FTC Gramm-Leach-Bliley Act Regulations
Overview
|
|
|||||
|
|
|||||
|
|
|||||
|
|
|||||
|
|
|||||
|
|
|||||
|
|
|||||
|
|
|||||
|
|
|||||
 |
|||||
 |
|||||
|
|||||
Regulation of Disclosure of Financial Information.
The Gramm- Leach Bliley Act ("GLBA") imposes three general privacy obligations: (1) providing a notice of a financial institution's non-public personal information handling practices; (2) providing individuals with the right to opt-out before information can be shared with non- affiliated third parties for a non-exempted purpose; and (3) instituting data security and integrity mechanisms to protect non-public personal information. The GLBA directed the FTC and other federal agencies with jurisdiction over "financial institutions" to develop rules to implement these requirements. The FTC announced its final trade regulation rule implementing the GLBA in May 2000 (the "GLBA Rule"), which went into effect on July 1, 2001.
a. Who and what are covered by the GLBA Rule?
The GLBA Rule regulates financial institutions, which generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers' non-public personal financial information. The FTC's GLBA Rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.
The GLBA Rule protects "non-public personal information," which the FTC has broadly defined to include all information a financial institution obtains from consumers in connection with providing a financial product or service that is not publicly available.
b. What is required under the GLBA Rule?
i. Notice
Regardless of whether financial institutions are engaged in information sharing, the GLBA Rule requires financial institutions to provide an understandable notice of their privacy practices, including their basic handling of "non-public personal information," to their customers (defined as those who purchase a financial product or service from or through a financial institution, which is to be used primarily for personal, family, or household purposes) when the customer relationship is established, and at a minimum on an annual basis thereafter. A privacy notice must also be provided to all consumers (defined as all customers and non-customers who have submitted personal information to a financial institution relating to a financial product or service), if the financial institution is going to share that information with a non-affiliated third party for a non-exempted purpose.
Although the GLBA Rule does not require financial institutions to have a particular type of privacy policy, they must provide the following information in their privacy notices in a clear and conspicuous manner:
-
The categories of non-public personal information that the financial institution collects (including the nature of the data and the means by which it is collected, if the collection means are not obvious);
-
The categories of non-public personal information that may be disclosed;
-
The categories of affiliates and non-affiliated third parties to whom such disclosures may be made, other than those to whom information is disclosed under an exception;
-
The financial institution's policies and practices with respect to sharing non-public information about former customers;
-
The categories of non-public personal information disclosed pursuant to agreements with third party service providers and joint marketers, and the categories of third parties providing the services;
-
The individual's right to opt-out of the disclosure of non-public personal information to non-affiliated third parties;
-
Any disclosures regarding affiliate information sharing that the financial institution is providing under the FCRA; and
-
The financial institution's policies and practices with respect to protecting the confidentiality, integrity and quality of the non-public personal information it collects.
ii. Opt-Out
Financial institutions may freely share consumers' non-public personal information with affiliates or with non-affiliate third parties for an exempted purpose. (It should be noted, however, that to the extent that "financial institutions" under GLBA also meet the definition of "consumer reporting agencies" under the Fair Credit Reporting Act, they would be required to offer consumers an opt-out of the sharing of certain information with affiliates.)
Before disclosing non-public personal information about any consumer to a non-affiliated third party for a non-exempted purpose, the financial institution must notify the consumer and give the consumer the ability to opt-out of this disclosure. It is important to note that the GLBA Rule prohibits non-affiliated third parties from re-disclosing non-public personal information obtained from financial institutions, unless they are otherwise permitted by law to do so, or unless the financial institution would, itself, be permitted to do so.
iii. Exceptions For Joint Marketers And Service Providers
The GLBA Rule provides that financial institutions need not comply with the opt-out requirements when they provide nonpublic personal information to certain third-party service providers and joint marketers, if they provide these third parties with an initial privacy notice and enter into a contractual agreement with them that prohibits them from disclosing or using the information other than for the purposes specified in the contract.
In addition, financial institutions do not need to comply with the notice and opt-out requirements for service providers and joint marketers to whom they disclose non-public personal information (1) in order to service or process transactions or accounts at consumers' requests; and (2) who are necessary to effect, administer or enforce such transactions. There are other cases in which financial institutions will not have to comply with the notice and opt-out requirements for service providers and joint marketers with whom they share nonpublic personal information, including if: (1) they have the consent of the consumer; (2) they are doing so in order to protect the confidentiality or security of their records; (3) they are doing so to protect against fraud; (4) they are doing so in connection with a sale, merger, or transfer of all or a portion of their business; (5) they are doing so to resolve consume r disputes or inquiries; and (6) they are doing so as required by law.
iv. FTC's Proposed Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information Pursuant to GLBA:
Any financial institution that collects or maintains non-public personal information must institute measures for protecting the security and integrity of that information. The banking regulatory agencies have issued security guidelines pursuant to GLBA. The FTC is likely to issue similar guidelines for "financial institutions" under its jurisdiction.
The GLBA requires the FTC and other federal agencies to create standards regarding the administrative, technical, and physical security measures for customer information. Specifically, the GLBA instructs the FTC and these other agencies to create security standards that:
-
Insure the security and confidentiality of customer records and information;
-
Protect against any anticipated threats or hazards to the security or integrity of such records; and
-
Protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
On July 30, 2001, the Federal Trade Commission ("FTC") announced its proposed Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information ("Proposed Security Standards"). The FTC's Proposed Security Standards apply not only to all "financial institutions," which the FTC has interpreted extremely broadly, but also to financial institutions' affiliates that handle or maintain the customer information, and would require "financial institutions" to establish a comprehensive, written information security program.Comments on the FTC's proposal are due by October 8, 2001.
