Federal Deposit Insurance Corporation




FDIC Federal Register Citations

MASTERCARD INTERNATIONAL

July 23, 2004

Office of the Comptroller of the Currency
250 E Street, S.W., Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13

Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, N.W.
Washington, D.C. 20551
Attention: Docket No. R-1199

Robert E. Feldman
Executive Secretary
Attention: Comments
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
RIN No. 3064-AC77

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, N.W.
Washington, D.C. 20552
Attention: No. 2004-26

Re: FACT Act Disposal Rule

To Whom It May Concern:

MasterCard International Incorporated ("MasterCard")1 submits this comment letter in response to the Proposed Rule ("Proposal") issued by the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision (collectively, the "Agencies") regarding the proper disposal of consumer information. The Agencies have issued the Proposal pursuant to Section 628 of the Fair Credit Reporting Act ("FCRA"), which requires the Agencies to require entities subject to their respective jurisdiction ("banks") to dispose of "consumer information" properly. MasterCard appreciates the opportunity to comment on the Proposal.

In General

MasterCard believes that the Agencies have taken the proper approach toward the mandate included in Section 628 of the FCRA. In this regard, the Agencies recognize that banks are already required to maintain comprehensive information security programs designed to protect customer data. The Agencies have made the Proposal a logical extension of this existing requirement and have specifically amended their information safeguarding requirements ("GLBA Safeguarding Rule") to incorporate the new FCRA requirement. We applaud the Agencies for taking this approach, and urge that it be retained in the final rule ("Final Rule"). However, we ask that the Agencies clarify some of the compliance issues regarding the Proposal to assist banks in understanding their obligations.

No Obligation to Destroy Consumer Information

Section 628 of the FCRA states that it does not "require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law" and that it does not "alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record." Said differently, Section 628 does not require a bank to destroy any data. Rather, the regulations should address only those situations in which the bank has decided to destroy consumer information. The Proposal reflects this approach in the portion amending the Agencies' FCRA regulations by essentially restating the rule of construction quoted above. We urge the Agencies to retain this provision in the Final Rule. However, we urge the Agencies to add similar clarifications in the Proposal's provisions amending the GLBA Safeguarding Rule. In this regard, the Proposal suggests that a bank must develop "measures to properly dispose of consumer information." While the bank should dispose of such information properly if the bank decides to dispose of the information, the Final Rule should not imply a requirement to dispose of the information.

Definition of "Consumer Information"

Congress directed the Agencies to implement regulations pertaining to the disposal of "consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose." The Proposal terms this information as "consumer information" and defines it in a manner consistent with the statutory language. The Agencies also clarify that information that does not identify a particular consumer would not be "consumer information" for purposes of the Proposal. We urge the Agencies to retain this interpretation of "consumer information" because anonymous information is not the type intended to be protected by Congress in the FCRA (e.g., it is not personally identifiable, it cannot be used to commit identity theft or other fraud, etc.). MasterCard also urges the Agencies to clarify that "consumer information" includes only that information which the bank knows is information derived from consumer reports. It would not be reasonable to hold banks accountable for not disposing of information in a certain way if the bank did not know that the information was, at one time, derived from a consumer report.

Security Program Requirements

The Proposal contemplates banks making changes to their information security programs required by the GLBA Safeguarding Rule. In light of the fact that banks already address data disposal as part of their information security programs, the Agencies "believe that any changes to an institution's existing information security program to properly dispose of `consumer information' likely will be minimal." MasterCard appreciates the Agencies' recognition that the Final Rule will likely not require significant new changes to information security programs, and we urge the Agencies to retain this statement in the Supplementary Information to the Final Rule.

The Proposal would require a bank to "[d]evelop, implement, and maintain, as part of its information security program, appropriate measures to properly dispose of consumer information in a manner consistent with the disposal of customer information, in accordance with" the provisions of the GLBA Safeguarding Rule. Furthermore, the Agencies state that "it is not necessary to propose a prescriptive rule describing proper methods of disposal." We applaud the Agencies for allowing banks to dispose of consumer information in a manner consistent with how banks dispose of customer information, and recognizing that a prescriptive list would not be appropriate. The approach espoused by the Agencies correctly relies on a bank's assessment of risk and the bank's decision as to how to manage and control that risk. Just as the GLBA Safeguarding Rule relies on individual risk assessments without prescriptive rules as to how to address those risks, the Final Rule should take the same approach.

