NP Privacy Partner
FTC seeks public comment on financial institution safeguards rule
On August 29, the Federal Trade Commission (“FTC”) announced that it seeks public comment on the Standards for Safeguarding Customer Information (“Safeguards Rule”), as part of its systematic review of all FTC rules and guides. The Safeguards Rule requires financial institutions to develop, implement and maintain a comprehensive information security program to handle customer information.
The FTC promulgated the Safeguards Rule pursuant to the Gramm-Leach-Bliley Act, which was enacted in 1999 to reform and modernize the banking industry. In 2000, the FTC issued a Privacy Rule under the Act to limit disclosure of non-public information. Three years later, the FTC promulgated the Safeguards Rule, applicable to all financial institutions.
The Safeguards Rule applies to financial institutions’ handling of customer information, defined as “any record containing nonpublic personal information . . . about a customer of a financial institution, whether in paper, electronic, or other form” that is “handled or maintained by or on behalf of” a financial institution or its affiliates. The Safeguards Rule does not apply to all consumer information; it applies to information of customers, which are consumers with a continuing relationship with a financial institution providing financial products or services used primarily for personal, family or household purposes. Also, the Safeguards Rule is not limited to a financial institution’s own customers, but extends to all customer information in the financial institution’s possession, including information about other financial institutions’ customers.
The required comprehensive information security program must identify reasonably foreseeable internal and external risks. The program must be a continual process, and it must designate employees to coordinate its effectiveness. The financial institution must also take reasonable steps to select and retain service providers who can appropriately safeguard customer information.
In its evaluation of the Safeguards Rule, the FTC seeks public comment on a series of questions, focusing on its benefits, costs and necessary modifications. The FTC is also evaluating whether specific measures should be prescribed as part of the required comprehensive information security program, including response plans and the incorporation of other standards such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Payment Card Industry Data Security Standards.
Comments may be filed online or on paper, and the FTC must receive them by November 7. Comments will be made public on the FTC’s website, so commenters should take care to exclude any sensitive information or trade secrets. Information about the FTC’s request for comments and the process is available on the FTC’s website.


This website contains attorney advertising. Prior results do not guarantee a similar outcome. © 2018 Nixon Peabody LLP