81 FR 61632 - Standards for Safeguarding Customer Information

FEDERAL TRADE COMMISSION

Federal Register Volume 81, Issue 173 (September 7, 2016)

Page Range: 61632-61636
FR Document: 2016-21231

The Federal Trade Commission (``FTC'' or ``Commission'') requests public comment on its Standards for Safeguarding Customer Information (``Safeguards Rule'' or ``Rule''). The Commission is soliciting comment as part of the FTC's systematic review of all current Commission regulations and guides.

[Federal Register Volume 81, Number 173 (Wednesday, September 7, 2016)]
[Proposed Rules]
[Pages 61632-61636]
[FR Doc No: 2016-21231]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 314

RIN 3084-AB35


Standards for Safeguarding Customer Information

AGENCY: Federal Trade Commission.

ACTION: Request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') 
requests public comment on its Standards for Safeguarding Customer 
Information (``Safeguards Rule'' or ``Rule''). The Commission is 
soliciting comment as part of the FTC's systematic review of all 
current Commission regulations and guides.

DATES: Comments must be received on or before November 7, 2016.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the Instructions for Submitting Comments part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Safeguards Rule, 16 
CFR 314, Project No. P145407,'' on your comment and file your comment 
online at https://ftcpublic.commentworks.com/ftc/safeguardsrulenprm by 
following the instructions on the web-based form. If you prefer to file 
your comment on paper, mail your comment to the following address: 
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania 
Avenue NW., Suite CC-5610 (Annex B), Washington, DC 20580, or deliver 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, 
Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum or Katherine McCarron, 
Division of Privacy and Identity Protection, Bureau of Consumer 
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., 
Washington, DC 20580, (202) 326-2773 or (202) 326-2333.

SUPPLEMENTARY INFORMATION: 

I. Background

    The Gramm-Leach-Bliley Act (``G-L-B Act'' or ``Act'') was enacted 
in 1999 to reform and modernize the banking industry by eliminating 
existing barriers between banking and commerce. The Act permits banks 
to engage in a broad range of activities, including insurance and 
securities brokering, with new affiliated entities. Subtitle A of Title 
V of the Act, captioned ``Disclosure of Nonpublic Personal 
Information,'' limits the instances in which a financial institution 
may disclose nonpublic personal information about a consumer to 
nonaffiliated third parties, and requires a financial institution to 
disclose certain information sharing practices. In 2000, the Commission 
issued a final rule that implemented Subtitle A as it relates to these 
requirements (hereinafter ``Privacy Rule'').
    Subtitle A of Title V also required the Commission and other 
federal agencies to establish standards for financial institutions 
relating to administrative, technical, and physical safeguards for 
certain information. See 15 U.S.C. secs. 6801(b), 6805(b)(2).
    Pursuant to the Act's directive, the Commission promulgated the 
Safeguards Rule in 2002. The Safeguards Rule applies to all ``financial 
institutions'' over which the Commission has jurisdiction. The 
Safeguards Rule uses the definition of ``financial institution'' from 
the Privacy Rule.\1\ The Privacy Rule defines ``financial institution'' 
as ``any institution the business of which is engaging in financial 
activities as described in section 4(k) of the Bank Holding Company Act 
of 1956 (12 U.S.C. 1843(k)). An institution significantly engaged in 
financial activities is a financial institution.'' \2\ The term 
``financial activities'' includes not only a number of traditional 
financial activities specified in 12 U.S.C. 1843(k), but also those 
activities found by the Federal Reserve Board (``the Fed'') to be 
closely related to banking by regulation ``in effect on the date of the 
enactment'' of the G-L-B Act.\3\
---------------------------------------------------------------------------

    \1\ 16 CFR 314.2(a) (terms in the Safeguards Rule have the same 
meanings as set forth in the Commission's Privacy Rule). Under the 
Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L. 
111-203, 124 Stat. 1376 (2010)), the majority of the Commission's 
rulemaking authority for the Privacy Rule was transferred to the 
Consumer Financial Protection Bureau (CFPB), with the exception of 
rulemaking authority pertaining to certain motor vehicle dealers (15 
U.S.C. 6804(a)(1)(C)). Accordingly, the Commission's Privacy Rule 
applies only to certain motor vehicle dealers, while the CFPB's 
Privacy Rule (12 CFR part 1016) applies to all other entities under 
the Commission's jurisdiction as well as other financial 
institutions for which the CFPB has rulemaking authority. The FTC 
continues to enforce the CFPB Privacy Rule with respect to all 
entities within the FTC's jurisdiction. Under the Dodd-Frank Act, 
the Commission retained rulemaking authority for the Safeguards Rule 
(15 U.S.C. 6804(a)(1)(A)). Thus, for purposes of the Safeguards 
Rule, the definition of ``financial institution'' in the 
Commission's Privacy Rule applies to all entities within the 
Commission's jurisdiction. Other agencies also continue to have 
rules or guidelines implementing the G-L-B safeguards requirements 
for entities within their jurisdiction. See 12 CFR part 30, app. B 
(Office of the Comptroller of the Currency); 12 CFR part 208, app. 
D-2 and 12 CFR part 225, app. F (Board of Governors of the Federal 
Reserve System); 12 CFR part 364, app. B (Federal Deposit Insurance 
Corporation); 12 CFR part 748, app. A (National Credit Union 
Administration); 17 CFR 248.30 (Securities and Exchange Commission).
    \2\ 16 CFR 313.3(k)(1) (definition of ``financial institution'' 
in the Privacy Rule).
    \3\ 65 FR 33,646, 33,647 (May 24, 2000) (discussing scope of 
Privacy Rule); see also id. at 33,654-55 (discussing definition of 
``financial institution'').
---------------------------------------------------------------------------

