AFSA Submits Comments on FTC’s Safeguards Rule
On February 7, AFSA responded to the Federal Trade Commission’s (FTC) supplemental rulemaking further amending the Standards for Safeguarding Customer Information (Safeguards Rule). The Safeguards Rule is a provision of the Gramm-Leach-Bliley Act (GLBA), which, among other things, requires financial institutions (FIs) to provide customers with information regarding institutions’ privacy practices and customer opt-out rights. The rule requires FIs to have data security standards (or safeguards) in place to protect customers’ personal information. It has gained significant attention in recent years following widespread data breaches and cyberattacks.
Specifically, the supplemental rulemaking amends the Safeguards Rule by requiring FIs to report to the FTC the misuse (or suspected misuse) of customer information affecting at least 1,000 consumers. AFSA expressed its support for the agency’s efforts to protect customers’ information, but stressed that the rulemaking is duplicative and unnecessary. As outlined in the letter, FIs are already required to notify customers about data breaches under state law. Additionally, AFSA advocated for a carve-out in the reporting requirement for security events involving encrypted data (unless the key is also disclosed), as encrypting the data removes the elements that personally identify an individual.
February 8th, 2022