Gramm-Leach-Bliley: FTC Privacy and Safeguard Changes?


The Federal Trade Commission earlier this month announced that it is seeking comment on proposed changes to the FTC’s Safeguards Rule and Privacy Rule under the Gramm-Leach-Bliley Act (“GLB”).

The proposed amendments to the Safeguards Rule, which went into effect in 2003 and imposes data security obligations on financial institutions over which the Commission has jurisdiction, are based primarily on the cybersecurity regulations issued by the New York Department of Financial Services and the insurance data security model law issued by the National Association of Insurance Commissioners. The proposed changes would add more detailed requirements on how financial institutions must protect customer information.

Notably, the proposed amendments would require covered financial institutions to encrypt all customer data held or transmitted by the institution both in transit over external networks and at rest. The proposed amendments would also require the use of multi-factor authentication for any individual accessing customer information on the institution’s internal networks. Covered financial institutions would need to submit periodic reports to their Boards of Directors.

The Privacy Rule, which went into effect in 2000, requires a financial institution to provide privacy notices to customers and the ability to opt out of having their information shared with certain third parties. The proposed changes primarily would align the Privacy Rule with changes implemented by Congress through the Dodd-Frank Act in 2010 and the FAST Act in 2015, which modified the annual privacy notice requirement under GLB.

The FTC plans to publish separate notices in the Federal Register on the proposed changes soon. The FTC vote to submit the Privacy Rule notice for publication in the Federal Register was 5-0. The Commission vote to submit the Safeguards Rule notice for publication in the Federal Register was 3-2. Commissioners Noah Joshua Phillips and Christine S. Wilson issued a dissenting statement.

Blog courtesy of Hunton Andrews Kurth, a U.S.-based law firm with a Global Privacy and Cybersecurity practice that’s known throughout the world for its deep experience, breadth of knowledge and outstanding client service.