FTC’s Data Security Proposal Maintains State’s Role
CSBS supports a recent Federal Trade Commission (FTC) proposal that would increase consumer protections for nonbank customers and that recognizes the role of state regulation, as noted in a comment letter sent today.
The proposal would bolster general safeguard requirements that nonbank financial institutions must apply to their information security systems, with concerns about data security for customers in mind.
The FTC’s recent proposal gives implicit acknowledgement to the role of states in setting data security standards, as it is modeled in part on cyber-security regulations issued by the New York Department of Financial Services.
The proposal strengthens the Safeguards Rule, which since the enactment of the Gramm-Leach-Bliley Act in 2003 has required certain nonbank financial institutions to protect the financial information of their customers. The law explicitly preserved the rights of states to enact and enforce state laws that are more protective of consumers by ensuring that its regulations serve as a floor and not a ceiling for data breach and security protections.
Congress has shown an increased interest in addressing cybersecurity, particularly due to recent data breaches. In March, CSBS responded to a Senate Banking Committee request for feedback on the issue.
CSBS and state regulators strongly believe that any laws and regulations related to data privacy and security must continue to preserve a state’s ability to apply more stringent laws. In today’s comment letter, CSBS encourages the FTC to continue its policy of applying a two-part test to assess whether to preempt state laws, which the FTC has noted would be very rare.
States have, in fact, been leaders in enhancing consumer protections in the areas of data privacy, security and control. Not only have many states enacted regulations that tighten data security, states have also responded to data breaches. Notably, state regulators were the only regulators to examine and take action against Equifax following its large-scale data breach in 2018.