Preventing Data Breach and the GLBA

By Adam W. Vanek

“It is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” – 15 U.S.C.A. § 6801.

In 2006 an estimated 9 million American adults were the victims of identity theft at a total cost of $56.6 billion.  There are a number of legislative efforts designed to protect the privacy, security, and confidentiality of customer data.  One such law, the Gramm-Leach-Bliley Act (the “GLBA”), also known as the Financial Services Modernization Act of 1999, effectively repealed the Banking Act of 1933 and amended the Bank Holding Company Act of 1956.

The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information.  The GLBA separates individual privacy protection into three principal categories: (1) the Financial Privacy Rule; (2) the Safeguards Rule; and (3) Pretexting Provisions. The Financial Privacy Rule and the Safeguards Rule apply to “financial institutions,” which include banks, securities firms, insurance companies and other companies providing financial products and services to consumers.

This abbreviated article is meant to provide an overview of the GLBA and its Financial Privacy Rule and the Safeguards Rule. To read this article in its entirety, please visit

http://www.scottandscottllp.com/media-library.asp

I.     THE FINANCIAL PRIVACY RULE.

“The world is digital and so is our personal data.  In this day and age, almost everything we do results in a third party creating a digital record about us – digital records that we may not even realize exist.” – Senator Russ Feingold.

The Financial Privacy Rule (the “Privacy Rule”) applies to financial institutions that collect and receive nonpublic personal information from consumers, and requires them to provide their customers with a written notice of their policies and procedures, stating how the customer’s nonpublic personal information is protected and shared.  The privacy notice must also provide consumers with a reasonable opportunity to “opt-out” of any information sharing, where the statute requires it.

A.    Notice Requirements:  Clear and Conspicuous.

First and foremost, the privacy notice must be “clear and conspicuous.”  This means that the notice must be understandable and designed to call attention to the nature and significance of the information within the notice.  For example, the notice must use an easily readable font and present the information in clear, concise sentences, using definite, everyday words and short, explanatory sentences whenever possible.  Similarly, any changes in the privacy policy must be clear and conspicuous, and the consumer must be reasonably notified of such changes.

B.     Disclosure Obligations: Consumer v. Customer

The type and frequency of the notice is dependent on whether the information belongs to a “consumer” or a “customer.”  The primary distinction between a consumer and a customer depends upon the relationship that exists between the individual and the financial institution.

A “consumer” is an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes.  Typically, a consumer has a limited, “one time” connection with the financial institution such as an automatic teller machine transaction.  A financial institution is only required to send a privacy notice when it shares or intends to share the consumer’s nonpublic personal information with a nonaffiliated third party.

A “customer” is a consumer who has a “continuing relationship” with the financial institution such as a traditional deposit or investment account.  Financial institutions are required to provide customers with a privacy notice as soon as the customer relationship is established, whether or not the institution plans to share the customer’s nonpublic personal information.  Additionally, the institution is required to provide its customer with a privacy notice annually for as long as the customer relationship exists.  For purposes of the Privacy Rule, a former customer is considered a consumer.

C.    The Opt-Out Notice and its Exceptions:  What is Required in an Opt-Out Notice?
 
If a financial institution intends to share nonpublic personal information with a nonaffiliated third party, the institution must, in most instances, provide its consumers with an opportunity to “opt-out,” that is, to instruct the institution not to share his or her nonpublic personal information.  This opt-out notice must be delivered to the consumer within a reasonable time and must be included or incorporated within the privacy notice itself.  Just like the privacy notice, the opt-out notice must be clear and conspicuous and must: (1) state that the institution reserves the right to disclose the consumer’s nonpublic personal information to a nonaffiliated third party; (2) state that the consumer has the right to opt-out; and (3) provide a reasonable means by which the consumer may opt-out.

