The U.S. Federal Trade Commission (FTC) is considering a new set of security rules that could affect the information security practices at a swath of businesses. And although the FTC says the hallmark of the rules will be flexibility, industry analysts say it will still give IT managers something to worry about.
The FTC this week began seeking comment from businesses and trade groups concerning its so-called Safeguards Rule aimed at ensuring adequate protection of customer information, including records that are handled electronically. The information security component of the rule is part of privacy requirements set by the Gramm-Leach-Bliley financial modernization law in 1999.
The impact on businesses is potentially broad: Gramm-Leach-Bliley is targeted at banks, brokerages and insurance firms, but it also covers a large number of companies not traditionally thought of as financial services, such as legal offices that handle customer financial records, companies that extend credit and any data processing services involving financial data.
That means a lot of companies could be required to undertake new assessments of the measures they now use to safeguard data security.
Among the IT issues on which the FTC is now seeking comment:
Should financial institutions be required to reassess the threats or hazards to their information security systems, and, if so, at what intervals?
When assessing threats and hazards, should a financial institution be required to classify the value and sensitivity of the records to be protected and/or the gravity of the threats? Under what circumstances, if any, should financial institutions be required to conduct these assessments in writing?
Should the rule require that the effectiveness of existing safeguards be evaluated through appropriate tests?
The proposal offers "a lot of flexibility," said Laura Berger, an FTC attorney in its division of financial practices. "We took a lot of care not to undermine people's flexibility by putting in specific objectives."
The questions under consideration aren't all that different from ones already reviewed by banking regulators such as the Federal Reserve and Comptroller of the Currency. Earlier this year, those agencies issued a set of information security requirements under Gramm-Leach-Bliley as "guidelines," which recommend that those institutions consider practices such as penetration testing and encryption.
The FTC will focus its attention on businesses not already regulated by other government entities, said analysts.
"The FTC has sort of the last jurisdictional bite," said Gary Clayton, CEO of Privacy Council Inc., a consulting firm in Richardson, Texas. "If you are not regulated by the other agencies, it falls to the FTC."
The FTC can bring action against companies that fail to protect their data or customer privacy under Gramm-Leach-Bliley, said Clayton. But customers and states can also sue companies under deceptive trade practices laws if they have privacy policies that pledge customer privacy and security and then suffer a breach, he said.
Dennis Behrman, an analyst at Meridien Research Inc. in Newton, Massachusetts, said the expectation, based on the action of regulators so far, is that the FTC won't issue guidelines requiring use of specific technologies. But it may call for specific business practices, such as encryption of transported or stored data.
"The people who need to be concerned about it are those managing customer data," he said.
The FTC will be seeking comment on the proposed rules for the next two months.