The SBA says the FTC’s proposed amendments to the Safeguards Rule on information security lack data on the potential economic impact to small entities.
8/20/2019 14:30
The U.S. Small Business Administration Office of Advocacy is seeking to reduce burdens for small businesses impacted by the Federal Trade Commission’s proposed rule on Standards for Safeguarding Consumer Information (Safeguards Rule).
The Safeguards Rule, which went into effect in 2003, requires a financial institution to develop, implement, and maintain a comprehensive information security program.
As part of its periodic review of its rules and guides, the FTC sought comment in 2016 on the Safeguards Rule. In response to this review, and to keep the rule up to date, the FTC is proposing changes to the Safeguards Rule to add more detailed requirements for what should be included in the comprehensive information security program mandated by the rule.
For example, the proposal generally would require financial institutions to encrypt all customer data, to implement access controls to prevent unauthorized users from accessing customer information, and to use multifactor authentication to access customer data. The FTC also has proposed improving compliance with these programs by requiring companies to submit periodic reports to their boards of directors.
In comments to the FTC, the Office of Advocacy seeks revisions to the proposed rule similar to ACA International’s response submitted this summer.
“Advocacy is concerned that the FTC may not fully understand the potential economic impact of this rulemaking on small entities. Advocacy encourages the FTC to maintain the status quo for small entities until it has the data to access fully the potential economic impact on small entities,” the Office of Advocacy’s letter states.
For example, according to the letter, “In the NPRM, the FTC requests, but does not provide, data about the costs of the NPRM for small entities to comply and the costs to the newly covered financial institutions of establishing the and operating an information security program.”
The Office of Advocacy, reflecting trade associations’ concerns about the regulatory burden, also reports there is a lack of data on how the proposed rule will lower risks to consumers.
The proposed rule also creates burdens for small entities with only a few employees, such as the requirement to hire a chief information security officer, noted by two members of the FTC in their dissent on the amendments.
According to the Office of Advocacy, Commissioners Noah Phillips and Christine Wilson stated:
“… the Safeguards Rule today is a flexible approach, appropriate to a company’s size and complexity. This proposal would move us away from that approach. There are direct costs for enhanced precautions, but this record does not demonstrate that those costs will significantly reduce data security risks or significantly increase consumer benefits.”
In its comments, ACA expressed concern that financial institutions collecting consumer debt, and ACA members included in the Safeguards Rule, will also incur additional costs to adopt the current proposed amendments, when revising certain rule proposals would instead accomplish the mission of continuing to protect consumers.
“The current Safeguards Rule provides a sufficient data security framework to accomplish the commission’s data security goals. ACA International and its members understand the importance of reasonable data security practices, and members already devote significant resources to data security programs,” said Leah Dempsey, vice president and senior counsel of federal advocacy. “Amending the Safeguards Rule would unnecessarily raise costs on ACA members and other financial institutions without a material benefit to consumers or information security. To the extent that the commission nonetheless advances the proposed amendments, it should revise certain proposals to avoid unnecessarily burdening financial institutions while continuing to protect consumers.”
Read ACA International’s complete comments to the Federal Trade Commission.