1.    Exceptions to the Opt-Out Notice:  Service Providers and Joint Marketing.

Financial institutions often contract with outside service providers to perform certain ordinary business functions such as data processing or servicing accounts.  The opt-out requirements do not apply when financial institutions share information with service providers who perform such services or ordinary business functions on the institution’s behalf as long as: (1) the institution provides an initial notice to the consumer; and (2) the institution enters into a written contractual agreement with the service provider that prohibits it from disclosing or using the information, other than to carry out the function for which it was hired.

2.    Servicing Transactions. 

A second exception to the opt-out notice requirements allows the sharing of nonpublic personal information that is necessary for a financial institution to “effect, administer, or enforce” a transaction that a customer requests or authorizes. These customer-authorized transactions include: (1) servicing or processing a financial product or service that a consumer requests or authorizes; (2) maintaining or servicing the consumer’s account, including servicing another entity such as a private label credit card program; or (3) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to the consumer.  For example, the GLBA allows a financial institution to proceed with a consumer’s loan application without having to provide the consumer with an opt-out notice.  The premise of this exception is that the consumer authorizes disclosure of personal information, which is necessary in order to obtain the loan(s) they requested.

3.    Other Exceptions to Notice and Opt-Out Requirements. 

Finally, Section 313.15 provides a laundry list of exceptions that allow a financial institution to disclose a consumer’s nonpublic personal information.  These exceptions include:

  • When the customer consents to his or her information being shared.

  • To protect the confidentiality or security of the consumer’s records and to protect against or prevent actual or potential fraud. 

  • To resolve customer disputes or inquiries.

  • To a consumer’s legally appointed representative, such as a power of attorney, or persons acting in a fiduciary capacity on the behalf of the consumer.

  • To provide information to insurance rate advisory organizations, guaranty funds, or agencies that rate the institution, persons assessing an institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors.

  • To the extent permitted or required by law and in accordance with the Right to Financial Privacy Act.

  • To a consumer reporting agency in accordance with the Fair Credit Reporting Act.

  • To comply with all Federal, State or local laws, including court orders.

II.    THE SAFEGUARDS RULE.

“Safeguarding information is not a product, but a process.” – Thomas J. Smedinghoff

So far this article has discussed the GLBA’s Privacy Rule, its Safe Harbor Rule and its reporting and notice requirements.  This part examines the GLBA’s Safeguards Rule and the steps necessary to satisfy the Federal Trade Commission.

The Safeguards Rule requires financial institutions to conduct a thorough risk assessment of their security measures and design a comprehensive information security program to protect nonpublic personal information.  Specifically, the Safeguards Rule requires financial institutions to “develop, implement, and maintain a comprehensive information security program that is written… and contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.”  The statutory objective of the Safeguards Rule is to: (1) ensure the security and confidentiality of customer information; (2) protect against anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

A.    An Information Security Program Must be Appropriate.

The Safeguards Rule requires an institution to develop, implement, and maintain a comprehensive information security program that is written, contains administrative, technical and physical safeguards, is “appropriate” to the institution’s size and complexity, as well as the nature and scope of its activities, and is appropriate to the sensitivity of the customer information at issue.  Therefore, an institution may exercise some latitude in developing its security program.  While some critics may view this subjective standard as unenforceable, the FTC places a high level of responsibility upon financial institutions to keep up with the latest technology and the constant bombardment of potential identity thieves.

B.    A Thorough Risk Assessment is Required.

The FTC requires companies to conduct a thorough risk assessment and address such risks to customer information in all areas of their operation, including administrative, technical, and physical safeguards.  As part of the risk assessment, the Safeguards Rule requires an institution to:

  • Designate someone to coordinate the information security program;

  • Perform a thorough risk assessment and identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise of such information; and

  • Assess the sufficiency of any safeguards in place to control these risks.

Reactions to the Safeguards Rule were mixed.  Many companies carefully considered the costs of compliance compared to the costs of non-compliance.  In fact, John Eubank, president of Nationwide Mortgage Group, evaluated whether to close his company because it would cost him $70,000 to comply with the Safeguards Rule and approximately $250,000 to fight the FTC if he elected not to comply.  The $250,000 did not include potential fines.

