Aug. 29 — The Federal Trade Commission announced Aug. 29 that it is opening a public comment period to evaluate its rules for safeguarding customer information under the Gramm-Leach-Bliley Act (GLB).
The Safeguards Rule, 16 C.F.R. § 314.3, requires financial institutions to have mechanisms to secure customer information. The financial institutions covered by the rule must also ensure that their affiliates and service providers protect consumer data. The FTC has enforcement powers over the privacy provisions of the GLB.
In addition to the Safeguards Rule, the FTC may regulate unfair and deceptive acts or practices under Section 5 of the FTC Act. The FTC has used Section 5 to bring data security enforcement actions against companies whose data security practices are unfair or deceptive to consumers.
The FTC is seeking comment on the economic impact and benefit of the Safeguards Rule as well as whether state and local laws conflict with the rule. The agency also wants to analyze whether technology, economic or industry changes have affected the rule.
But no changes to the Safeguards Rule may be necessary given its flexibility, Nathan D. Taylor, a privacy and data security partner at Morrison & Foerster LLP in Washington, told Bloomberg BNA Aug. 29.
The Safeguards Rule “by design puts in place a risk-based process that is both flexible and adaptable.” The rule, instead of requiring specific safeguards, calls for “risk assessments and the implementation of safeguards to address identified risk,” he said.
Because of this flexibility, “the rule is specifically designed to be able to respond to changes in technology and changes in the threat landscape,” Taylor said.
The Safeguards Rule review is part of an agency-wide assessment of all FTC rules. The public comment period will run until Nov. 7.
Although the FTC has faced increased challenges from other federal agencies over its position as the primary federal privacy and data security regulator, the changes to the Safeguards Rule are just “part of the FTC's ongoing regulatory review,” Taylor said.
The Federal Communications Commission increased its data security enforcement actions in 2015 by collecting $30 million in fines against telecommunications companies for data breaches (14 PVLR 2192, 12/7/15). In addition, the FCC March 31 proposed a general data security standard for broadband internet service providers (15 PVLR 717, 4/4/16). The agency hopes the broadband data security rules will be completed by the end of 2016, even with pushback from some U.S. legislators (15 PVLR 1486, 7/18/16).
The Consumer Financial Protection Bureau in 2016 issued its first data security enforcement action against a financial services company. The CFPB March 2 levied a $100,000 fine on Dwolla Inc. for making false representations about the company's data security practices in violation of the Consumer Financial Protection Act (15 PVLR 503, 3/7/16).
The Dwolla decision didn't necessarily motivate the FTC to look at the financial services data security rule, Taylor said. However, it's possible “the FTC identified GLB data security as a candidate for this round of regulatory review based on the federal banking agencies' recent indications that they will update their own safeguards rule,” he said.
The FTC has also seen challenges from companies that don't think the agency has broad authority to enforce allegedly lax data security standards. However, the agency July 29 reasserted its data security authority in an enforcement action against medical testing company LabMD Inc.
The FTC ruled that to demonstrate unfairness to consumers under Section 5 of the FTC Act its enforcement staff needn't demonstrate specific harm to consumers from a data breach in order to take action against a company. Allegedly lax data security leading to a breach is enough on its own without more to show unfair business practices, the commission held (15 PVLR 1593, 8/8/16).
The LabMD decision followed the U.S. Court of Appeals for the Third Circuit's Aug. 24, 2015 decision in FTC v. Wyndham Worldwide Corp., where the court held the Commission has authority under the unfairness prong of Section 5 of the FTC Act to take enforcement action against companies over their allegedly lax data security practices (14 PVLR 1592, 9/7/15).
Unlike many European Union countries that have a designated data security regulator, the FTC may continue to face challenges from consumer and other U.S. regulators over who has the power to enforce and regulate data security practices.
To contact the reporter on this story: Daniel R. Stoller in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.