Last week, the Federal Trade Commission (the “FTC”) announced plans to review the Safeguards Rule of the Gramm-Leach-Bliley Act (“GLBA”). The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive, written information security program which contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. The areas in which the FTC seeks comment suggest that the FTC is evaluating a broader definition of financial institutions and security requirements, issues that could have important implications for FinTech companies.
Safeguards Rule Currently Not Prescriptive
As it stands, the Safeguards Rule is not terribly specific and may not capture all companies working with consumer financial data. In terms of requirements, it instructs financial institutions to identify reasonably foreseeable internal and external data security risks and to design and implement information safeguards to control those risks. In connection with those requirements, there is an expectation that there will be ongoing monitoring and assessment of security procedures and appropriate adjustments as needed.
Safeguards Rule Does Not Currently Reach All Companies Working in the Financial Sector
Another issue that seems to concern the FTC is that GLBA does not reach all companies tinkering in the financial space. It applies only to “financial institutions” (as defined in the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k))) that are significantly engaged in financial activities. Those companies engaging in activities that are considered to be “incidental” or “complementary” to financial activities are not subject to GLBA. In addition, activities that were determined to be financial in nature after the enactment of GLBA may also be excluded from the Safeguards Rule.
FTC Seeks Comments re Issues of Concern
In addition to more general questions of the relative cost and benefits of the Safeguards Rule to consumers and companies alike, the specific issues raised for comment show a focus on more explicit security and response requirements as well as broadening the reach of GLBA. In particular, the FTC is seeking comment on the following questions:
- Should the Safeguards Rule include the requirement of a breach response plan?
- Should the Safeguards Rule be more prescriptive in nature, for instance requiring compliance with the National Institute of Standards and Technology’s Cybersecurity Framework (i.e. the NIST standards) or the Payment Card Industry Data Security Standard (i.e. PCI DSS)?
- Should the term “financial institution” be expanded to include activities that the Federal Reserve Board has found to be “incidental” to financial activities?
- Should the term “financial institution” also include companies engaged in activities that are closely related to banking but are currently not subject to GLBA because they were not identified as financial activities at the time GLBA was enacted?
While we don’t know what kind of feedback the FTC will receive, or what the ultimate outcome of the review will be, one thing is clear: the FTC is focused on whether the lack of specificity in the Safeguards Rule is problematic and whether too many companies in the finance sector are able to elude GLBA’s grasp. For those fintech companies either interpreting GLBA security and response requirements loosely, or not subject to GLBA at all, it is a warning shot that the FTC is increasingly concerned about security procedures in the realm of finance.