October 14, 2003

Public Information Room
Office of the Comptroller of the Currency
250 E Street, SW, Mail stop 1-5
Washington, D.C. 20219
Attention: Docket No. 03-18

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G. Street, N.W.
Washington, DC 20522
Attention: No. 03-35

Ms. Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Ave, NW
Washington, D.C. 20551
Docket No. OP-1155

Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429

Re: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, Docket Nos. 03-18 (OCC), OP1155 (FRB), 03-35 (OTS)

Ladies and Gentlemen:

On behalf of the National Coalition on Privacy and E-Commerce, we are pleased to have the opportunity to submit a comment on the proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ("Proposed Guidance" or "Guidance").

The National Business Coalition on E-Commerce and Privacy is comprised of nationally recognized companies from diverse economic sectors dedicated to the pursuit of a balanced and uniform national policy pertaining to electronic commerce and privacy. Our member companies are top competitors in the e-commerce marketplace, and are strongly committed to ensuring the privacy of our customers, both on-line and off-line.

Overall, we believe the Proposed Guidance is a thoughtful and reasoned attempt to prevent unauthorized access and to mitigate the adverse consequences of such access. We would nevertheless urge the agencies to make clear that the Proposed Guidance would apply only to consumer information and not to information from or about business or commercial customers. We believe that the Proposed Guidance intends this result, but in order to ensure that the Guidance has the same scope as the law and regulations on which it relies, a clarification would be useful.

The Proposed Guidance is clear that it is based on and interprets section 501(b) of the Gramm-Leach-Bliley Act, and, additionally, that it interprets the Interagency Guidelines Establishing Standards for Safeguarding Customer Information ("Security Guidelines"). Section 501(b) directs the relevant agencies to establish standards that insure the security of "customer records and information" and that protect against threats, hazards, or unauthorized access to such records.1 The Security Guidelines represent the first set of standards under section 501(b) and contain a comprehensive set of standards to protect customer information.2

Although Title V of the Gramm-Leach-Bliley Act does not itself define "customer records and information," the Security Guidelines define the term as "any record containing nonpublic personal information [as defined in the banking agencies' privacy rules] about a customer."3 "Customer" is defined in those rules as a "consumer who has a customer relationship,"4 and a "consumer" is an "individual who obtains or has obtained a financial product or service ... that is to be used primarily for personal, family, or household purposes."5 These definitions do not purport to encompass commercial information that an institution has received from or about a business (whether that business is a corporation or a sole proprietorship).

The Proposed Guidance is designed to protect "customer information," which the Guidance notes is "the same term used in the Security Guidelines." The Proposed Guidance goes on to state that customer information "means any record containing nonpublic personal information whether in paper, electronic, or other form, maintained by or on behalf of the institution."6 Accordingly, we believe that the Proposed Guidance is limited to information received from or about individuals in relation to products or services obtained for personal, family, or household reasons. Other information regarding products or services that have a commercial or business purpose is not so covered.

This distinction makes eminent sense. The laws and regulations on which the Proposed Guidance is based make the same distinction, and there are long-established public policy reasons for treating business customers differently from consumers, among them that business customers have greater resources and knowledge to protect their information.

We would ask the agencies to confirm specifically in the preamble to the release of final guidelines that the guidelines do not address information received from or about a business or other commercial enterprise.

John A. Schall
Executive Director
The National Business Coalition on E-Commerce and Privacy
Washington, DC
 
1 See 15 U.S.C. § 6801(b).
2 See 66 Fed. Reg. 8616 (Feb. 1, 2001).
3 Id. at 8633 (Feb. 1, 2001).
4 See, e.g., 12 C.F.R. § 40.3(h).
5 See, e.g., 12 C.F.R. § 40.3(e)(1).
6 68 Fed. Reg. at 47958 n. 3.