VISA

July 12, 2004

Jennifer J. Johnson
Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Attention: Docket No. R-1199

Office of the Comptroller of the Currency
250 E Street, SW
Public Reference Room
Mail Stop 1-5
Washington, DC 20219
Attention: Docket No. 04-13

Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Attention: RIN 3064-AC77

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: No. 2004-26

Re: Proper Disposal of Consumer Information under FACT Act

Ladies and Gentlemen:

This comment letter is submitted on behalf of Visa U.S.A. Inc. in response to the joint notice of proposed rulemaking ("Proposed Rule") and request for public comment by the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (collectively, the "Agencies"), published in the Federal Register on June 8, 2004. The Proposed Rule would require financial institutions under the Agencies' jurisdiction to develop, implement and maintain appropriate measures to properly dispose of consumer information. Visa supports the Agencies' Proposed Rule and appreciates the opportunity to comment on this important topic.

The Visa Payment System, of which Visa U.S.A.[1] is a part, is the largest consumer payment system, and the leading consumer e-commerce payment system, in the world, with more volume than all other major payment cards combined. Visa plays a pivotal role in advancing new payment products and technologies, including technology initiatives for protecting personal information and preventing identity theft and other fraud, for the benefit of its member financial institutions and their hundreds of millions of cardholders.
Section 628 of the Fair Credit Reporting Act ("FCRA"), as added by section 216 of the Fair and Accurate Credit Transactions Act of 2003, "is designed to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report," such as the risk of identity theft or fraud.[2] To this end, section 628 requires the Agencies, the Federal Trade Commission, the National Credit Union Administration and the Securities and Exchange Commission to prescribe consistent and comparable regulations that require "any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports" to properly dispose of this information or compilation.[3] Section 628 also directs the agencies to ensure that these regulations are consistent with the requirements and regulations issued under the Gramm-Leach-Bliley Act ("GLBA") and other federal law.[4]

"CONSUMER INFORMATION" SHOULD IDENTIFY A PARTICULAR CONSUMER

The Proposed Rule would define "consumer information" as "any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of [financial institutions] for a business purpose."[5] The Supplementary Information to the Proposed Rule ("Supplementary Information") indicates that records that are "derived from consumer reports" would include any "information about a consumer that is taken from a consumer report."[6] The Supplementary Information also states that "information that may be 'derived from consumer reports' but does not identify a particular consumer" would not qualify as "consumer information."[7] Visa supports the Agencies' proposed, broad definition of "consumer information."
This definition will allow financial institutions and companies providing services to financial institutions to apply consistent disposal procedures and, therefore, a consistent level of protection for all consumer information nationwide. However, Visa is concerned that the proposed definition of "consumer information" in the rule itself does not provide guidance as to the coverage of information that does not identify a particular consumer. Visa believes that the text of the final rule itself should expressly state that information that does not identify a particular consumer would not qualify as "consumer information." This express statement in the text of the final rule would promote clarity and would eliminate any ambiguity surrounding the phrase "any record about an individual." Information that does not identify a particular consumer poses little or no risk of consumer fraud or identity theft and, as a result, the final rule should not apply to such information.

HARMONIZATION OF DISPOSAL RULE WITH INTERAGENCY GUIDELINES ESTABLISHING STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION IS APPROPRIATE

In order to implement section 628, the Proposed Rule would amend the Agencies' FCRA rules and the Interagency Guidelines Establishing Standards for Safeguarding Customer Information ("Guidelines"). The Proposed Rule would add a new section to the FCRA rules that would require financial institutions to "properly dispose of any consumer information that [financial institutions] maintain or otherwise possess in accordance with the [Guidelines]."[8] The Guidelines, promulgated pursuant to sections 501 and 505 of the GLBA, provide that financial institutions must assess the risks to their customer information and customer information systems and implement appropriate security measures to control these risks.
This responsibility to safeguard customer information continues through the disposal process.[9] The Proposed Rule would amend the Guidelines to require financial institutions to "[d]evelop, implement, and maintain as part of [their] information security program[s], appropriate measures to properly dispose of consumer information in a manner consistent with the disposal of customer information."[10]

Visa supports the Agencies' determination that "consumer information" should be disposed of in a manner consistent with the disposal of "customer information." This disposal standard would allow financial institutions to employ different standards based on the individual financial institution's risk assessment and circumstances in order to ensure appropriate disposal of consumer information. This approach would promote flexibility and would allow financial institutions to avoid disrupting existing practices under their information security programs, except where necessary to do so. This approach also would respond to the statutory mandate that the regulations issued be consistent with those issued under the GLBA by harmonizing the disposal rule with the Guidelines. This harmonization is essential because inconsistent requirements would be confusing and lead to uneven results. As a result, Visa strongly supports the Agencies' determination that the requirements for the disposal of consumer information should be part of financial institutions' larger information security programs.

Visa appreciates the opportunity to comment on this important matter. If you have any questions concerning these comments, or if we may otherwise be of assistance in connection with this matter, please do not hesitate to contact me, at (415) 932-2178.

Sincerely,

Russell W. Schrader
Senior Vice President and Assistant General Counsel
VISA U.S.A. Inc.
P.O. Box 194607
San Francisco, CA 94119-4607
[1] Visa U.S.A. is a membership organization comprised of U.S. financial institutions licensed to use the Visa service marks in connection with payment systems.

[2] 69 Fed. Reg. 31,913, 31,914 (June 8, 2004).

[3] FCRA §§ 628(a)(1)-(2).

[4] FCRA § 628(a)(2)(B).

[5] 69 Fed. Reg. at 31,918, 31,919, 31,921.

[6] Id. at 31,915.

[7] Id.

[8] Id. at 31,918, 31,919, 31,920, 31,922.

[9] 66 Fed. Reg. 8616, 8618 (Feb. 1, 2001).

[10] 69 Fed. Reg. at 31,918, 31,919, 31,921, 31,922. In addition, the Proposed Rule would add a new objective to the Guidelines that would provide that a financial institution's information security program should be designed to "[e]nsure the proper disposal of consumer information in a manner consistent with the disposal of customer information." Id. The addition of this objective would require "financial institution[s] to contractually require [their] service providers to develop appropriate measures for the proper disposal of consumer information" because the Guidelines provide that financial institutions contractually should require service providers to implement appropriate measures designed to meet the Guidelines' objectives. Id. at 31,916.