Citation
Gramm-Leach-Bliley Financial Services Modernization Act (GLB Act), Title V of the Financial Services Modernization Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338 (Nov. 12, 1999) (codified at 15 U.S.C. §§ 6801, 6809, 6821, and 6827) (full-text); 16 C.F.R. part 313 (implementing privacy rules pursuant to GLB Act).
Introduction
The Act includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.
The Act gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to "financial institutions," which are defined as businesses that are engaged in certain “financial activities” described in Section 4(k) of the Bank Holding Company Act of 1956 and accompanying regulations. "Financial institutions" include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional "financial institutions" are regulated by the FTC.
Title V of the Act requires financial institutions to provide customers with notice of their privacy policies, and requires financial institutions to safeguard the security and confidentiality of customer information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
Financial institutions are prohibited from disclosing “nonpublic personal information.” A number of statutory exceptions are provided to this disclosure rule, including that financial institutions are permitted to disclose nonpublic personal information to a non-affiliated third party to perform services for or functions on behalf of the financial institution. To the extent that data brokers fall within GLBA’s definition of “financial institution,” they are required to maintain reasonable security for customer information.
Financial Privacy Rule
Protecting the privacy of consumer information held by "financial institutions" is at the heart of the financial privacy provisions of the Act. The Act requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some — but not all — sharing of their information.
Regulations implementing GLBA’s privacy requirements published by the federal banking regulators govern the treatment of nonpublic personal information about consumers by financial institutions, require a financial institution in specified circumstances to provide notice to customers about its privacy policies and practices, describe the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties, and provide a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to exceptions.
The Act applies to "financial institutions" — namely, companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance. The Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities.
Among the institutions that fall under FTC jurisdiction for purposes of the Act are non-bank mortgage lenders, loan brokers, some financial or investment advisers, tax preparers, providers of real estate settlement services, and debt collectors. At the same time, the FTC's regulation applies only to companies that are "significantly engaged" in such financial activities.
The law requires that financial institutions protect information collected about individuals; it does not apply to information collected in business or commercial activities.
Consumers and customers
A company's obligations under the Act depend on whether the company has consumers or customers who obtain its services. A "consumer" is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A "customer" is a consumer with a continuing relationship with a financial institution. Generally, if the relationship between the financial institution and the individual is significant and/or long-term, the individual is a customer of the institution. For example, a person who gets a mortgage from a lender or hires a broker to get a personal loan is considered a customer of the lender or the broker, while a person who uses a check-cashing service is a consumer of that service.
Why is the difference between consumers and customers so important? Because only customers are entitled to receive a financial institution's privacy notice automatically. Consumers are entitled to receive a privacy notice from a financial institution only if the company shares the consumers' information with companies not affiliated with it, with some exceptions. Customers must receive a notice every year for as long as the customer relationship lasts.
The privacy notice must be given to individual customers or consumers by mail or in-person delivery; it may not, say, be posted on a wall. Reasonable ways to deliver a notice may depend on the type of business the institution is in: for example, an online lender may post its notice on its website and require online consumers to acknowledge receipt as a necessary part of a loan application.
The privacy notice must be a clear, conspicuous, and accurate statement of the company's privacy practices; it should include what information the company collects about its consumers and customers, with whom it shares the information, and how it protects or safeguards the information. The notice applies to the "nonpublic personal information" the company gathers and discloses about its consumers and customers; in practice, that may be most, or all, of the information a company has about them. For example, nonpublic personal information could be information that a consumer or customer puts on an application; information about the individual from another source, such as a credit bureau; or information about transactions between the individual and the company, such as an account balance.
Indeed, even the fact that an individual is a consumer or customer of a particular financial institution is nonpublic personal information. But information that the company has reason to believe is lawfully public — such as mortgage loan information in a jurisdiction where that information is publicly recorded — is not restricted by the GLB Act.
Consumers and customers have the right to opt out of (or say no to) having their information shared with certain third parties. The privacy notice must explain how — and offer a reasonable way — they can do that. For example, providing a toll-free telephone number or a detachable form with a pre-printed address is a reasonable way for consumers or customers to opt out; requiring someone to write a letter as the only way to opt out is not.
The privacy notice also must explain that consumers have a right to say no to the sharing of certain information — credit report or application information — with the financial institution's affiliates. An affiliate is an entity that controls another company, is controlled by the company, or is under common control with the company. Consumers have this right under a different law, the Fair Credit Reporting Act of 1970. The Act does not give consumers the right to opt out when the financial institution shares other information with its affiliates.
Consumers and customers have no right to opt out when:
- a financial institution shares information with outside companies that provide essential services like data processing or servicing accounts;
- the disclosure is legally required;
- a financial institution shares customer data with outside service providers that market the financial company's products or services.
Receiving nonpublic personal information
The Act puts some limits on how anyone that receives nonpublic personal information from a financial institution can use or re-disclose the information. Take the case of a lender that discloses customer information to a service provider responsible for mailing account statements, where the consumer has no right to opt out: The service provider may use the information for limited purposes — that is, for mailing account statements. It may not sell the information to other organizations or use it for marketing.
However, it is a different scenario when a company receives nonpublic personal information from a financial institution that provided an opt-out notice — and the consumer did not opt out. In this case, the recipient steps into the shoes of the disclosing financial institution, and may use the information for its own purposes or re-disclose it to a third party, consistent with the financial institution's privacy notice. That is, if the privacy notice of the financial institution allows for disclosure to other unaffiliated financial institutions — like insurance providers — the recipient may re-disclose the information to an unaffiliated insurance provider.
Other important provisions of the GLB Act also impact how a company conducts business. For example, financial institutions are prohibited from disclosing their customers' account numbers to non-affiliated companies when it comes to telemarketing, direct mail marketing or other marketing through e-mail, even if the individuals have not opted out of sharing the information for marketing purposes.
FTC Safeguards Rule
This rule implements GLBA’s requirements for entities under FTC jurisdiction. The Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. These include, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, real estate appraisers, and professional tax preparers. The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.
The rule requires financial institutions to have an information security plan that “contains administrative, technical, and physical safeguards” to “insure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.” Using its authority under the Safeguards Rule, the Commission has brought a number of enforcement actions to address the failure to provide reasonable and appropriate security to protect consumer information.
Information security guidelines
Section 501(b) of GLBA requires the banking agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
Similar to the Safeguards Rule issued by the FTC, Interagency Guidance issued by the federal banking regulators applies to customer information, which is defined as “any record containing nonpublic personal information . . . about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of” a financial institution. The security guidelines direct each financial institution to assess the risks of reasonably foreseeable threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information and customer information systems, the likelihood and potential damage of those threats, and the sufficiency of policies, procedures, customer information systems, and other controls.
Following the assessment of risks, the security guidelines require a financial institution to manage and control the risk through the design of a program to address the identified risks, train staff to implement the program, regularly test the key controls, systems, and procedures of the information security program, and develop and maintain appropriate measures to dispose of customer information. The security guidelines also direct every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Each financial institution is required to monitor, evaluate, and adjust its information security program as necessary.
Finally, each financial institution is required to report to its board at least annually on its information security program, compliance with the security guidelines, and issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations and management’s responses, and recommendations for changes in the information security program.
Response programs for unauthorized access to customer information and customer notice
The security guidelines recommend implementation of a risk-based response program, including customer notification procedures, to address unauthorized access to or use of customer information maintained by a financial institution or its service provider that could result in substantial harm or inconvenience to any customer, and require disclosure of a data security breach if the covered entity concludes that "misuse of its information about a customer has occurred or is reasonably possible." Pursuant to the guidance, substantial harm or inconvenience is most likely to result from improper access to "sensitive customer information."
At a minimum, an institution's response program should contain procedures for:
- assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
- notifying its primary federal regulator when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;
- consistent with the Agency’s Suspicious Activity Report ("SAR") regulations, notifying appropriate law enforcement authorities;
- taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information (e.g., by monitoring, freezing, or closing affected accounts and preserving records and other evidence); and
- notifying customers when warranted.
The security guidelines note that financial institutions have an affirmative duty to protect their customers’ information against unauthorized access or use, and that customer notification of a security breach involving the customer’s information is a key part of that duty. The guidelines prohibit institutions from forgoing or delaying customer notification because of embarrassment or inconvenience.
The guidelines provide that when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. The institution should notify its customers as soon as notification will no longer interfere with the investigation.
If a financial institution can determine which customers' information has been improperly accessed, it may limit notification to those customers whose information it determines has been misused or is reasonably likely to be misused. In situations where the institution determines that a group of files has been accessed improperly, but is unable to identify which specific customers' information has been accessed, and the institution determines that misuse of the information is reasonably possible, it should notify all customers in the group. The guidelines also address what information should be included in the notice sent to the financial institution’s customers.
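As an added illustration (not code from the page or from the guidance itself), the following Python encodes the notification decision described above as a breach-triage helper: it first tests whether the exposed record fields meet the definition of "sensitive customer information" quoted in the notes below, then applies the misuse-likelihood, identified-versus-group, and law-enforcement-delay steps. The field labels, the likelihood categories and the customer identifiers are constructed for this example and are not terms from the guidance.

```python
"""Breach-notification triage modelled on the response-program steps summarised
on this page. Added example: field labels, likelihood categories and customer
identifiers are constructed for illustration, not taken from the guidance."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Components named in the quoted definition of "sensitive customer information".
# The labels themselves (e.g. "ssn") are this example's own naming.
IDENTIFYING = frozenset({"name", "address", "phone"})
SECRET = frozenset({"ssn", "drivers_license", "account_number",
                    "card_number", "pin", "password"})
# Combinations that would by themselves let someone log on to or access the account.
ACCESS_PAIRS = (frozenset({"username", "password"}),
                frozenset({"password", "account_number"}))

LIKELIHOODS = ("occurred", "reasonably_possible", "unlikely")  # constructed labels


def is_sensitive_customer_information(fields: FrozenSet[str]) -> bool:
    """Apply the quoted definition to the set of exposed field labels.

    Sensitive when an identifying element is paired with a secret element,
    or when the fields together would permit access to the account.
    """
    if fields & IDENTIFYING and fields & SECRET:
        return True
    return any(pair <= fields for pair in ACCESS_PAIRS)


@dataclass(frozen=True)
class Incident:
    exposed_fields: FrozenSet[str]
    misuse_likelihood: str                       # one of LIKELIHOODS
    group_customers: FrozenSet[str]              # everyone whose files were in the accessed set
    identified_customers: Optional[FrozenSet[str]] = None  # None: cannot tell which were accessed
    law_enforcement_written_delay: bool = False  # written request to delay customer notice


@dataclass(frozen=True)
class Decision:
    notify_regulator: bool
    customers_to_notify: FrozenSet[str]
    delay_customer_notice: bool
    reason: str


def triage(incident: Incident) -> Decision:
    """Walk the steps described above and return the resulting notification decision."""
    if incident.misuse_likelihood not in LIKELIHOODS:
        raise ValueError(f"unknown misuse likelihood: {incident.misuse_likelihood!r}")

    # Regulator notice is tied to unauthorized access to *sensitive* customer information.
    sensitive = is_sensitive_customer_information(incident.exposed_fields)
    if not sensitive:
        return Decision(False, frozenset(), False,
                        "exposed fields do not meet the sensitive customer information definition")

    # Customer notice follows only if misuse has occurred or is reasonably possible.
    if incident.misuse_likelihood == "unlikely":
        return Decision(True, frozenset(), False,
                        "regulator notified; misuse not reasonably possible, no customer notice")

    # Notify the identified customers when they can be determined, otherwise the whole group.
    if incident.identified_customers is not None:
        customers = incident.identified_customers
        scope = "identified customers"
    else:
        customers = incident.group_customers
        scope = "all customers in the accessed group"

    if incident.law_enforcement_written_delay:
        return Decision(True, customers, True,
                        f"notice to {scope} delayed on written law-enforcement request")
    return Decision(True, customers, False, f"notify {scope} as soon as possible")


if __name__ == "__main__":
    # Constructed sample incident: a file set covering five customers was accessed,
    # the exposed records carried names and card numbers, and two customers were identified.
    sample = Incident(
        exposed_fields=frozenset({"name", "card_number"}),
        misuse_likelihood="reasonably_possible",
        group_customers=frozenset({"c1", "c2", "c3", "c4", "c5"}),
        identified_customers=frozenset({"c1", "c2"}),
    )
    print(triage(sample))
```

The two-part structure mirrors the text: the sensitivity test decides whether the incident is one the guidance addresses at all, and the later steps only narrow or delay the customer notice; a law-enforcement request defers the notice but does not shrink the set of customers who must eventually receive it.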
References
- 12 U.S.C. §1843(k).
- See generally 12 C.F.R. 225.28, 225.86.
- Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information, 16 C.F.R. Part 314.
- For information on enforcement actions the Commission has brought involving the privacy of consumer information under Section 5 of the FTC Act.
- See Board of Governors Federal Reserve System, The Commercial Bank Examination Manual, Supp. 27, 984-1034 (May 2007) (full-text).
- The Office of the Comptroller of the Currency assessed a $180,000 civil penalty by consent against a bank's subsidiary for allegedly failing to dispose of confidential customer information in a secure fashion, in violation of OCC regulations governing the security of customer information. In the Matter of First Horizon Home Loan Corporation (operating subsidiary of First Tennessee Bank N.A., Memphis, Tenn.), Doc. No. 2005-78 (June 30, 2005).
- Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, Part III of Supplement A to Appendix, at 12 C.F.R. Part 30 (OCC), Supplement A to Appendix D-2, at 12 C.F.R. Part 208 (Federal Reserve System), 12 C.F.R. Part 364 (FDIC), and 12 C.F.R. Part 568 (Office of Thrift Supervision), 70 Fed. Reg. 15736-54 (March 29, 2005).
- "Sensitive customer information means a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.” 70 Fed. Reg. 15736-54 (Mar. 29, 2005).
External reading
- Federal Trade Commission, Financial Privacy: The Gramm-Leach Bliley Act (full-text).
- Gramm-Leach-Bliley Act, 15 U.S.C., Subchapter I, §§6801-09, Disclosure of Nonpublic Personal Information (full-text).
- Mike Chapple, Gramm-Leach-Bliley and You, Nov. 18, 2003 (full-text).
- Federal Trade Commission, The Gramm-Leach-Bliley Act: The Financial Privacy Rule (full-text).
- Federal Trade Commission, In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act (full-text).
- Electronic Privacy Information Center, The Gramm-Leach-Bliley Act — “History of the GLBA” (full-text).
- Financial Institution Privacy Protection Act of 2003, 108th Cong., 1st Sess., S. 1458, "To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes," In the Senate of the United States, July 25, 2003 (legislative day, July 21, 2003) (full-text).