    When promulgating the Privacy Rule, the Commission determined to 
include as ``financial activities'' only those activities that the Fed 
found to be ``financial in nature,'' and not to include those 
activities that the Fed found to be ``incidental'' or ``complementary'' 
to financial activities.\4\ Other agencies included ``incidental'' 
activities when promulgating their rules. In addition, the Commission 
decided that activities that were determined to be financial in nature 
after the enactment of the G-L-B Act would not be automatically 
included in its Privacy Rule; rather, the Commission would have to take 
additional action to include them. The effect of these two decisions 
was to limit the activities covered by the Commission's rules to those 
set out in 12 CFR 225.28 as it existed in 1999. As indicated below, the 
Commission seeks comment on whether the Safeguards Rule should be 
amended to include either (1) ``incidental'' activities, or (2) 
activities determined after 1999 to be financial in nature or 
``incidental'' to financial activities.
---------------------------------------------------------------------------

    \4\ Id. at 33,654.
---------------------------------------------------------------------------

    The Safeguards Rule applies to the handling of ``customer 
information'' by financial institutions. ``Customer information'' is 
defined as ``any record containing nonpublic personal information . . . 
about a customer of a financial institution, whether in paper, 
electronic, or other form'' that is ``handled or maintained by or on 
behalf of'' a financial institution or its affiliates.\5\ The Rule does 
not apply to all consumer information handled by a financial 
institution; it applies only to the information of customers, which are 
consumers that have a continuing relationship with a financial 
institution that provides one or more financial products or services to 
be used primarily for personal, family, or household purposes.\6\ The 
Rule is not limited to protecting a financial institution's own 
customers, but also applies to all customer information in the 
financial institution's possession, including information about the 
customers of other financial institutions.\7\
---------------------------------------------------------------------------

    \5\ 16 CFR 314.2(b). ``Nonpublic personal information'' is 
defined as personally identifiable financial information and any 
list, description, or other grouping of consumers (and publicly 
available information pertaining to them) that is derived using any 
personally identifiable financial information that is not publicly 
available. 16 CFR 313.3(n)(1). The Safeguards Rule uses the 
definition of ``nonpublic personal information'' from the Privacy 
Rule. 16 CFR
    \6\ 16 CFR 313.3(h), (i). The Safeguards Rule uses the 
definitions of ``customer'' and ``customer relationship'' from the 
Privacy Rule. 16 CFR 314.2(a).
    \7\ 16 CFR 314.1(b).
---------------------------------------------------------------------------

    The Safeguards Rule requires financial institutions to develop, 
implement, and maintain a comprehensive information security 
program.\8\ An information security program consists of the 
administrative, technical, or physical safeguards the financial 
institution uses to access, collect, distribute, process, protect, 
store, use, transmit, dispose of, or 
otherwise handle customer information.\9\ The information security 
program must be written in one or more readily accessible parts and 
contain administrative, technical, and physical safeguards.\10\ The 
safeguards must be appropriate to the size and complexity of the 
financial institution, the nature and scope of its activities, and the 
sensitivity of any customer information at issue.\11\ The safeguards 
must also be reasonably designed to insure the security and 
confidentiality of customer information, protect against any 
anticipated threats or hazards to the security or integrity of the 
information, and protect against unauthorized access to or use of such 
information that could result in substantial harm or inconvenience to 
any customer.\12\
---------------------------------------------------------------------------

    \8\ 16 CFR 314.3(a).
    \9\ 16 CFR 314.2(c).
    \10\ 16 CFR 314.3(a).
    \11\ Id.
    \12\ 16 CFR 314.3(a), (b).
---------------------------------------------------------------------------

    In order to develop, implement, and maintain its information 
security program, a financial institution must identify reasonably 
foreseeable internal and external risks to the security, 
confidentiality, and integrity of customer information that could 
result in the unauthorized disclosure, misuse, alteration, destruction, 
or other compromise of such information, including in the areas of: (1) 
Employee training and management; (2) information systems, including 
network and software design, as well as information processing, 
storage, transmission, and disposal; and (3) detecting, preventing, and 
responding to attacks, intrusions, or other systems failures.\13\ The 
financial institution must then design and implement information 
safeguards to control the risks identified through the risk assessment, 
and regularly test or otherwise monitor the effectiveness of the 
safeguards' key controls, systems, and procedures.\14\ The financial 
institution is also required to evaluate and adjust its information 
security program in light of the results of this testing and 
monitoring, as well as any material changes in its operations or 
business arrangements, or any other circumstances that it knows or has 
reason to know may have a material impact on its information security 
program.\15\ The financial institution must also designate an employee 
or employees to coordinate the information security program.\16\
---------------------------------------------------------------------------

    \13\ 16 CFR 314.4(b).
    \14\ 16 CFR 314.4(c).
    \15\ 16 CFR 314.4(e).
    \16\ 16 CFR 314.4(a).
---------------------------------------------------------------------------

    The Safeguards Rule also requires financial institutions to take 
reasonable steps to select and retain service providers that are 
capable of maintaining appropriate safeguards for customer information 
and require those service providers by contract to implement and 
maintain such safeguards.\17\
---------------------------------------------------------------------------

    \17\ 16 CFR 314.4(d).
---------------------------------------------------------------------------

    The Safeguards Rule became effective on May 23, 2003.

II. Regulatory Review of the Safeguards Rule

    The Commission periodically reviews all of its rules and guides. 
These reviews seek information about the costs and benefits of the 
agency's rules and guides, and their regulatory and economic impact. 
The information obtained assists the Commission in identifying those 
rules and guides that warrant modification or rescission. Therefore, 
the Commission solicits comments on, among other things, the economic 
impact and benefits of the Rule; possible conflict between the Rule and 
state, local, or other federal laws or regulations; and the effect on 
the Rule of any technological, economic, or other industry changes.

III. Issues for Comment

    The Commission requests written comment on any or all of the 
following questions. These questions are designed to assist the public 
and should not be construed as a limitation on the issues about which 
public comment may be submitted. The Commission requests that responses 
to its questions be as specific as possible, including a reference to 
the question being answered, and refer to empirical data or other 
evidence upon which the comment is based whenever available and 
appropriate. Please also provide evidence of the prevalence of any 
unfair acts or practices that any proposed modification would address.

