The Federal Trade Commission (FTC) has finalized its Gramm-Leach-Bliley Safeguards Rule, which requires financial institutions under the FTC’s jurisdiction to develop and implement appropriate physical, technical, and procedural safeguards to protect customer information. The rule becomes effective on May 23.
The rule implements the safeguards provisions of the Gramm-Leach-Bliley Act (GLB Act), which requires the FTC to establish standards for financial institutions relating to customer information.
It requires financial institutions to designate an employee or employees to coordinate its information security program, identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and assess the sufficiency of any safeguards in place to control the risks.
Howard Beales, Director of the FTC’s Bureau of Consumer Protection, told the House Financial Services Committee Thursday the rule will prove to be an “important tool” to ensure greater security for consumers’ financial information.
“The rule could go far towards reducing risks to this information, including identity theft,” Beales told lawmakers.
Beales said the rule is one of a variety of initiatives the agency has launched to combat identity theft, including expanding the FTC’s role in educating consumers, private industry, and law enforcement.
The FTC also has worked with industry and consumer advocates to create a single, standard form consumers can use in absolving identity theft debts with creditors with whom identity thieves had opened accounts.
“From its release in August 2001 through February 2003, the FTC has distributed more than 264,000 print copies of the ID Theft Affidavit. There also have been more than 351,000 hits to the Web version,” Beales said.
In 1998, Congress gave the FTC responsibility to establish and maintain a database of identity theft complaints and to provide victim assistance and consumer education. To implement the mandates, the FTC established a toll-free telephone hotline consumers can call to report identity theft and to obtain information; set up a centralized database, accessible to more than 600 law enforcement organizations nationwide, to aid law enforcement; and engaged in an aggressive public education campaign for consumers and businesses.
Last August the FTC announced a settlement with Microsoft regarding misleading claims about the security of information collected from consumers through its Passport, Passport Wallet, and KidsPassport. An earlier settlement with Eli Lilly Co. also involved alleged misrepresentations regarding the security provided for sensitive consumer health information.
“It is not enough to make promises about protecting personal information, and then just hope that nothing bad happens or, if it does, that nobody finds out,” Beales said. “Fulfilling privacy and security promises requires affirmative steps to ensure that personal information is appropriately protected from identity theft and other risks to consumers’ personal information.”
The FTC also is working with institutions that maintain personal information, including financial institutions, credit issuers, universities, and retailers to identify ways to help keep that information safe from identity theft. As part of that effort, Beales said his agency will soon publish a self-audit guide to make businesses and organizations more aware of how they are managing personal information and to aid them in assessing their security protocols.
“As awareness of the FTC’s role in identity theft has grown, businesses and organizations who have suffered compromises of personal information have begun to contact the FTC for assistance. For example, in the cases of TriWest and Ford/Experian, in which massive numbers of individuals’ personal information was taken, the Commission provided advice on notifying those individuals and on what steps they should take to protect themselves,” Beales said.
