Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Federal Register Publications

FDIC Federal Register Citations

MASTERCARD INTERNATIONAL

July 23, 2004

Office of the Comptroller of the Currency 
250 E Street, S.W., Mail Stop 1-5 
Washington, DC 20219 
Attention: Docket No. 04-13

 

Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System 
20th Street and Constitution Avenue, N.W. 
Washington, D.C. 20551
Attention: Docket No. R-1199

Robert E. Feldman
Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation 
550 17th Street, N.W.
Washington, D.C. 20429 
RIN No. 3064-AC77

Regulation Comments
Chief Counsel's Office 
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2004-26

Re: FACT Act Disposal Rule

To Whom It May Concern:

MasterCard International Incorporated ("MasterCard")1 submits this comment letter in response to the Proposed Rule ("Proposal") issued by the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision (collectively, the "Agencies") regarding the proper disposal of consumer information. The Agencies have issued the Proposal pursuant to Section 628 of the Fair Credit Reporting Act ("FCRA"), requiring the Agencies to require entities subject to their respective jurisdiction ("banks") to dispose of "consumer information" properly. MasterCard appreciates the opportunity to comment on the Proposal.

In General

MasterCard believes that the Agencies have taken the proper approach toward the mandate included in Section 628 of the FCRA. In this regard, the Agencies recognize that banks are already required to maintain comprehensive information security programs designed to protect customer data. The Agencies have made the Proposal a logical extension of this existing requirement and have specifically amended their information safeguarding requirements ("GLBA Safeguarding Rule") to incorporate the new FCRA requirement. We applaud the Agencies for taking this approach, and urge that it be retained in the final rule ("Final Rule"). However, we ask that the Agencies clarify some of the compliance issues regarding the Proposal to assist banks in understanding their obligations.

No Obligation to Destroy Consumer Information

Section 628 of the FCRA states that it does not "require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law" and that it does not "alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record." Said differently, Section 628 does not require a bank to destroy any data. Rather, the regulations should address only those situations in which the bank has decided to destroy consumer information. The Proposal reflects this approach in the portion amending the Agencies' FCRA regulations by essentially restating the rule of construction quoted above. We urge the Agencies to retain this provision in the Final Rule. However, we urge the Agencies to add similar clarifications in its provisions amending the GLBA Safeguarding Rule. In this regard, the Proposal suggests that a bank must develop "measures to properly dispose of consumer information." While the bank should dispose of such information properly if the bank decides to dispose of the information, the Final Rule should not imply a requirement to dispose of the information.

Definition of "Consumer Information"

Congress directed the Agencies to implement regulations pertaining to the disposal of "consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose." The Proposal terms this information as "consumer information" and defines it in a manner consistent with the statutory language. The Agencies also clarify that information that does not identify a particular consumer would not be "consumer information" for purposes of the Proposal. We urge the Agencies to retain this interpretation of "consumer information" because anonymous information is not the type intended to be protected by Congress in the FCRA (e.g., it is not personally identifiable, it cannot be used to commit identity theft or other fraud, etc.). MasterCard also urges the Agencies to clarify that "consumer information" includes only that information which the bank knows is information derived from consumer reports. It would not be reasonable to hold banks accountable for not disposing of information in a certain way if the bank did not know that the information was, at one time, derived from a consumer report.

Security Program Requirements

The Proposal contemplates banks making changes to their information security programs required by the GLBA Safeguarding Rule. In light of the fact that banks already address data disposal as part of their information security programs, the Agencies "believe that any changes to an institution's existing information security program to properly dispose of `consumer information' likely will be minimal." MasterCard appreciates the Agencies' recognition that the Final Rule will likely not require significant new changes to information security programs, and we urge the Agencies to retain this statement in the Supplementary Information to the Final Rule.

The Proposal would require a bank to "[d]evelop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of consumer information in a manner consistent with the disposal of customer information, in accordance with" the provisions of the GLBA Safeguarding Rule. Furthermore, the Agencies state that "it is not necessary to propose a prescriptive rule describing proper methods of disposal." We applaud the Agencies for allowing banks to dispose of consumer information in a manner consistent with how banks dispose of customer information, and recognizing that a prescriptive list would not be appropriate. The approach espoused by the Agencies correctly relies on a bank's assessment of risk and the bank's decision as to how to manage and control that risk. Just as the GLBA Safeguarding Rule relies on individual risk assessments without prescriptive rules as to how to address those risks, the Final Rule should take the same approach.