A. General Issues

    1. Is there a continuing need for specific provisions of the Rule? 
Why or why not?
    2. What benefits has the Rule provided to consumers? What evidence 
supports the asserted benefits?
    3. What modifications, if any, should be made to the Rule to 
increase its benefits to consumers?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the costs the Rule imposes 
on businesses, including small businesses?
    4. What significant costs, if any, has the Rule imposed on 
consumers? What evidence supports the asserted costs?
    5. What modifications, if any, should be made to the Rule to reduce 
any costs imposed on consumers?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the benefits provided by 
the Rule?
    6. What benefits, if any, has the Rule provided to businesses, 
including small businesses? What evidence supports the asserted 
benefits?
    7. What modifications, if any, should be made to the Rule to 
increase its benefits to businesses, including small businesses?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the costs the Rule imposes 
on businesses, including small businesses?
    c. How would these modifications affect the benefits to consumers?
    8. What significant costs, if any, including costs of compliance, 
has the Rule imposed on businesses, including small businesses? What 
evidence supports the asserted costs?
    9. What modifications, if any, should be made to the Rule to reduce 
the costs imposed on businesses, including small businesses?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the benefits provided by 
the Rule?
    10. What evidence is available concerning the degree of industry 
compliance with the Rule?
    11. What modifications, if any, should be made to the Rule to 
account for changes in relevant technology or economic conditions? What 
evidence supports the proposed modifications?
    12. Does the Rule overlap or conflict with other federal, state, or 
local laws or regulations? If so, how?
    a. What evidence supports the asserted conflicts?
    b. With reference to the asserted conflicts, should the Rule be 
modified? If so, why, and how? If not, why not?

B. Specific Issues

    1. Should the elements of an information security program include a 
response plan in the event of a breach that affects the security, 
integrity, or confidentiality of customer information? Why or why not? 
If so, what should such a plan contain?
    a. What evidence supports such a modification?
    b. How would this modification affect the costs the Rule imposes on 
businesses, including small businesses?
    c. How would this modification affect the benefits to businesses?
    d. How would this modification affect the costs the Rule imposes on 
consumers?
    e. How would this modification affect the benefits to consumers?
    2. Should the Rule be modified to include more specific and 
prescriptive requirements for information security plans? Why or why 
not? If so, what requirements should be included and what sources 
should they be drawn from?
    a. What evidence supports such a modification?
    b. How would this modification affect the costs the Rule imposes on 
businesses, including small businesses?
    c. How would this modification affect the benefits to businesses?
    d. How would this modification affect the costs the Rule imposes on 
consumers?
    e. How would this modification affect the benefits to consumers?
    3. Should the Rule be modified to reference or incorporate any 
other information security standards or frameworks, such as the 
National Institute of Standards and Technology's Cybersecurity 
Framework or the Payment Card Industry Data Security Standards? If so, 
which standards should be incorporated or referenced and how should 
they be referenced or incorporated by the Rule?
    a. What evidence supports such a modification?
    b. How would this modification affect the costs the Rule imposes on 
businesses, including small businesses?
    c. How would this modification affect the benefits to businesses?
    d. How would this modification affect the costs the Rule imposes on 
consumers?
    e. How would this modification affect the benefits to consumers?
    4. For the purpose of clarity, should the Rule be modified to 
include its own definitions of terms, such as ``financial 
institution'', rather than incorporating the definitions found in the 
Privacy Rule?
    a. What evidence supports such a modification?
    b. How would this modification affect the costs the Rule imposes on 
businesses, including small businesses?
    c. How would this modification affect the benefits to businesses?
    d. How would this modification affect the costs the Rule imposes on 
consumers?
    e. How would this modification affect the benefits to consumers?
    5. The current Safeguards Rule incorporates the Privacy Rule's 
definition of ``financial institutions'' as entities that are 
significantly engaged in financial activities, including activities 
found to be closely related to banking by regulation or order in effect 
at the time of enactment of the G-L-B Act. Should the Safeguards Rule's 
definition of ``financial institution'' be modified to also include 
entities that are significantly engaged in activities that the Federal 
Reserve Board has found to be incidental to financial activities? 
Should it also include activities that have been found to be closely 
related to banking or incidental to financial activities by regulation 
or order in effect after the enactment of the G-L-B Act? \18\ If so, 
should all such activities be included in the modified definition? What 
evidence supports such a modification?
---------------------------------------------------------------------------

    \18\ See 65 FR 80,735 (Dec. 22, 2000) (determining the activity 
of ``finding'' to be an activity incidental to financial activity).
---------------------------------------------------------------------------

    a. How would this modification affect the costs the Rule imposes on 
businesses, including small businesses?
    b. How would this modification affect the benefits to businesses?
    c. How would this modification affect the costs the Rule imposes on 
consumers?
    d. How would this modification affect the benefits to consumers?

IV. Instructions for Submitting Comments

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before November 7, 
2016. Write ``Safeguards Rule, 16 CFR 314, Matter No. P145407'' on the 
comment. Your comment, including your name and your state, will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site. Because your 
comment will be made public, you are solely responsible for making sure 
that your comment does not include any sensitive personal information, 
such as a Social Security number, date of birth, driver's license 
number or other state identification number or foreign country 
equivalent, passport number, financial account number, or payment card 
number. You are also solely responsible for making sure that your 
comment does not include any sensitive health information, such as 
medical records or other individually identifiable health information.
    In addition, do not include any ``[t]rade secret or any commercial 
or financial information which is . . . privileged or confidential,'' 
as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC 
Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include 
competitively sensitive information such as costs, sales statistics, 
inventories, formulas, patterns, devices, manufacturing processes, or 
customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you must follow the procedure explained in 
FTC Rule 4.9(c), 16 CFR 4.9(c). In particular, the written request for 
confidential treatment that accompanies the comment must include the 
factual and legal basis for the request, and must identify the specific 
portions of the comments to be withheld from the public record. Your 
comment will be kept confidential only if the FTC General Counsel 
grants your request in accordance with the law and the public interest.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comment online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/safeguardsrulenprm by following the instructions on the web-based 
form. If this document appears at http://www.regulations.gov/#!home, 
you also may file a comment through that Web site.
    If you file your comment on paper, write ``Safeguards Rule, 16 CFR 
314, Matter No. P145407'' on your comment and on the envelope, and mail 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW., 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024.
    Visit the Commission Web site at http://www.ftc.gov to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before November 7, 2016. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see http://www.ftc.gov/ftc/privacy.htm.


