FIRST NATIONAL BANK

July 22, 2004

Jennifer J. Johnson
Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Attention: Docket No. R-1199

Office of the Comptroller of the Currency
250 E Street, SW
Public Reference Room
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13

Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Attention: RIN No. 3064-AC77

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: Docket No. 2004-26

Re: Proper Disposal of Consumer Information Under FACT Act, Section 216

Ladies and Gentlemen:

This comment letter is submitted on behalf of First National Bank of
Omaha in response to the joint notice of proposed rulemaking ("Proposed
Rule") and request for public comment by the Federal Deposit Insurance
Corporation, the Federal Reserve Board, the Office of the Comptroller of
the Currency and the Office of Thrift Supervision (collectively, the
"Agencies"), published in the Federal Register on June 8, 2004. The
Proposed Rule would require financial institutions under the Agencies'
jurisdiction to develop, implement and maintain appropriate measures to
properly dispose of consumer information. First National Bank of Omaha
supports the Agencies' Proposed Rule and appreciates the opportunity to
comment on this important topic.
Section 216 of the Fair and Accurate Credit Transactions Act of 2003
added section 628 to the Fair Credit Reporting Act ("FCRA") in order "to
protect a consumer against the risks associated with unauthorized access
to information about the consumer contained in a consumer report," such
as the risk of identity theft or fraud.[1] Section 628 of the
FCRA requires the Agencies, the Federal Trade Commission, the National
Credit Union Administration and the Securities and Exchange Commission
to prescribe consistent and comparable regulations that require "any
person that maintains or otherwise possesses consumer information, or
any compilation of consumer information, derived from consumer reports"
to properly dispose of this information or compilation.[2]
Section 628 also directs the agencies to ensure that these regulations
are consistent with the requirements and regulations issued under the
Gramm-Leach-Bliley Act ("GLBA") and other federal law.[3]

The Final Rule Should State that "Consumer Information" Must Identify a Particular Consumer

The Proposed Rule would define "consumer information" as "any record
about an individual, whether in paper, electronic, or other form, that
is a consumer report or is derived from a consumer report and that is
maintained or otherwise possessed by or on behalf of [financial
institutions] for a business purpose."[4] The Supplementary
Information to the Proposed Rule states that records that are "derived
from consumer reports" would include any "information about a consumer
that is taken from a consumer report," but that records that do "not
identify a particular consumer" would not qualify as "consumer
information."[5] We support the proposed definition of
"consumer information." This definition will allow financial
institutions and companies providing services to financial institutions
to apply consistent disposal procedures and, therefore, a consistent
level of protection for all consumer information nationwide.
We are concerned, however, that the proposed definition of "consumer
information" itself does not provide guidance as to the coverage of
information that may identify a particular consumer. We believe that the
text of the final rule should state expressly that information that does
not identify a particular consumer does not qualify as "consumer
information." This express statement would promote clarity and eliminate
any ambiguity surrounding the phrase "any record about an individual."
Information that does not identify a particular consumer poses little or
no risk of consumer fraud or identity theft and, as a result, financial
institutions should not be required to properly dispose of such
information.

The Final Rule Should Harmonize the Disposal Rule with the Interagency Guidelines Establishing Standards for Safeguarding Customer Information

In order to implement section 628, the Proposed Rule would amend the
Agencies' FCRA rules and the Interagency Guidelines Establishing
Standards for Safeguarding Customer Information ("Guidelines"). The
Proposed Rule would add a new section to the FCRA rules that would
require financial institutions to "properly dispose of any consumer
information that [financial institutions] maintain or otherwise possess
in accordance with the [Guidelines]."[6] The Guidelines,
promulgated pursuant to sections 501 and 505 of the GLBA, provide that
financial institutions must assess the risks to their customer
information and customer information systems and implement appropriate
security measures to control these risks. This "responsibility to
safeguard customer information continues through the disposal process."[7]
The Proposed Rule would amend the Guidelines to require financial
institutions to "develop, implement, and maintain as part of [their]
information security program[s], appropriate measures to properly
dispose of consumer information in a manner consistent with the disposal
of customer information."[8]
We support the Agencies' determination that "consumer information"
should be disposed of in a manner consistent with the disposal of
"customer information." This standard would allow financial institutions
to employ different standards based on the individual financial
institution's risk assessment and circumstances in order to ensure
appropriate disposal of consumer information. This standard would
promote flexibility and would allow financial institutions to avoid
disrupting existing practices under their information security programs,
except where necessary to do so. This approach also would respond to the
statutory mandate that the regulations issued be consistent with those
issued under the GLBA by harmonizing the disposal rule with the
Guidelines. This harmonization is essential because inconsistent
requirements would result in confusion and poor implementation. In
conclusion, we strongly support the Agencies' determination that the
requirements for the disposal of consumer information should be part of
financial institutions' larger information security programs.
First National Bank of Omaha appreciates the opportunity to comment
on this important topic. If you have any questions concerning these
comments, or if we may otherwise be of assistance in connection with
this matter, please do not hesitate to contact Eric Durham, Director of
Corporate Compliance at (402) 636-6647.

Sincerely,

Eric Durham
Director, Corporate Compliance
First National Bank of Omaha
P.O. Box 3331
Omaha, NE 68103

[1] 69 Fed. Reg. 31,913, 31,914 (June 8, 2004).
[2] FCRA §§ 628(a)(1)-(2).
[3] FCRA § 628(a)(2)(B).
[4] 69 Fed. Reg. at 31,918, 31,919, & 31,921.
[5] Id. at 31,915.
[6] Id. at 31,918, 31,919, 31,920 & 31,922.
[7] 66 Fed. Reg. 8616, 8618 (Feb. 1, 2001).
[8] 69 Fed. Reg. at 31,918, 31,919, 31,921 & 31,922.