MasterCard urges the Agencies to revise the Proposal with respect to its amendment to the objectives of the GLBA Safeguarding Rule ("Objectives"). The Proposal would create a new Objective for the GLBA Safeguarding Rule, stating that a bank's information security program should be designed to "ensure the proper disposal of consumer information in a manner consistent with the disposal of customer information." We do not feel that the Objectives should be amended by the Proposal. We believe that the existing Objectives, including the Objective to "[p]rotect against unauthorized access to or use of [customer] information that could result in substantial harm or inconvenience to any customer," already encompass the goal of the Proposal. Therefore, the additional Objective appears to be largely redundant with the existing Objectives. Furthermore, the Objectives describe broad goals which set the framework for a bank's information security program. The specific items to be addressed by a bank's information security program, such as access controls and encryption requirements, are described elsewhere in the GLBA Safeguarding Rule. We do not believe it is appropriate to elevate the disposal of consumer information to the level of an Objective when other, similar issues are addressed elsewhere in the GLBA Safeguarding Rule.

The Agencies note that one of the byproducts of listing the disposal of consumer information as an Objective is that banks' contracts with service providers must address the disposal of consumer information. We do not believe that such a requirement is justified. First, contracts with service providers are required to address the broad concepts in the existing Objectives. They, appropriately, are not required to address specifically the details of a bank's information security program, such as data disposal. We do not see any reason to require service provider contracts to address the disposal of consumer information, but not the disposal of other customer information, or the encryption of data, or any of the other items to be addressed in a bank's information security program. We also note that this requirement appears to contradict the Agencies' stated goal of disposing of consumer information in a manner consistent with customer information: the disposal of consumer information will receive inconsistent treatment vis-à-vis service provider contracts. Second, service providers will be covered by regulations imposing independent obligations on the service provider to dispose of the consumer information properly.2 Therefore, it would not appear that the Proposal would fill a compliance gap with respect to service providers. Finally, the Proposal would impose a compliance burden on banks, many of which recently revised all of their contracts with service providers as a result of the GLBA Safeguarding Rule. We do not believe there to be any corresponding consumer benefit that justifies revising service provider contracts a second time when it would provide little, if any, benefit to the consumer.3

Compliance Deadlines

The Agencies have proposed that the Final Rule be effective three months after the Final Rule is published in the Federal Register. The Agencies justify this relatively short compliance period by noting that banks will likely not need to make significant adjustments to their information security programs. We agree that banks should not be required to make significant adjustments to their information security programs as a result of the Proposal. However, banks may need additional time to review the types of information covered by the Final Rule, since the scope of the Final Rule is not co-extensive with the GLBA Safeguarding Rule. Banks may need more than three months to complete a thorough review of the new information to be subject to their information security requirements. Due to this need, as well as the many other regulatory changes being implemented as a result of the recent amendments to the FCRA, we ask the Agencies to provide at least six months to comply with the Final Rule. Furthermore, if the Agencies retain an approach that requires banks to obtain new contractual agreements with service providers, we ask that the requirement be effective in a year for new contracts and in two years for contracts that were in effect prior to the effective date of the Final Rule.

Once again, we appreciate the opportunity to comment on the Proposal. If you have any questions concerning our comments, or if we may otherwise be of assistance in connection with this issue, please do not hesitate to call me, at the number indicated above, or Michael F. McEneney at Sidley Austin Brown & Wood LLP, at (202) 736-8368, our counsel in connection with this matter.

Sincerely,

Jodi Golinsky
Vice President and
Senior Regulatory Counsel
MasterCard International
2000 Purchase Street
Purchase, NY 10577

cc: Michael F. McEneney, Esq.


1 MasterCard is a SEC-registered private share corporation that licenses financial institutions to use the MasterCard service marks in connection with a variety of payments systems.
2 The Federal Trade Commission's proposed rule with respect to Section 628 of the FCRA would go so far as to cover even trash collectors.
3 The contracts must already address the issue of unauthorized access to information, which should include unauthorized access through improper disposal of information.

Last Updated 07/26/2004 regs@fdic.gov