Blake Koloseike<\/i><\/p>\n
Associate Editor<\/i><\/p>\n
Loyola University Chicago School of Law, JD 2020<\/i><\/p>\n
T<\/ins><\/span>he Federal Trade Commission (\u201c<\/ins><\/span>FTC\u201d<\/ins><\/span>) recently <\/ins><\/span>proposed two amendments to the Privacy Rule and Safeguards Rule under the Gramm-Leach-Bliley Act<\/a> (\u201c<\/ins><\/span>GLBA\u201d<\/ins><\/span>). The Safeguards Rule<\/a> requires financial institutions to develop, implement, and maintain a comprehensive information security system. This rule went into effect in 2003<\/a>. The Privacy Rule<\/a> requires financial institutions to inform customers about its information-sharing practices and allows customers to opt out of having their information shared with certain third parties. This rule went into effect in 2000<\/a>. The recent amen<\/ins><\/span>dments to these two rules <\/ins><\/span>are intended to further protect consumers\u2019 data from third parties. However, <\/ins><\/span>the changes could also adversely affect businesses.<\/p>\n <\/p>\n The Expansion of Data Privacy Will Likely Protect Consumers<\/b><\/p>\n The proposed changes<\/a> include encryption of all consumer data, implementing access controls to prevent unauthorized uses from accessing consumer information, implementing multifactor authentication to access consumer data, and requiring period reports submitted to the boards of directors to ensure compliance. Andrew Smith<\/a>, Director of the FTC\u2019s Bureau of Consumer Protection, said, \u201cw<\/ins><\/span>e are proposing to amend our data security rules for financial institutions to better protect consumers and provide more certainty for business.\u201d The proposals are intended to align with technological advancements<\/a>. The FTC has said that having access controls, such as <\/ins><\/span>encryption and multifactor authentication,<\/ins><\/span> is a fundamental requirement<\/a> of all information security programs and encryption is a necessary protection for customer information.<\/p>\n The FTC\u2019s proposed changes to the Privacy Rule would bring the rules into line with changes implemented by Congress through the Dodd-Frank Act<\/a> in 2010 and the FAST Act in 2015, which modified the annual privacy notice requirement under the GLBA. Further, the amendments would revise the scope<\/a> of the Privacy Rule, altering the definition of \u201cfinancial institution\u201d under the <\/ins>Safeguards and <\/ins><\/span>Privacy<\/ins><\/span> Rule. This would expand the definition to include companies engaged in activities \u201cincidental to financial activities<\/a>.\u201d T<\/ins><\/span>his would also <\/ins><\/span>include \u201cfinders<\/a>\u201d or those who charge a fee to connect consumers looking for a loan to a lender.<\/p>\n The proposed amendments are also designed to ensure that non-bank financial technology entities<\/a>, or \u201c<\/ins><\/span>fintechs\u201d<\/ins><\/span>, are subject to the same cyber security requirements as banks are under the Federal Financial Institutions Examination Council (\u201c<\/ins><\/span>FFIEC\u201d)<\/ins><\/span> interagency guidelines. These proposed regulations could impose a new minimum security standard that implicates many businesses, including those outside the coverage of the current Safeguards and Privacy<\/ins><\/span> Rule.<\/p>\n FTC Commissioners Concerned by the Proposed Changes<\/b><\/p>\n Two of the FTC commissioners, Noah Phillips and Christine Wilson, voted against<\/a> increasing the requirements. They believe that it may not be appropriate to mandate such prescriptive standards<\/a> for all market participants. Some of the specific proposals are in response to shortcomings<\/a> in data security enforcement cases and investigations. The c<\/ins><\/span>ommissioners argue<\/a> that not all of the shortcomings concern firms covered by the Safeguard and Privacy Rules. Further, these prescriptive standards impose a one-size-fits-all<\/a> approach, which they believe could be troublesome. Phillips and Wilson also believe that the regulations may be premature. The proposed regulations are based on regulations by the New York State Department of Financial Services<\/a> that were enacted just two years ago with no data regarding the efficacy of those regulations. They believe it is too early to adopt them at a federal level.<\/p>\n Furthermore, the current regulations are flexible<\/a> in their approach, determined by the company\u2019s size and complexity. The proposed regulations would move away<\/a> from that flexibility. Phillips and Wilson believe the expansion could lead to traps<\/a> for small and innovative businesses. Large companies can more easily absorb regulatory compliance<\/a> costs than smaller companies. These regulations could potentially decrease competition<\/a> in the marketplace. Additionally, the prescriptive standards may have unintended consequences<\/a> of diluting data security measures under the existing Safeguard Rule, such as\u2026 [include an example]<\/ins><\/span>. Finally, the Commissioners believe that firms, rather than federal regulators, are in a better position of deciding board engagement<\/a> on data security. The Commissioners are aware that these regulations are merely being proposed currently, but they believe that if these new regulations pass, there may be unplanned negative repercussions<\/a>.<\/p>\n