Tech & Sourcing @ Morgan Lewis


The Federal Trade Commission (FTC) is requesting comments on proposed amendments to two rules addressing the privacy and security of customer information under the Gramm-Leach-Bliley Act. The FTC plans to publish the notices in the Federal Register in the near future.

The “Safeguards Rule” requires a financial institution under the FTC’s jurisdiction to develop, implement, and maintain a comprehensive security program that is appropriate to its size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Under the rule, financial institutions must designate an employee or employees to coordinate their information security program in order to ensure accountability and establish adequate safeguards. The rule further requires financial institutions to consider risks in each area of their operations, including three areas that the FTC believes are particularly relevant to information security: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) detecting, preventing, and responding to attacks, intrusions, or other systems failures.

The FTC is proposing changes to the Safeguards Rule to add more detailed requirements for the safeguards that financial institutions must include in the comprehensive security programs mandated by the rule. As an example, the FTC is proposing to require financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data. The FTC is also proposing that financial institutions submit periodic reports to their boards of directors to improve oversight and compliance with the rule.

The “Privacy Rule” requires car dealerships to notify customers of the dealer’s privacy policies and practices and provide a customer with an opportunity to opt out of disclosures of certain information to non-affiliated third parties. The proposed amendments would clarify that the Privacy Rule only applies to car dealerships and would also clarify when they need to provide annual privacy notices.

The FTC is also proposing to expand the definition of “financial institution” in both rules to expressly include persons who charge a fee to connect customers who are looking for a loan to a lender.

Instructions for filing comments will appear in the published notices. The FTC must receive comments within 60 days after publication. Once processed, the comments will be published on