Another important factor for institutions to consider is the potential discoverability of risk assessments.  If internal employees prepare the risk assessments, those assessments could be admitted as evidence if they are relevant to court proceedings.  For example, if a technical professional prepared a risk assessment indicating that the company should replace its firewall, and a security breach or data breach then resulted from that firewall before it could be replaced, the assessment may be a damaging piece of evidence.  To avoid potential discovery issues, companies should determine whether their risk assessments could be covered by the attorney-client or attorney work-product privileges.  The rules regarding these privileges are state specific and should be examined carefully with experienced counsel.

C.    Employee Training and Management

The cost of compliance is related to employee training and management.  A financial institution’s risk assessment should:

  • Check employee references and perform background checks;

  • Require employees to sign a confidentiality agreement;

  • Limit employee access to sensitive customer information;

  • Use password-activated screen savers to lock employee computers;

  • Encrypt customer files on laptops and other computers in case of theft;

  • Impose disciplinary measures for security policy violations;

  • Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names.

The FTC noted in one of its publications that “the success of your information security plan depends largely upon the employees who implement it.”

D.    Information Systems.

Second, the Safeguards Rule requires a financial institution to assess its information systems, including network and software design, as well as information processing, storage, transmission, and disposal.  A financial institution’s written information security plan should include both technology concerns and the physical storage and destruction of nonpublic personal information. For example:

  • Know where sensitive customer information is stored and ensure that it is stored securely;

  • Ensure that the computer or server is accessible only by using a “strong” password and is kept in a physically secure area;

  • Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area;

  • Take affirmative steps to secure transmission of customer information;

  • Encrypt customer data if it is necessary for you to transmit such information by email or Internet;

  • If you collect information online directly from customers, secure the data transmission automatically;

  • Dispose of customer information consistent with the FTC’s Disposal Rule.

E.    Plan for System Attacks.

Third, the Safeguards Rule requires a financial institution to detect, prevent, and respond to attacks, intrusions, or other system failures.  A financial institution must remain constantly vigilant, and employ the latest security measures and technology in order to adequately protect its network.  The FTC Guidance report suggests that financial institutions:

  • Monitor the websites of software vendors and relevant industry publications for news about emerging threats and available defenses;

  • Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information;

  • Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information;

  • Take affirmative steps to preserve the security, confidentiality, and integrity of customer information and consider notifying consumers, law enforcement, and credit bureaus in the event of a security breach or data breach;

  • Oversee service providers by ensuring that they are able to take appropriate security precautions and in fact do so;

  • Update the security program as necessary in response to frequent monitoring and material changes in the business.

F.    Implementing and Maintaining the Information Security Program.

Finally, the Safeguards Rule requires a financial institution to design and implement information safeguards to control the risks identified and regularly test and monitor the effectiveness of the information security program’s key controls, systems, and procedures.  This duty also includes overseeing third-party service providers by taking reasonable steps to ensure that the service provider is capable of maintaining appropriate safeguards and requiring the service providers to contractually agree to implement and maintain such controls.  The Safeguards Rule requires a financial institution to evaluate and adjust its information security program in response to its system test results or in response to any changes in its operations or business circumstances.

Conclusion

As Congress attempts to keep pace with the information age and balance the needs of commerce with those of individual protection, the Gramm-Leach-Bliley Act continues to evolve.  Financial institutions must be aware of new Federal agency opinions as well as changing state laws.  The Privacy and Safeguards Rules allow financial institutions to adopt policies and procedures that are appropriate for their specific needs and size, but the costs of compliance are often great.  The costs of non-compliance can be even greater. As technology advances, so does the level of appropriateness a financial institution is required to maintain.  Protecting the privacy of consumer information is not only good for business, it’s a legal duty.