Specifically, under the FTC's proposal, financial institutions would be required to:
-
Designate an employee or employees to coordinate their safeguards programs;
-
Assess internal and external risks to the security and integrity of customer information in each relevant area of their operations, including employee training and management; information systems (including processing, storage, transmission and disposal); and prevention and response measures for attacks, intrusions and other failures;
-
Design and implement an information security program to control these risks;
-
Require service providers, by contract, to implement appropriate safeguards for the customer information at issue; and
-
Adapt their programs in light of material changes to their businesses.
The detailed FTC proposal lies in stark contrast to a similar rule issued by the SEC under GLBA. The SEC's financial privacy safeguards rule, Regulation S-P, does not mandate exact procedures to ensure security of consumers' personal information, but rather allows companies subject to the SEC's jurisdiction under GLBA to adopt their own procedures, provided that they are reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer, as required under GLBA.
The FTC sought comments on its Proposed Security Standards from businesses, professional associations, consumers, and others. Comments were due by October 9, 2001. The requests for comment likely to generate the most responses are printed below:
-
Whether compliance with alternative standards should constitute compliance with the FTC's Proposed Security Standards - - that is, whether the FTC should allow compliance with the SEC's security rule or with another federal agency's guidelines to constitute compliance with the FTC's Proposed Security Standards;
-
What are the benefits and burdens of the FTC's proposal to require affiliates of financial institutions to safeguard customer information, including any compliance burdens imposed on entities already covered by the safeguards standards of other Agencies?;
-
Whether any additional guidance is needed on what safeguards are appropriate for affiliates;
-
What are the benefits and burdens of establishing a written information security program and are there any other issues or concerns raised by this requirement? Is the burden disproportionate for smaller entities, and if so, how can any burden be lessened while still ensuring that each financial institution develops an effective program?
-
What are the specific costs to a small financial institution associated with establishing an information security program, including the costs incurred to: (1) designate an employee(s) to coordinate safeguards; (2) regularly test or monitor the effectiveness of the safeguards' procedures; (3) develop a comprehensive written information security program; and (4) ensure that affiliates with which the entities share information maintain adequate safeguards?
3. Cases
a. FTC v. Ira Smolev, et al.: Alleged Unauthorized Disclosure Of Consumers' Credit Card Numbers By Telemarketers To Their Affiliates
In October 2001, the FTC announced that Triad Discount Buying Services Inc., its affiliated companies and their operator, Ira Smolev, had settled charges brought by the FTC and state Attorneys General that they had misled consumers into purchasing trial buying club memberships and obtained consumers' credit card information from telemarketers without consumers' knowledge or consent. As part of the settlement, the defendants are prohibited from obtaining consumers' billing information from third parties or disseminating this information without permission.
b. Sears, Roebuck and Co.: Alleged Unauthorized Sale of Customers' Credit Card Data To Third Party
Two Sears credit card holders have filed suit against Sears in Cook County Circuit Court, alleging that the company sold their credit card data in violation of its privacy policy. Sears maintains that it sold the information to direct marketing firm Memberworks, Inc., and that the sale was not a violation of its privacy policy because Memberworks is a licensee of Sears and therefore a "member of the Sears family of business." The plaintiffs are seeking class action status.
c. New Millennium Concept, Inc.: Alleged Collection, Use, and Disclosure of Credit Card Information Obtained Through Misrepresentations
In November 2001, the FTC announced that New Millennium Concepts, Inc., d/b/a/ rhinoPoint, and their principal Karl V. Kay had settled charges that the company violated section 5 of the FTC Act by collecting, using, and disclosing personal information, including credit card information, obtained through misrepresentations. In its complaint the FTC alleged that New Millennium promised that consumers who signed up as members of rhinopoint.com, paid an initial set up fee, and disclosed personal information by completing a member form would received monthly marketing surveys and be reimbursed for monthly Internet access charges. The FTC maintained that New Millennium did not provide the surveys or reimburse the charges as promised. As a part of the settlement, New Millennium agreed not to collect, use, or disclose personal information obtained through misrepresentations and within 30 days to delete or destroy the information it has already collected.
d. Minnesota v. Fleet Mortgage Corp. : Alleged Unauthorized Disclosure of Consumers' Names, Contact Information, and Mortgage Information to Telemarketing Firms
The Minnesota Attorney General recently filed a suit against Fleet Mortgage Corp., cha rging that the company violated its privacy policy by disclosing names, contact information, and mortgage information to telemarketing firms, thereby exceeding its promise to only provide the minimum amount of information necessary for a company to offer its product or service to Fleet customers. These telemarketing firms then used the pre-acquired account information to telemarket free trial offers to Fleet customers, and informed these customers that a monthly fee would be added to their mortgage accounts if they did not affirmatively cancel the offer during the trial period. The case is currently in litigation in the district court of Minnesota.
• A notice need not be given to individuals or companies that obtain products or services for business, commercial, or agricultural purposes.
• If the financial institution does not intend to share the personal information of these individuals (who are not customers because there is no established customer relationship) with a non-affiliated third party for a non-exempted purpose, then no privacy notice must be provided.
Related Reading
For those of you wishing to research this topic in more depth, we provide the following public record documents for your use.
The Fair Credit Reporting Act
The Fair Credit Reporting Act ("FCRA") governs the use of consumer
reports.
History of the Fair Credit Reporting Act
A brief chronology of the Fair Credit Reporting Act ("FCRA")
as it has evolved over the years.
Monitoring Unauthorized Access to Credit Report
It is equally important to keep an eye on who is accessing your
information and ensuring that you have authorized that access.
For more information on credit related products and services,
choose from the following:
Reports | Monitoring | Scores | 3-in-1 | Debt Help
|