    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2016-21231 Filed 9-6-16; 8:45 am]
 BILLING CODE 6750-01-P



                                               identity has not been previously                          should make a final determination in                  Michael E. Horowitz,
                                               verified, the appropriate system                          writing not later than 30 days from the               Chairperson of the Council of the Inspectors
                                               manager may require identification                        date the appeal was received. The 30-                 General on Integrity and Efficiency.
                                               validation as described in § 9801.201.                    day period may be extended for good                   [FR Doc. 2016–21473 Filed 9–6–16; 8:45 am]
                                                                                                         cause. Notice of the extension and the                BILLING CODE 6820–C9–P
                                               § 9801.302       Response to requests.                    reasons therefor will be sent to the
                                                  (a) Time limit for acknowledging a                     requester within the 30-day period.
                                               request for amendment. To the extent                         (b) Amendment granted. If the
                                               possible, CIGIE will acknowledge                                                                                FEDERAL TRADE COMMISSION
                                                                                                         Chairperson determines that the
                                               receipt of a request to amend a record                    record(s) should be amended in                        16 CFR Part 314
                                               or records within 10 working days.                        accordance with the requester’s request,
                                                  (b) Determination on an amendment                      the Chairperson will take the necessary               RIN 3084–AB35
                                               request. The decision of CIGIE in                         steps to advise the requester and to
                                               response to a request for amendment of                                                                          Standards for Safeguarding Customer
                                                                                                         direct the appropriate system manager:                Information
                                               a record in a system of records may                          (1) To amend the record(s); and
                                               grant in whole or deny any part of the                       (2) To notify previous recipients of               AGENCY:    Federal Trade Commission.
                                               request to amend the record.                              the record(s) for which there is an                   ACTION:   Request for public comment.
                                                  (1) If CIGIE grants the request, the                   accounting of disclosure that the
                                               appropriate system manager will amend                     record(s) have been amended.                          SUMMARY:    The Federal Trade
                                               the record(s) and provide a copy of the                                                                         Commission (‘‘FTC’’ or ‘‘Commission’’)
ehiers on DSK5VPTVN1PROD with PROPOSALS




                                                                                                            (c) Denial affirmed. If the appeal
                                               amended record(s) to the requester. To                    decision does not grant in full the                   requests public comment on its
                                               the extent an accounting of disclosure                    request for amendment, the decision                   Standards for Safeguarding Customer
                                               has been maintained, the system                           letter will notify the requester that the             Information (‘‘Safeguards Rule’’ or
                                               manager shall advise all previous                         requester may:                                        ‘‘Rule’’). The Commission is soliciting
                                               recipients of the record that an                             (1) Obtain judicial review of the                  comment as part of the FTC’s systematic
                                               amendment has been made and give the                      decision in accordance with the terms of              review of all current Commission
                                               substance of the amendment. Where                         the Privacy Act at 5 U.S.C. 552a(g); and              regulations and guides.




                                                                  Federal Register / Vol. 81, No. 173 / Wednesday, September 7, 2016 / Proposed Rules                                                    61633

DATES: Comments must be received on or before November 7, 2016.

ADDRESSES: Interested parties may file a comment online or on paper by
following the Instructions for Submitting Comments part of the
SUPPLEMENTARY INFORMATION section below. Write ‘‘Safeguards Rule, 16
CFR 314, Project No. P145407,’’ on your comment and file your comment
online at https://ftcpublic.commentworks.com/ftc/safeguardsrulenprm by
following the instructions on the web-based form. If you prefer to file
your comment on paper, mail your comment to the following address:
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania
Avenue NW., Suite CC–5610 (Annex B), Washington, DC 20580, or deliver
your comment to the following address: Federal Trade Commission, Office
of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor,
Suite 5610 (Annex B), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: David Lincicum or Katherine McCarron,
Division of Privacy and Identity Protection, Bureau of Consumer
Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW.,
Washington, DC 20580, (202) 326–2773 or (202) 326–2333.

SUPPLEMENTARY INFORMATION:

I. Background

The Gramm-Leach-Bliley Act (‘‘G-L-B Act’’ or ‘‘Act’’) was enacted in
1999 to reform and modernize the banking industry by eliminating
existing barriers between banking and commerce. The Act permits banks
to engage in a broad range of activities, including insurance and
securities brokering, with new affiliated entities. Subtitle A of Title
V of the Act, captioned ‘‘Disclosure of Nonpublic Personal
Information,’’ limits the instances in which a financial institution
may disclose nonpublic personal information about a consumer to
nonaffiliated third parties, and requires a financial institution to
disclose certain information sharing practices. In 2000, the Commission
issued a final rule that implemented Subtitle A as it relates to these
requirements (hereinafter ‘‘Privacy Rule’’).

Subtitle A of Title V also required the Commission and other federal
agencies to establish standards for financial institutions relating to
administrative, technical, and physical safeguards for certain
information. See 15 U.S.C. secs. 6801(b), 6805(b)(2).

