67 FR 36585 / Vol. 67, No. 100 / Thursday, May 23, 2002 / Rules and Regulations

314.1 Purpose and scope.
314.2 Definitions.
314.3 Standards for safeguarding customer information.
314.4 Elements.
314.5 Effective date.

12952 Filed 5-22-02; 8:45 am]
BILLING CODE 6750-01-P
85 FPA at 3; Paas at 2; see also OCUL (stating that the NCUA's safeguards rule is very burdensome for credit unions); Post at 1 (stating that Privacy Rule
86 See supra n.81.
87 See, e.g., ICB at 2; Musgrove at 2; NADA at 2; NIADA at 9; Paas at 4-6.
88 Paas at 3.
89 See NIADA at 7; Paas at 4-5.
90 Paas at 5; see also NRF at 5 (expressing concern that Rule could make financial institutions strictly providers).

with enforcing the statute].
Financial institutions covered by the Rule will include many of the same lenders, financial advisors, loan brokers and servicers, collection agencies, financial advisors, tax preparers, real estate settlement services, and others that are subject to the Privacy Rule. Many of these financial institutions will not be subject to the Safeguards Rule to the extent that they do not have any customer information within the meaning of the Safeguards Rule. The Commission did not receive comments that helped it to identify in any comprehensive manner the small entities that will be affected by the rule.
However, one commenter, the National Association of Automobile Dealers Association (NADA), submitted 1999 data showing that, at that time, 5,292 franchised new automobile dealers had 30 or fewer employees; 1,706 had 20 or fewer employees; and 575 had 10 or fewer employees.[91] In addition, the Commission is aware that many small businesses, such as individual tax preparers or mortgage brokers, will be covered by the Rule.

arrangements; or any other circumstances that you know or have reason to know may have a material impact on [its] information security program. The Commission believes that the Rule allows a financial institution sufficient flexibility as to how to adjust its safeguards, and therefore finds it unnecessary to limit the responsibility of financial institutions to taking reasonable steps to make any adjustments. Thus, paragraph (e) is adopted with the changes noted above.

Section 314.5: Effective Date

Proposed section 314.5 required each financial institution covered by the Rule to implement an information security program not later than one year from the date on which a Final Rule is issued. In addition, the proposal requested comment on whether the Rule should contain a transition period to allow the continuation of existing contracts with service providers, even if the contracts would not satisfy the Rule's requirements. Many commenters supported as adequate an effective date of one year from the date on which the Final Rule is issued.[76] A few commenters urged that a longer time be given, such as 18 months,[77] or that an additional year be allowed for businesses, particularly small entities, to comply.[78] In addition, all commenters who addressed the issue urged that the Rule allow a transition period for service provider contracts.[79] Most of these commenters requested that financial institutions be given two years to make service provider contracts comply,[80] while a few commenters sought a slightly longer time.[81]

Consistent with the majority of comments, the Rule will take effect one year from the date on which the Final Rule is published in the Federal Register, except that there will be a transition rule for contracts between financial institutions and nonaffiliated third party service providers. Under the transition rule, set forth in section 314.5(b) of the Rule, financial institutions will be given an additional year to bring these service provider contracts into compliance with the Rule, as long as the contract was in place 30 days after the date on which the Final Rule is published in the Federal Register. The transition rule parallels the two-year grandfathering of service contracts that was permitted under both the Privacy Rule and the Banking Agency Guidelines. The Commission believes that the effective date and transition rule will provide businesses appropriate flexibility in complying with the Rule.

75 Equifax at 9.
76 See, e.g., Equifax at 10; Intuit at 6; Mastercard at 8; NIADA at 8; OCUL at 3; Sallie Mae at 3; SIIA 2.
77 NADA at 2-3; NIADA at 8. See also NFFG at 2 (2 years).
78 ACA at 6-7.
79 See, e.g., CDIA at 5; NIADA at 8; OCUL at 3; SIIA at 2; TGSL at 2; Visa at 5.
80 See, e.g., Equifax at 10; NRF at 5; NFFG at 2; OCUL at 3.
81 Sallie Mae at 3; Visa at 5.

Section D. Paperwork Reduction Act
The Paperwork Reduction Act (PRA), 44 U.S.C. Chapter 35, requires federal agencies to seek and obtain OMB approval before undertaking a collection of information directed to ten or more persons. Under the PRA, a rule creates a collection of information where ten or more persons are asked to report, provide, disclose, or record information in response to identical questions. See 44 U.S.C. 3502(3)(A). Applying these standards, the Rule does not constitute a collection of information.
The Rule calls upon affected financial institutions to develop or strengthen their information security programs in order to provide reasonable safeguards. Under the Rule, each financial institution's safeguards will vary according to its size and complexity,