CUNA Regulatory Comment Call


August 9, 2001

FTC’s Proposed Rule on Safeguarding Information

(MAJOR RULE FOR NON-FEDERALLY-INSURED CREDIT UNIONS. OTHER CREDIT UNIONS MAY ALSO BE INTERESTED IN NOTING THE DIFFERENCES BETWEEN THIS RULE AND THE NCUA RULE THAT APPLIES TO FEDERALLY-INSURED CREDIT UNIONS)

EXECUTIVE SUMMARY

Please feel free to fax your responses to CUNA at 202-371-8240; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.com or to Assistant General Counsel Jeffrey Bloch at jbloch@cuna.com; or mail them to Mary or Jeff in c/o CUNA’s Regulatory Advocacy Department, 805 15th Street, NW, Suite 300, Washington, DC 20005. Please contact us if you need more information. You may also contact us if you would like a copy of the proposed rule, or you may access it on the Internet at the following address:
http://www.ftc.gov/os/2001/07/stansafecustinfofrn.htm

BACKGROUND

The Gramm-Leach-Bliley Act (Act) requires the financial institution regulators and certain other agencies, including the FTC, to issue rules regarding privacy and the safeguarding of consumer information. Last year, NCUA issued privacy rules for federally-insured credit unions. These privacy rules require that credit unions disclose their policies and practices with respect to protecting the confidentiality, security, and integrity of nonpublic personal information as part of the initial and annual privacy notices that are sent to members. The FTC has issued similar rules that apply to financial institutions that are not covered by the rules of the other agencies, including non-federally insured credit unions and CUSOs. In connection with this requirement, the privacy provisions of the Act require the agencies to establish appropriate standards relating to the administrative, technical, and physical safeguards for consumer records and information.

NCUA issued a final rule in January 2001 regarding the safeguarding of member information. It also applies to federally-insured credit unions and was effective as of July 1, 2001. The FTC has now issued a proposed rule that will apply to non-federally insured credit unions.

DESCRIPTION OF THE PROPOSED RULE

An information security program must be established and include administrative, technical, and physical safeguards appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of the information. The objectives of the program are to ensure the safety and confidentiality of members’ records, protect against anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to a member.

Here are the requirements regarding the information security program:

The FTC rule differs from and is less detailed than NCUA’s rule. Here are the differences:

QUESTIONS TO CONSIDER REGARDING THE FTC’s PROPOSED RULE ON SAFEGUARDING INFORMATION
(Most of these are issues raised by the FTC)

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com