MBA Offers FTC Recommendations on Safeguarding Customer Information

Mike Sorohan msorohan@mba.org

August 01, 2019

In the wake of yet another high-profile data security breach, this time involving Capital One, the Mortgage Bankers Association this week sent a letter to the Federal Trade Commission offering recommendations on a proposed rulemaking on standards for safeguarding customer information.

The proposed rulemaking (https://www.ftc.gov/news-events/press-releases/2019/03/ftc-seeks-comment-proposed-amendments-safeguards-privacy-rules) would amend the Safeguards Rule, which went into effect in 2003. It requires a financial institution to develop, implement and maintain a comprehensive information security program.

Under the Gramm-Leach-Bliley Act, financial institutions are obligated to respect the privacy of their customers and to protect the security and confidentiality of those customers' nonpublic personal information. The Safeguards Rule provided general requirements and guidance for an information security program without imposing rigid, checklist-like descriptions of a program's components. In its proposed rulemaking, the FTC has proposed expanding coverage of the Safeguards Rule and several new additional requirements.

"While the FTC has laudably aimed to maintain the general process-based approach, there are few instances where the FTC's proposed changes should be tailored to ensure financial institutions remain adaptable," wrote MBA Senior Vice President of Residential Policy and Member Engagement Pete Mills. "It is imperative that the FTC maintains its original ‘process-based' approach to ensure businesses retain the flexibility necessary to adapt to rapidly evolving attacks and to adopt developing technologies to protect consumer information."

MBA offered five key recommendations:

The Safeguards Rule should provide a safe harbor for covered entities that adopt a cybersecurity framework.
MBA noted the National Institute of Standards and Technology developed its Cybersecurity Framework as a means to provide guidance to entities on how to protect their computer systems. The Safeguards Rule appropriately has not imposed any particular framework on financial institutions.

MBA said the FTC should consider modifying the Safeguards Rule so that financial institutions that use the NIST CSF would be in de facto compliance with the Rule. "This safe harbor should protect those that adhere to the recognized framework but also make clear that adherence to any other framework or the rule's stated requirements is still in compliance so long as the requirements of the FTC's rule are met," MBA said.

The definition of "financial institution" should remain within the FTC's purview.
When the Privacy Rule was promulgated in 2000, the FTC determined that companies engaged in activities that are "incidental to financial activities" would not be considered "financial institutions." Rather, the FTC felt adding the requirement that entities be "significantly engaged" in financial activity was the appropriate decision.10 This had the practical impact that any decisions made by the Federal Reserve Board to expand the scope of "incidental activities" would not impact the Safeguards Rule and its subject entities.11

The Proposed Rule puts forth the question of whether the FTC should adopt the broader "incidental activities" definition. MBA said unfortunately, this broader definition would produce uncertainty that relies upon decisions made by the Fed for purposes that may be unrelated to privacy and data security. "As authors of the Rule and primary regulator for nonbank financial institutions on this matter, the FTC is best situated to assess new business models and whether they warrant being deemed ‘significantly engaged' with financial activities for coverage under the Safeguards Rule," MBA said, urging the Commission to retain its original definition of "financial institution" as it appears in the FTC's Privacy Rule to ensure any new business models are properly assessed by the appropriate regulator.

The FTC should tailor its Incident Response Plan requirement to account for the diversity of covered entities and adopt the model definition of a "cybersecurity event."
MBA said while well intentioned, the FTC's proposal to require financial institutions to establish incident response plans must be fine-tuned due to the breadth of entities potentially subject to this requirement. The proposed IRP sets a checklist of items that has failed to account for the size and scope of the covered entity. "These goals would be ambitious for a well-equipped institution," MBA said. "However, institutions of smaller sizes may not necessarily be capable of addressing all seven of the proposed goals."

MBA said any proposed IRP should address the nature of the information involved and the breadth of the event that triggered the IRP in the first place. "Failing to do so would have the potential to cripple small businesses under the pressure of repeatedly checking the boxes for potentially harmless events," the letter said.

The letter noted an incident response plan naturally raises the question of what constitutes a "security event." In defining "security event," MBA said the proposal casts an excessively large net that will create long-standing negative effects.

"There are significant concerns revolving around incorporating harmless data with this broad definition," MBA said. "Namely, this would have the potential to skew assessments and audits that must be conducted under the proposed changes. Resources and attention would be diverted to address harmless issues with immaterial consequences, potentially to the detriment of severe issues."

MBA said the FTC should adopt the NAIC Model Law definition of "cybersecurity event" and its accompanying exemption, rather than the overly broad proposed definition of "security event."

The FTC should provide greater clarity to its definition of "encryption."
The FTC adds several provisions to the elements of an information security program. Notably, one of the many risk assessment controls that must be designed and implemented includes data encryption. The proposal requires that entities "protect by encryption all customer information held or transmitted by you both in transit over external networks and at rest." MBA said while the FTC has avoided requiring any particular technology or technique, the proposal raises two issues.

"First, the focus on encryption is misguided," MBA said. "The Proposed Rule requires the encryption of all customer information in transit and at rest. For purposes of safeguarding customer information, data at rest is a point of concern, however the transmission of data that is a key vulnerability."

MBA noted data at rest is protected at multiple levels and said the FTC should define "encryption" to focus on the necessity to protect data in transit.

Second, the proposal's attempt to provide flexibility raises concerns. MBA said though the FTC is seeking to model this requirement after the Health Insurance Portability and Accountability Act Security Rule 23 it creates a different standard for variation.

"Simply because encryption may be feasible, or could be done in practice, does not mean that encryption would be the reasonable route for businesses of varying sizes," MBA said. "The FTC should model their approach to flexibility after HIPAA, and allow entities to secure information by other effective means if encryption is ‘unreasonable.'"

The FTC should provide greater clarity to its definition of "multi-factor authentication."
The FTC proposed an additional access control to require multi-factor authentication. Specifically, the proposal would mandate financial institutions "implement multi-factor authentication for any individual accessing customer information" or "internal networks that contain customer information."

MBA said to properly implement MFA, the FTC should provide more clarity to this requirement and address security necessities as opposed to extraneous access controls. "The FTC should provide greater clarity on MFA by indicating that the control is necessary for access to a single local area network, and not necessarily for each individual database that must be accessed," MBA said. "Similarly, on-site access to internal networks should be clearly differentiated from accessing an entity's local area network via an external network."

Share this article