted benefits?
  7. What modifications, if any, should be made to the Rule to increase its benefits to businesses, including small businesses?
    1. What evidence supports the proposed modifications?
    2. How would these modifications affect the costs the Rule imposes on businesses, including small businesses?
    3. How would these modifications affect the benefits to consumers?
  8. What significant costs, if any, including costs of compliance, has the Rule imposed on businesses, including small businesses? What evidence supports the asserted costs?
  9. What modifications, if any, should be made to the Rule to reduce the costs imposed on businesses, including small businesses?
    1. What evidence supports the proposed modifications?
    2. How would these modifications affect the benefits provided by the Rule?
  10. What evidence is available concerning the degree of industry compliance with the Rule?
  11. What modifications, if any, should be made to the Rule to account for changes in relevant technology or economic conditions? What evidence supports the proposed modifications?
  12. Does the Rule overlap or conflict with other federal, state, or local laws or regulations? If so, how?
    1. What evidence supports the asserted conflicts?
    2. With reference to the asserted conflicts, should the Rule be modified? If so, why, and how? If not, why not?


Specific Issues

  1. Should the elements of an information security program include a response plan in the event of a breach that affects the security, integrity, or confidentiality of customer information? Why or why not? If so, what should such a plan contain?
    1. What evidence supports such a modification?
    2. How would this modification affect the costs the Rule imposes on businesses, including small businesses?
    3. How would this modification affect the benefits to businesses?
    4. How would this modification affect the costs the Rule imposes on consumers?
    5. How would this modification affect the benefits to consumers?
  2. Should the Rule be modified to include more specific and prescriptive requirements for information security plans? Why or why not? If so, what requirements should be included and what sources should they be drawn from?
    1. What evidence supports such a modification?
    2. How would this modification affect the costs the Rule imposes on businesses, including small businesses?
    3. How would this modification affect the benefits to businesses?
    4. How would this modification affect the costs the Rule imposes on consumers?
    5. How would this modification affect the benefits to consumers?
  3. Should the Rule be modified to reference or incorporate any other information security standards or frameworks, such as the National Institute of Standards and Technology's Cybersecurity Framework or the Payment Card Industry Data Security Standards? If so, which standards should be incorporated or referenced and how should they be referenced or incorporated by the Rule?
    1. What evidence supports such a modification?
    2. How would this modification affect the costs the Rule imposes on businesses, including small businesses?
    3. How would this modification affect the benefits to businesses?
    4. How would this modification affect the costs the Rule imposes on consumers?
    5. How would this modification affect the benefits to consumers?
  4. For the purpose of clarity, should the Rule be modified to include its own definitions of terms, such as ‘‘financial institution’’, rather than incorporating the definitions found in the Privacy Rule?
    1. What evidence supports such a modification?
    2. How would this modification affect the costs the Rule imposes on businesses, including small businesses?
    3. How would this modification affect the benefits to businesses?
    4. How would this modification affect the costs the Rule imposes on consumers?
    5. How would this modification affect the benefits to consumers?
  5. The current Safeguards Rule incorporates the Privacy Rule's definition of ''financial institutions'' as entities that are significantly engaged in financial activities, including activities found to be closely related to banking by regulation or order in effect at the time of enactment of the G-L-B Act. Should the Safeguards Rule's definition of ''financial institution'' be modified to also include entities that are significantly engaged in activities that the Federal Reserve Board has found to be incidental to financial activities? Should it also include activities that have been found to be closely related to banking or incidental to financial activities by regulation or order in effect after the enactment of the G-L-B Act? If so, should all such activities be included in the modified definition? What evidence supports such a modification?
    1. How would this modification affect the costs the Rule imposes on businesses, including small businesses?
    2. How would this modification affect the benefits to businesses?
    3. How would this modification affect the costs the Rule imposes on consumers?
    4. How would this modification affect the benefits to consumers?

From our perspective, wouldn't it be nice if HIPAA, PCI DSS, GLBA, FINRA and all of the other compliance regimes standardized on the NIST Cybersecurity Framework? They all largely look for the same issues and call for the same kinds of policies, procedures and protections. Specific Issue 3 above asks exactly whether the Safeguards Rule should reference the NIST Cybersecurity Framework or PCI DSS, so this comment period is the place to say so.
