Federal Deposit
Insurance Corporation

Re: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, Docket Nos. 03-18 (OCC), OP1155 (FRB), 03-35 (OTS)

Ladies and Gentlemen:

On behalf of the National Coalition on Privacy and E-Commerce, we are pleased to have the opportunity to submit a comment on the proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ("Proposed Guidance" or "Guidance").

The National Business Coalition on E-Commerce and Privacy is comprised of nationally recognized companies from diverse economic sectors dedicated to the pursuit of a balanced and uniform national policy pertaining to electronic commerce and privacy. Our member companies are top competitors in the e-commerce marketplace, and are strongly committed to ensuring the privacy of our customers, both on-line and off-line.

Overall, we believe the Proposed Guidance is a thoughtful and reasoned attempt to prevent unauthorized access and to mitigate the adverse consequences of such access. We would nevertheless urge the agencies to make clear that the Proposed Guidance would apply only to consumer information and not to information from or about business or commercial customers. We believe that the Proposed Guidance intends this result, but in order to ensure that the Guidance has the same scope as the law and regulations on which it relies, a clarification would be useful.

The Proposed Guidance is clear that it is based on and interprets section 501(b) of the Gramm-Leach-Bliley Act, and, additionally, that it interprets the Interagency Guidelines Establishing Standards for Safeguarding Customer Information ("Security Guidelines"). Section 501(b) directs the relevant agencies to establish standards that insure the security of "customer records and information" and that protect against threats, hazards, or unauthorized access to such records.¹ The Security Guidelines represent the first set of standards under section 501(b) and contain a comprehensive set of standards to protect customer information.²

Although Title V of the Gramm-Leach-Bliley Act does not itself define "customer records and information," the Security Guidelines define the term as "any record containing nonpublic personal information [as defined in the banking agencies' privacy rules] about a customer."³ "Customer" is defined in those rules as a "consumer who has a customer relationship,"⁴ and a "consumer" is an "individual who obtains or has obtained a financial product or service ... that is to be used primarily for personal, family, or household purposes."⁵ These definitions do not purport to encompass commercial information that an institution has received from or about a business (whether that business is a corporation or a sole proprietorship).

The Proposed Guidance is designed to protect "customer information," which the Guidance notes is "the same term used in the Security Guidelines." The Proposed Guidance goes on to state that customer information "means any record containing nonpublic personal information whether in paper, electronic, or other form, maintained by or on behalf of the institution."⁶ Accordingly, we believe that the Proposed Guidance is limited to information received from or about individuals in relation to products or services obtained for personal, family, or household reasons. Other information regarding products or services that have a commercial or business purpose is not so covered.

This distinction makes eminent sense. The laws and regulations on which the Proposed Guidance is based make the same distinction, and there are long-established public policy reasons for treating business customers differently from consumers, among them that business customers have greater resources and knowledge to protect their information.

We would ask the agencies to confirm specifically in the preamble to the release of final guidelines that the guidelines do not address information received from or about a business or other commercial enterprise.

John A. Schall
Executive Director
The National Business Coalition on E-Commerce and Privacy
Washington, DC

¹ See 15 U.S.C. § 6801(b).
² See 66 Fed. Reg. 8616 (Feb. 1, 2001).
³ Id. at 8633 (Feb. 1, 2001).
⁴ See, e.g., 12 C.F.R. § 40.3(h).
⁵ See, e.g., 12 C.F.R. § 40.3(e)(1).
⁶ 68 Fed. Reg. at 47958 n. 3.