Case 1:19-cv-03297-TWT Document 6 Filed 07/23/19 Page 73 of 74
EXHIBIT B
Federal Trade Commission § 314.3
(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”
(3) Joint Marketing. As required by § 313.13 of this part, where [joint marketing] appears, the financial institution must:
(i) If it does not engage in joint marketing, state: “[name of financial institution] doesn’t jointly market”; or
(ii) If it shares personal information for joint marketing, state, as applicable: “Our joint marketing partners include [list categories of companies such as credit card companies].”
(c) General instructions for the “Other important information” box. This box is optional. The space provided for information in this box is not limited. Only the following types of information can appear in this box.
(1) State and/or international privacy law information; and/or
(2) Acknowledgment of receipt form.
[74 FR 62966, Dec. 1, 2009]
PART 314—STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION
Sec.
314.1 Purpose and scope.
314.2 Definitions.
314.3 Standards for safeguarding customer information.
314.4 Elements.
314.5 Effective date.
AUTHORITY: 15 U.S.C. 6801(b), 6805(b)(2).
SOURCE: 67 FR 36493, May 23, 2002, unless otherwise noted.
§ 314.1 Purpose and scope.
(a) Purpose. This part, which implements sections 501 and 505(b)(2) of the Gramm-Leach-Bliley Act, sets forth standards for developing, implementing, and maintaining reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
(b) Scope. This part applies to the handling of customer information by all financial institutions over which the Federal Trade Commission (“FTC” or “Commission”) has jurisdiction. This part refers to such entities as “you.” This part applies to all customer information in your possession, regardless of whether such information pertains to individuals with whom you have a customer relationship, or pertains to the customers of other financial institutions that have provided such information to you.
§ 314.2 Definitions.
(a) In general. Except as modified by this part or unless the context otherwise requires, the terms used in this part have the same meaning as set forth in the Commission’s rule governing the Privacy of Consumer Financial Information, 16 CFR part 313.
(b) Customer information means any record containing nonpublic personal information as defined in 16 CFR 313.3(n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates.
(c) Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.
(d) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this part.
§ 314.3 Standards for safeguarding customer information.
(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
(b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:
(1) Insure the security and confidentiality of customer information;