The Federal Trade Commission (“FTC” or “Commission”) is soliciting public comments on its Standards for Safeguarding Customer Information (“Safeguards Rule”) as part of its systematic review of all FTC rules and guides on a 10-year schedule. The Commission promulgated the Safeguards Rule pursuant to the directive in the Gramm-Leach-Bliley Act (“GLBA”) that federal agencies establish standards for financial institutions relating to administrative, technical, and physical safeguards for certain information.
The notice requests comment on a variety of general issues, including the costs and benefits of the Safeguards Rule and what modifications, if any, should be made to the rule. It also requests comment on several specific issues. These include whether information security plans should include a breach response plan or other more specific and prescriptive requirements and whether the rule should incorporate other information security standards or frameworks (such as the NIST Cybersecurity Framework or PCI-DSS).
Finally, the FTC seeks comment on whether the definitions in the Safeguards Rule should be amended to include (1) activities that are “incidental” to financial activities within the scope of the rule; or (2) activities determined to be financial in nature or incidental to financial activities after the enactment of the GLBA in 1999. Comments are due on or before November 7, 2016.