Data Privacy Rules Step Up to the Next Level

Blake Koloseike

Associate Editor

Loyola University Chicago School of Law, JD 2020

The Federal Trade Commission (FTC) recently proposed two amendments to the Privacy Rule and Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive information security system. This rule went into effect in 2003. The Privacy Rule requires financial institutions to inform customers about its information-sharing practices and allows customers to opt out of having their information shared with certain third parties. This rule went into effect in 2000. The recent amendments to these two rules are intended to further protect consumers’ data from third parties. However, the changes could also adversely affect businesses.

The Expansion of Data Privacy Will Likely Protect Consumers

The proposed changes include encryption of all consumer data, implementing access controls to prevent unauthorized uses from accessing consumer information, implementing multifactor authentication to access consumer data, and requiring period reports submitted to the boards of directors to ensure compliance. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, said, “we are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business.” The proposals are intended to align with technological advancements. The FTC has said that having access controls, such as encryption and multifactor authentication, is a fundamental requirement of all information security programs and encryption is a necessary protection for customer information.

The FTC’s proposed changes to the Privacy Rule would bring the rules into line with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015, which modified the annual privacy notice requirement under the GLBA. Further, the amendments would revise the scope of the Privacy Rule, altering the definition of “financial institution” under the Safeguards and Privacy Rule. This would expand the definition to include companies engaged in activities “incidental to financial activities.” This would also include “finders” or those who charge a fee to connect consumers looking for a loan to a lender.

The proposed amendments are also designed to ensure that non-bank financial technology entities, or “fintechs, are subject to the same cyber security requirements as banks are under the Federal Financial Institutions Examination Council (“FFIEC”) interagency guidelines. These proposed regulations could impose a new minimum security standard that implicates many businesses, including those outside the coverage of the current Safeguards and Privacy Rule.

FTC Commissioners Concerned by the Proposed Changes

Two of the FTC commissioners, Noah Phillips and Christine Wilson, voted against increasing the requirements. They believe that it may not be appropriate to mandate such prescriptive standards for all market participants. Some of the specific proposals are in response to shortcomings in data security enforcement cases and investigations. The commissioners argue that not all of the shortcomings concern firms covered by the Safeguard and Privacy Rules. Further, these prescriptive standards impose a one-size-fits-all approach, which they believe could be troublesome. Phillips and Wilson also believe that the regulations may be premature. The proposed regulations are based on regulations by the New York State Department of Financial Services that were enacted just two years ago with no data regarding the efficacy of those regulations. They believe it is too early to adopt them at a federal level.

Furthermore, the current regulations are flexible in their approach, determined by the company’s size and complexity. The proposed regulations would move away from that flexibility. Phillips and Wilson believe the expansion could lead to traps for small and innovative businesses. Large companies can more easily absorb regulatory compliance costs than smaller companies. These regulations could potentially decrease competition in the marketplace. Additionally, the prescriptive standards may have unintended consequences of diluting data security measures under the existing Safeguard Rule, such as… [include an example]. Finally, the Commissioners believe that firms, rather than federal regulators, are in a better position of deciding board engagement on data security. The Commissioners are aware that these regulations are merely being proposed currently, but they believe that if these new regulations pass, there may be unplanned negative repercussions.

Overall, the FTC is seeking comment on the proposed amendments for sixty days. Phillips and Wilson are encouraging those in the industry, academia, and civil society with expertise in data privacy to comment and provide evidence on the proposal. Although these regulations protect consumers’ data, they could prove to have negative effects on businesses that must comply with them.