Pursuant to the Act’s directive, the Commission promulgated the
Safeguards Rule in 2002. The Safeguards Rule applies to all ‘‘financial
institutions’’ over which the Commission has jurisdiction. The
Safeguards Rule uses the definition of ‘‘financial institution’’ from
the Privacy Rule.[1] The Privacy Rule defines ‘‘financial institution’’
as ‘‘any institution the business of which is engaging in financial
activities as described in section 4(k) of the Bank Holding Company Act
of 1956 (12 U.S.C. 1843(k)). An institution significantly engaged in
financial activities is a financial institution.’’[2] The term
‘‘financial activities’’ includes not only a number of traditional
financial activities specified in 12 U.S.C. 1843(k), but also those
activities found by the Federal Reserve Board (‘‘the Fed’’) to be
closely related to banking by regulation ‘‘in effect on the date of the
enactment’’ of the G-L-B Act.[3]

When promulgating the Privacy Rule, the Commission determined to
include as ‘‘financial activities’’ only those activities that the Fed
found to be ‘‘financial in nature,’’ and not to include those
activities that the Fed found to be ‘‘incidental’’ or
‘‘complementary’’ to financial activities.[4] Other agencies included
‘‘incidental’’ activities when promulgating their rules. In addition,
the Commission decided that activities that were determined to be
financial in nature after the enactment of the G-L-B Act would not be
automatically included in its Privacy Rule; rather, the Commission
would have to take additional action to include them. The effect of
these two decisions was to limit the activities covered by the
Commission’s rules to those set out in 12 CFR 225.28 as it existed in
1999. As indicated below, the Commission seeks comment on whether the
Safeguards Rule should be amended to include either (1) ‘‘incidental’’
activities, or (2) activities determined after 1999 to be financial in
nature or ‘‘incidental’’ to financial activities.

The Safeguards Rule applies to the handling of ‘‘customer
information’’ by financial institutions. ‘‘Customer information’’ is
defined as ‘‘any record containing nonpublic personal information . . .
about a customer of a financial institution, whether in paper,
electronic, or other form’’ that is ‘‘handled or maintained by or on
behalf of’’ a financial institution or its affiliates.[5] The Rule does
not apply to all consumer information handled by a financial
institution; it applies only to the information of customers, which are
consumers that have a continuing relationship with a financial
institution that provides one or more financial products or services to
be used primarily for personal, family, or household purposes.[6] The
Rule is not limited to protecting a financial institution’s own
customers, but also applies to all customer information in the
financial institution’s possession, including information about the
customers of other financial institutions.[7]

The Safeguards Rule requires financial institutions to develop,
implement, and maintain a comprehensive information security
program.[8] An information security program consists of the
administrative, technical, or physical safeguards the financial
institution uses to access, collect, distribute, process, protect,
store, use, transmit, dispose of, or

[1] 16 CFR 314.2(a) (terms in the Safeguards Rule have the same
meanings as set forth in the Commission’s Privacy Rule). Under the
Dodd-Frank Wall Street Reform and Consumer Protection Act (Pub. L.
111–203, 124 Stat. 1376 (2010)), the majority of the Commission’s
rulemaking authority for the Privacy Rule was transferred to the
Consumer Financial Protection Bureau (CFPB), with the exception of
rulemaking authority pertaining to certain motor vehicle dealers (15
U.S.C. 6804(a)(1)(C)). Accordingly, the Commission’s Privacy Rule
applies only to certain motor vehicle dealers, while the CFPB’s Privacy
Rule (12 CFR part 1016) applies to all other entities under the
Commission’s jurisdiction as well as other financial institutions for
which the CFPB has rulemaking authority. The FTC continues to enforce
the CFPB Privacy Rule with respect to all entities within the FTC’s
jurisdiction. Under the Dodd-Frank Act, the Commission retained
rulemaking authority for the Safeguards Rule (15 U.S.C. 6804(a)(1)(A)).
Thus, for purposes of the Safeguards Rule, the definition of
‘‘financial institution’’ in the Commission’s Privacy Rule applies to
all entities within the Commission’s jurisdiction. Other agencies also
continue to have rules or guidelines implementing the G-L-B safeguards
requirements for entities within their jurisdiction. See 12 CFR part
30, app. B (Office of the Comptroller of the Currency); 12 CFR part
208, app. D–2 and 12 CFR part 225, app. F (Board of Governors of the
Federal Reserve System); 12 CFR part 364, app. B (Federal Deposit
Insurance Corporation); 12 CFR part 748, app. A (National Credit Union
Administration); 17 CFR 248.30 (Securities and Exchange Commission).

[2] 16 CFR 313.3(k)(1) (definition of ‘‘financial institution’’ in the
Privacy Rule).

[3] 65 FR 33,646, 33,647 (May 24, 2000) (discussing scope of Privacy
Rule); see also id. at 33,654–55 (discussing definition of ‘‘financial
institution’’).

[4] Id. at 33,654.

[5] 16 CFR 314.2(b). ‘‘Nonpublic personal information’’ is defined as
personally identifiable financial information and any list,
description, or other grouping of consumers (and publicly available
information pertaining to them) that is derived using any personally
identifiable financial information that is not publicly available. 16
CFR 313.3(n)(1). The Safeguards Rule uses the definition of
‘‘nonpublic personal information’’ from the Privacy Rule. 16 CFR

[6] 16 CFR 313.3(h), (i). The Safeguards Rule uses the definitions of
‘‘customer’’ and ‘‘customer relationship’’ from the Privacy Rule. 16
CFR 314.2(a).

[7] 16 CFR 314.1(b).

[8] 16 CFR 314.3(a).





otherwise handle customer information.[9] The information security
program must be written in one or more readily accessible parts and
contain administrative, technical, and physical safeguards.[10] The
safeguards must be appropriate to the size and complexity of the
financial institution, the nature and scope of its activities, and the
sensitivity of any customer information at issue.[11] The safeguards
must also be reasonably designed to insure the security and
confidentiality of customer information, protect against any
anticipated threats or hazards to the security or integrity of the
information, and protect against unauthorized access to or use of such
information that could result in substantial harm or inconvenience to
any customer.[12]

In order to develop, implement, and maintain its information security
program, a financial institution must identify reasonably foreseeable
internal and external risks to the security, confidentiality, and
integrity of customer information that could result in the unauthorized
disclosure, misuse, alteration, destruction, or other compromise of
such information, including in the areas of: (1) Employee training and
management; (2) information systems, including network and software
design, as well as information processing, storage, transmission, and
disposal; and (3) detecting, preventing, and responding to attacks,
intrusions, or other systems failures.[13] The financial institution
must then design and implement information safeguards to control the
risks identified through the risk assessment, and regularly test or
otherwise monitor the effectiveness of the safeguards’ key controls,
systems, and procedures.[14] The financial institution is also required
to evaluate and adjust its information security program in light of the
results

steps to select and retain service providers that are capable of
maintaining appropriate safeguards for customer information and require
those service providers by contract to implement and maintain such
safeguards.[17]

The Safeguards Rule became effective on May 23, 2003.