MasterCard urges the Agencies to revise the Proposal with respect to its amendment to the objectives of the GLBA Safeguarding Rule ("Objectives"). The Proposal would create a new Objective for the GLBA Safeguarding Rule, stating that a bank's information security program should be designed to "ensure the proper disposal of consumer information in a manner consistent with the disposal of customer information." We do not feel that the Objectives should be amended by the Proposal. We believe that the existing Objectives, including the Objective to "[p]rotect against unauthorized access to or use of [customer] information that could result in substantial harm or inconvenience to any customer," already encompass the goal of the Proposal. Therefore, the additional Objective appears to be fairly redundant to the existing Objectives. Furthermore, the Objectives describe broad goals which set the framework for a bank's information security program. The specific items to be addressed by a bank's information security program, such as access controls and encryption requirements, are described elsewhere in the GLBA Safeguarding Rule. We do not believe it is appropriate to elevate the disposal of consumer information to one of an Objective when other, similar issues are addressed elsewhere in the GLBA Safeguarding Rule.
 

The Agencies note that one of the byproducts of listing the disposal of consumer information as an Objective is that banks' contracts with service providers must address the disposal of consumer information. We do not believe that such a requirement is justified. First, contracts with service providers are required to address the broad concepts in the existing Objectives. They, appropriately, are not required to address specifically the details of a bank's information security program, such as data disposal. We do not see any reason to require service provider contracts to address the disposal of consumer information, but not the disposal of other customer information, or the encryption of data, or any of the other items to be addressed in a bank's information security program. We also note that this requirement appears to be a contradiction to the Agencies' stated goal of disposing consumer information in a manner consistent with customer information—the disposal of consumer information will receive inconsistent treatment vis-a-vis service provider contracts. Second, service providers will be covered by regulations imposing independent obligations on the service provider to dispose of the consumer information properly.2 Therefore, it would not appear that the Proposal would fill a compliance gap with respect to service providers. Finally, the Proposal would impose a compliance burden on banks, many of which recently revised all of their contracts with service providers as a result of the GLBA Safeguarding Rule. We do not believe there to be any corresponding consumer benefit that justifies revising service provider contracts a second time when it would provide little, if any, benefit to the consumer.3
 

Compliance Deadlines

The Agencies have proposed that the Final Rule be effective three months after the Final Rule is published in the Federal Register. The Agencies justify this relatively short compliance period by noting that banks will likely not need to make significant adjustments to their information security programs. We agree that banks should not be required to make significant adjustments to their information security programs as a result of the Proposal. However, banks may need additional time to review the types of information covered by the Final Rule, since the scope of the Final Rule is not co-extensive with the GLBA Safeguarding Rule. Banks may need more than three months to complete a thorough review of the new information to be subject to their information security requirements. Due to this need, as well as the many other regulatory changes being implemented as a result of the recent amendments to the FCRA, we ask the Agencies to provide at least six months to comply with the Final Rule. Furthermore, if the Agencies retain an approach that requires banks to obtain new contractual agreements with service providers, we ask that the requirement be effective in a year for new contracts and in two years for contracts that were in effect prior to the effective date of the Final Rule.
 

Once again, we appreciate the opportunity to comment on the Proposal. If you have any questions concerning our comments, or if we may otherwise be of assistance in connection with this issue, please do not hesitate to call me, at the number indicated above, or Michael F. McEneney at Sidley Austin Brown & Wood LLP, at (202) 736-8368, our counsel in connection with this matter.

Sincerely,

Jodi Golinsky
Vice President and
Senior Regulatory Counsel 
MasterCard International
2000 Purchase Street
Purchase, NY 10577

cc: Michael F. McEneney, Esq.


1 MasterCard is a SEC-registered private share corporation that licenses financial institutions to use the MasterCard service marks in connection with a variety of payments systems.
2 The Federal Trade Commission's proposed rule with respect to Section 628 of the FCRA would go so far as to cover even trash collectors.
3 The contracts must already address the issue of unauthorized access to information, which should include unauthorized access through improper disposal of information.

 

Last Updated 07/26/2004regs@fdic.gov

Last Updated: August 23, 2024