II. Regulatory Review of the Safeguards Rule

The Commission periodically reviews all of its rules and guides. These
reviews seek information about the costs and benefits of the agency’s
rules and guides, and their regulatory and economic impact. The
information obtained assists the Commission in identifying those rules
and guides that warrant modification or rescission. Therefore, the
Commission solicits comments on, among other things, the economic
impact and benefits of the Rule; possible conflict between the Rule and
state, local, or other federal laws or regulations; and the effect on
the Rule of any technological, economic, or other industry changes.

III. Issues for Comment

The Commission requests written comment on any or all of the following
questions. These questions are designed to assist the public and should
not be construed as a limitation on the issues about which public
comment may be submitted. The Commission requests that responses to its
questions be as specific as possible, including a reference to the
question being answered, and refer to empirical data or other evidence
upon which the comment is based whenever available and appropriate.
Please also provide evidence of the prevalence of any unfair acts or
practices that any proposed modification would address.

5. What modifications, if any, should be made to the Rule to reduce any
costs imposed on consumers?
   a. What evidence supports the proposed modifications?
   b. How would these modifications affect the benefits provided by the
      Rule?
6. What benefits, if any, has the Rule provided to businesses,
including small businesses? What evidence supports the asserted
benefits?
7. What modifications, if any, should be made to the Rule to increase
its benefits to businesses, including small businesses?
   a. What evidence supports the proposed modifications?
   b. How would these modifications affect the costs the Rule imposes
      on businesses, including small businesses?
   c. How would these modifications affect the benefits to consumers?
8. What significant costs, if any, including costs of compliance, has
the Rule imposed on businesses, including small businesses? What
evidence supports the asserted costs?
9. What modifications, if any, should be made to the Rule to reduce the
costs imposed on businesses, including small businesses?
   a. What evidence supports the proposed modifications?
   b. How would these modifications affect the benefits provided by the
      Rule?
10. What evidence is available concerning the degree of industry
compliance with the Rule?
11. What modifications, if any, should be made to the Rule to account
for changes in relevant technology or economic conditions? What
evidence supports the proposed modifications?
12. Does the Rule overlap or conflict with other federal, state, or
local laws or regulations? If so, how?
   a. What evidence supports the asserted conflicts?
   b. With reference to the asserted
                                               of this testing and monitoring, as well                 A. General Issues                                      conflicts, should the Rule be modified?
                                               as any material changes in its operations                                                                      If so, why, and how? If not, why not?
                                                                                                          1. Is there a continuing need for
                                               or business arrangements, or any other                                                                         B. Specific Issues
                                                                                                       specific provisions of the Rule? Why or
                                               circumstances that it knows or has
                                                                                                       why not?                                                 1. Should the elements of an
                                               reason to know may have a material                         2. What benefits has the Rule                       information security program include a
                                               impact on its information security                      provided to consumers? What evidence                   response plan in the event of a breach
                                               program.15 The financial institution                    supports the asserted benefits?                        that affects the security, integrity, or
                                               must also designate an employee or                         3. What modifications, if any, should               confidentiality of customer information?
                                               employees to coordinate the information                 be made to the Rule to increase its                    Why or why not? If so, what should
                                               security program.16                                     benefits to consumers?                                 such a plan contain?
                                                  The Safeguards Rule also requires                       a. What evidence supports the                         a. What evidence supports such a
                                               financial institutions to take reasonable               proposed modifications?                                modification?
ehiers on DSK5VPTVN1PROD with PROPOSALS




                                                 9 16
                                                                                                          b. How would these modifications                      b. How would this modification affect
                                                      CFR 314.2(c).
                                                 10 16
                                                                                                       affect the costs the Rule imposes on                   the costs the Rule imposes on
                                                        CFR 314.3(a).
                                                 11 Id.                                                businesses, including small businesses?                businesses, including small businesses?
                                                 12 16 CFR 314.3(a), (b).                                 4. What significant costs, if any, has                c. How would this modification affect
                                                 13 16 CFR 314.4(b).                                   the Rule imposed on consumers? What                    the benefits to businesses?
                                                 14 16 CFR 314.4(c).                                   evidence supports the asserted costs?                    d. How would this modification affect
                                                 15 16 CFR 314.4(e).                                                                                          the costs the Rule imposes on
                                                 16 16 CFR 314.4(a).                                     17 16   CFR 314.4(d).                                consumers?


                                          VerDate Sep<11>2014   15:04 Sep 06, 2016   Jkt 238001   PO 00000   Frm 00007    Fmt 4702   Sfmt 4702   E:\FR\FM\07SEP1.SGM   07SEP1


                                                                  Federal Register / Vol. 81, No. 173 / Wednesday, September 7, 2016 / Proposed Rules                                               61635

e. How would this modification affect the benefits to consumers?

2. Should the Rule be modified to include more specific and
prescriptive requirements for information security plans? Why or why
not? If so, what requirements should be included and what sources
should they be drawn from?

a. What evidence supports such a modification?

b. How would this modification affect the costs the Rule imposes on
businesses, including small businesses?

c. How would this modification affect the benefits to businesses?

d. How would this modification affect the costs the Rule imposes on
consumers?

e. How would this modification affect the benefits to consumers?

3. Should the Rule be modified to reference or incorporate any other
information security standards or frameworks, such as the National
Institute of Standards and Technology's Cybersecurity Framework or the
Payment Card Industry Data Security Standards? If so, which standards
should be incorporated or referenced and how should they be referenced
or incorporated by the Rule?

a. What evidence supports such a modification?

b. How would this modification affect the costs the Rule imposes on
businesses, including small businesses?

c. How would this modification affect the benefits to businesses?

d. How would this modification affect the costs the Rule imposes on
consumers?

e. How would this modification affect the benefits to consumers?

4. For the purpose of clarity, should the Rule be modified to include
its own definitions of terms, such as ``financial institution'', rather
than incorporating the definitions found in the Privacy Rule?

a. What evidence supports such a modification?

b. How would this modification affect the costs the Rule imposes on
businesses, including small businesses?

c. How would this modification affect the benefits to businesses?

d. How would this modification affect the costs the Rule imposes on
consumers?

e. How would this modification affect the benefits to consumers?

5. The current Safeguards Rule incorporates the Privacy Rule's
definition of ``financial institutions'' as entities that are
significantly engaged in financial activities, including activities
found to be closely related to banking by regulation or order in effect
at the time of enactment of the G-L-B Act. Should the Safeguards Rule's
definition of ``financial institution'' be modified to also include
entities that are significantly engaged in activities that the Federal
Reserve Board has found to be incidental to financial activities?
Should it also include activities that have been found to be closely
related to banking or incidental to financial activities by regulation
or order in effect after the enactment of the G-L-B Act?\18\ If so,
should all such activities be included in the modified definition? What
evidence supports such a modification?

a. How would this modification affect the costs the Rule imposes on
businesses, including small businesses?

b. How would this modification affect the benefits to businesses?

c. How would this modification affect the costs the Rule imposes on
consumers?

d. How would this modification affect the benefits to consumers?

IV. Instructions for Submitting Comments

You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before November 7,
2016. Write ``Safeguards Rule, 16 CFR 314, Matter No. P145407'' on the
comment. Your comment, including your name and your state, will be
placed on the public record of this proceeding, including, to the
extent practicable, on the public Commission Web site, at
https://www.ftc.gov/policy/public-comments. As a matter of discretion,
the Commission tries to remove individuals' home contact information
from comments before placing them on the Commission Web site. Because
your comment will be made public, you are solely responsible for making
sure that your comment does not include any sensitive personal
information, such as a Social Security number, date of birth, driver's
license number or other state identification number or foreign country
equivalent, passport number, financial account number, or payment card
number. You are also solely responsible for making sure that your
comment does not include any sensitive health information, such as
medical records or other individually identifiable health information.

In addition, do not include any ``[t]rade secret or any commercial or
financial information which is . . . privileged or confidential,'' as
discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule
4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include
competitively sensitive information such as costs, sales statistics,
inventories, formulas, patterns, devices, manufacturing processes, or
customer names.

If you want the Commission to give your comment confidential treatment,
you must file it in paper form, with a request for confidential
treatment, and you must follow the procedure explained in FTC Rule
4.9(c), 16 CFR 4.9(c). In particular, the written request for
confidential treatment that accompanies the comment must include the
factual and legal basis for the request, and must identify the specific
portions of the comments to be withheld from the public record. Your
comment will be kept confidential only if the FTC General Counsel
grants your request in accordance with the law and the public interest.

Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comment online. To make sure that the Commission considers your
online comment, you must file it at
https://ftcpublic.commentworks.com/ftc/safeguardsrulenprm by following
the instructions on the web-based form. If this document appears at
http://www.regulations.gov/#!home, you also may file a comment through
that Web site.

If you file your comment on paper, write ``Safeguards Rule, 16 CFR 314,
Matter No. P145407'' on your comment and on the envelope, and mail your
comment to the following address: Federal Trade Commission, Office of
the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex B),
Washington, DC 20580, or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW., 5th Floor, Suite 5610 (Annex B), Washington, DC
20024.

Visit the Commission Web site at http://www.ftc.gov to read this
document and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before November 7, 2016. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see http://www.ftc.gov/ftc/privacy.htm.

---------------------------------------------------------------------------

\18\ See 65 FR 80,735 (Dec. 22, 2000) (determining the activity of
``finding'' to be an activity incidental to financial activity).

---------------------------------------------------------------------------

[[Page 61636]]

By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2016–21231 Filed 9–6–16; 8:45 am]
BILLING CODE 6750–01–P

=======================================================================

DEPARTMENT OF JUSTICE

Drug Enforcement Administration

21 CFR Part 1308

[Docket No. DEA–440]

Schedules of Controlled Substances: Temporary Placement of U–47700 Into
Schedule I

AGENCY: Drug Enforcement Administration, Department of Justice.

ACTION: Notice of intent.

SUMMARY: The Administrator of the Drug Enforcement Administration is
issuing this notice of intent to temporarily schedule the synthetic
opioid, 3,4-dichloro-N-[2-(dimethylamino)cyclohexyl]-N-methylbenzamide
(also known as U–47700), into schedule I pursuant to the temporary
scheduling provisions of the Controlled Substances Act. This action is
based on a finding by the Administrator that the placement of this
synthetic opioid into schedule I of the Controlled Substances Act is
necessary to avoid an imminent hazard to the public safety. Any final
order will impose the administrative, civil, and criminal sanctions and
regulatory

Substances Import and Export Act,'' respectively, and are collectively
referred to as the ``Controlled Substances Act'' or the ``CSA'' for the
purpose of this action. The DEA publishes the implementing regulations
for these statutes in title 21 of the Code of Federal Regulations
(CFR), chapter II. The CSA and its implementing regulations are
designed to prevent, detect, and eliminate the diversion of controlled
substances and listed chemicals into the illicit market while providing
for the legitimate medical, scientific, research, and industrial needs
of the United States. Controlled substances have the potential for
abuse and dependence and are controlled to protect the public health
and safety.

Under the CSA, each controlled substance is classified into one of five
schedules based upon its potential for abuse, its currently accepted
medical use in treatment in the United States, and the degree of
dependence the drug or other substance may cause. 21 U.S.C. 812. The
initial schedules of controlled substances established by Congress are
found at 21 U.S.C. 812(c), and the current list of all scheduled
substances is published at 21 CFR part 1308.

Section 201 of the CSA, 21 U.S.C. 811, provides the Attorney General
with the authority to temporarily place a substance into schedule I of
the CSA for two years without regard to the requirements of 21 U.S.C.
811(b) if she finds that such action is necessary to avoid imminent
hazard to the public

schedule I of the CSA.\1\ The Administrator transmitted notice of his
intent to place U–47700 in schedule I on a temporary basis to the
Assistant Secretary by letter dated April 18, 2016. The Assistant
Secretary responded to this notice by letter dated April 28, 2016, and
advised that based on review by the Food and Drug Administration (FDA),
there are currently no investigational new drug applications or
approved new drug applications for U–47700. The Assistant Secretary
also stated that the HHS has no objection to the temporary placement of
U–47700 into schedule I of the CSA. U–47700 is not currently listed in
any schedule under the CSA, and no exemptions or approvals are in
effect for U–47700 under section 505 of the FDCA, 21 U.S.C. 355. The
DEA has found that the control of U–47700 in schedule I on a temporary
basis is necessary to avoid an imminent hazard to public safety.

To find that placing a substance temporarily into schedule I of the CSA
is necessary to avoid an imminent hazard to the public safety, the
Administrator is required to consider three of the eight factors set
forth in section 201(c) of the CSA, 21 U.S.C. 811(c): The substance's
history and current pattern of abuse; the scope, duration and
significance of abuse; and what, if any, risk there is to the public
health. 21 U.S.C. 811(h)(3). Consideration of these factors includes
actual abuse, diversion from legitimate channels, and clandestine
importation, manufacture, or distribution. 21 U.S.C.
                                               controls applicable to schedule I                                                                             811(h)(3).
                                                                                                       safety. 21 U.S.C. 811(h)(1). In addition,                A substance meeting the statutory
                                               controlled substances under the                         if proceedings to control a substance are
                                               Controlled Substances Act on the                                                                              requirements for temporary scheduling
                                                                                                       initiated under 21 U.S.C. 811(a)(1), the              may only be placed in schedule I. 21
                                               manufacture, distribution, possession,                  Attorney General may extend the
                                               importation, exportation, research, and                                                                       U.S.C. 811(h)(1). Substances in schedule
                                                                                                       temporary scheduling for up to one                    I are those that have a high potential for
                                               conduct of, instructional activities of                 year. 21 U.S.C. 811(h)(2).
                                               this synthetic opioid.                                                                                        abuse, no currently accepted medical
                                                                                                          Where the necessary findings are                   use in treatment in the United States,
                                               DATES: September 7, 2016.
                                                                                                       made, a substance may be temporarily                  and a lack of accepted safety for use
                                               FOR FURTHER INFORMATION CONTACT:                                                                              under medical supervision. 21 U.S.C.
                                                                                                       scheduled if it is not listed in any other
                                               Michael J. Lewis, Office of Diversion                   schedule under section 202 of the CSA,                812(b)(1).
                                               Control, Drug Enforcement                               21 U.S.C. 812, or if there is no
                                               Administration; Mailing Address: 8701                                                                         U–47700
                                                                                                       exemption or approval in effect for the
                                               Morrissette Drive, Springfield, Virginia                substance under section 505 of the                       The substance U–47700 was first
                                               22152; Telephone: (202) 598–6812.                       Federal Food, Drug, and Cosmetic Act                  described in 1978 in the patent
                                               SUPPLEMENTARY INFORMATION: Any final                    (FDCA), 21 U.S.C. 355. 21 U.S.C.                      literature. Publications in the scientific
                                               order will be published in the Federal                  811(h)(1). The Attorney General has                   literature in the early 1980’s found that
                                               Register and may not be effective prior                 delegated scheduling authority under 21               U–47700 behaved similarly to morphine
                                               to October 7, 2016.                                     U.S.C. 811 to the Administrator of the                in animal models. No approved medical
                                               Legal Authority                                         DEA. 28 CFR 0.100.                                      1 As discussed in a memorandum of

                                                 The Drug Enforcement                                  Background                                            understanding entered into by the Food and Drug
ehiers on DSK5VPTVN1PROD with PROPOSALS




                                                                                                                                                             Administration (FDA) and the National Institute on
                                               Administration (DEA) implements and                                                                           Drug Abuse (NIDA), the FDA acts as the lead agency
                                               enforces titles II and III of the                         Section 201(h)(4) of the CSA, 21
                                                                                                                                                             within the HHS in carrying out the Secretary’s
                                               Comprehensive Drug Abuse Prevention                     U.S.C. 811(h)(4), requires the                        scheduling responsibilities under the CSA, with the
                                               and Control Act of 1970, as amended. 21                 Administrator to notify the Secretary of              concurrence of NIDA. 50 FR 9518, Mar. 8, 1985.
                                                                                                       the Department of Health and Human                    The Secretary of the HHS has delegated to the
                                               U.S.C. 801–971. Titles II and III are                                                                         Assistant Secretary for Health of the HHS the
                                               referred to as the ‘‘Controlled                         Services (HHS) of his intention to                    authority to make domestic drug scheduling
                                               Substances Act’’ and the ‘‘Controlled                   temporarily place a substance into                    recommendations. 58 FR 35460, July 1, 1993.






Document Created: 2016-09-07 11:50:07
Document Modified: 2016-09-07 11:50:07
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:
GS 4.107:
AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Proposed Rules
Action: Request for public comment.
Dates: Comments must be received on or before November 7, 2016.
Contact: David Lincicum or Katherine McCarron, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580, (202) 326-2773 or (202) 326-2333.
FR Citation: 81 FR 61632
RIN Number: 3084-AB35
