2C-4 The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act / GLBA)
GLBA Safeguard Rule
Beyond the notice and consumer choice provisions of the Privacy Rule, the GLBA additionally requires financial institutions to properly secure the confidentiality and integrity of personal consumer information. The rules establishing the appropriate security measures are known as the Safeguard Rules. These rules apply to "customer information," meaning any nonpublic personal information about a customer (as distinct from a consumer who has no ongoing relationship with the institution). The Safeguard Rules mandate that financial institutions adopt an "information security program" that includes "administrative, technical, or physical safeguards" designed to protect how the entity accesses, collects, distributes, processes, protects, stores, uses, transmits, disposes of, or otherwise handles customer information.

A financial institution's information security program should seek to satisfy three objectives: (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer. The program must be in written form and contain safeguards that are appropriate to the size and complexity of the institution, the nature and scope of the institution's activities, and the sensitivity of the customer information.

The Safeguard Rules implement the same basic steps outlined in Module I.D.3 for the development of a privacy program. In developing the program, an assessment must be undertaken to identify potential risks. This initial review must include an assessment of employee training and management, information systems design, and the detection of and response to potential attacks. Once in place, the program must be regularly tested and monitored to evaluate the effectiveness of the safeguards. The program must then be adjusted as appropriate in light of this testing and monitoring, and as needed to address any material change in the business or other potential risk factors.

A designated person must be appointed to coordinate the information security program, including assessing, monitoring, and implementing improvements. Financial institutions must also adequately oversee their service providers to ensure that each is taking reasonable steps to maintain appropriate safeguards, and must have a contractual agreement in place requiring the service provider to adopt reasonable safeguards. In the spring of 2019, the FTC issued a proposed rulemaking that may result in amendments to both the GLBA Privacy and Safeguard Rules.
Enforcement and Rulemaking Under the GLBA
Enforcement authority over the GLBA's Privacy and Safeguard Rules rests with whichever regulator has jurisdiction over the financial institution, including the Federal Reserve, the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Securities and Exchange Commission, and state-level insurance authorities. The FTC has jurisdiction under the FTC Act to enforce the GLBA against any financial institution not subject to the jurisdiction of these other federal agencies. The CFPB has general enforcement authority as well. The fines for failure to comply with the GLBA range from $5,500 for a simple violation, to $27,500 for a violation found to be unsafe, unsound, or reckless, to $1.1 million for a knowing violation of the GLBA. The GLBA does not preempt stricter state laws. It should be noted, however, that because some state laws are preempted under the FCRA, and because the FCRA and GLBA overlap to some extent, certain state laws that could be considered equivalent to the GLBA may be subject to a preemption challenge under the FCRA. There is no private cause of action under the GLBA, but some state laws provide for a private cause of action under their state-level equivalents.
ii. Disclosure Restrictions and Consumer Choice (GLBA Privacy Rule)
In addition to the notice requirements, the GLBA prohibits the disclosure of nonpublic personal information to non-affiliated third parties unless the financial institution provides consumers an opportunity to opt out of this disclosure before the information is initially shared. Financial institutions must adopt "reasonable means" by which consumers can exercise their opt-out rights, which may include providing a checkbox on relevant forms, including a reply form in any mailed communications, providing an electronic form of opt-out via email, or providing a toll-free phone number for consumers to call. A consumer's opt-out must be implemented within a "reasonable" timeframe. Although this is not a hard-and-fast rule set forth in the regulations, the FTC has indicated that 30 days is a reasonable timeframe. The GLBA does not require that consumers be provided the opportunity to opt out before a financial institution shares information with an affiliate. Financial institutions, however, must be aware that they are very often subject to both the Fair Credit Reporting Act ("FCRA") and the GLBA. Thus, while the GLBA does not prohibit sharing of information with affiliates, the FCRA may separately limit the ability of a financial institution to share information in this way.
Key Points
- Rulemaking authority was originally placed in the FTC and financial regulators, but this was mostly transferred to the CFPB after Dodd-Frank
- Scope of GLBA:
  - Applies to "financial institutions," which is broadly defined to include any company "significantly engaged" in financial activities
  - Applies to "nonpublic personal information" (publicly available information is therefore excluded)
  - Applies to "consumers" that obtain financial products or services and "customers" that have an ongoing relationship with a financial institution
- Financial institutions may not disclose nonpublic personal information unless they provide annual written notice of their privacy policies
- If disclosure is made to a non-affiliated third party, the consumer must be provided the opportunity to opt out; "reasonable means" to exercise this right must be provided
  - There is no obligation to provide an opt-out opportunity when sharing information with an affiliate
- Federal agencies have created a model disclosure form, and financial institutions that use this model form receive safe harbor protection
- Safeguard Rule requires financial institutions to implement an information security program that includes "administrative, technical, or physical safeguards" to protect "customer information" (does not apply to all "consumer" nonpublic personal information)
  - Safeguards must be appropriate to the size and complexity of the institution
  - Security program must be regularly monitored and updated as needed
- Financial institutions must oversee service providers to ensure that they have employed adequate security
- Enforced by bank regulators, the FTC, and the CFPB
- Does not preempt state laws, and there is no private cause of action
iv. Safe Harbor (GLBA Privacy Rule)
Rules have been adopted to better define these provisions and to provide appropriate examples of what is considered adequate compliance. Originally, the FTC and financial regulators had rulemaking authority. But as noted above, with the passage of Dodd-Frank, rulemaking authority was transferred to the CFPB with respect to those entities subject to its jurisdiction (discussed in the next Module), with some limited exceptions for the SEC and CFTC. As dictated by the GLBA, and in accordance with this rulemaking authority, federal agencies promulgated a model form for the disclosure requirements. Although financial institutions are not required to use this model form, those that do receive safe harbor protection and are treated as having satisfied their disclosure obligations.
Gramm-Leach-Bliley Act ("GLBA")
The legislation commonly known as the Gramm-Leach-Bliley Act ("GLBA") is officially named the Financial Services Modernization Act of 1999. The GLBA resulted from the consolidation of financial institutions in the late 1990s, which prompted concerns about how financial institutions would share data internally among the large financial holding companies that were being created. In particular, a lawsuit filed by the Minnesota Attorney General accusing U.S. Bancorp of sharing financial account information with the telemarketing firm MemberWorks raised widespread public awareness of this concern just as Congress was considering the GLBA. In response, two rules emerged out of this legislation, the GLBA Privacy Rule and the GLBA Safeguard Rule, each of which derives from Title V of the GLBA. The GLBA sought to place "an affirmative and continuing obligation" on financial institutions "to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information." Rulemaking authority meant to effectuate this goal was placed in the Federal Trade Commission ("FTC") and a handful of federal agencies that govern financial institutions. After the adoption of the Dodd-Frank Wall Street Reform and Consumer Protection Act ("Dodd-Frank"), much of this rulemaking authority was transferred to the newly created Consumer Financial Protection Bureau ("CFPB").
v. Exceptions to the Privacy Rule (GLBA Privacy Rule)
There are a number of statutory and rule-based exceptions to the prohibitions contained in the Privacy Rule. Exceptions are made for service providers of the financial institution and for joint marketing purposes. Other important exceptions exist where disclosure of nonpublic personal information is made with consumer consent or where necessary to effect, administer, or enforce a transaction. Likewise, disclosure of nonpublic personal information is permitted where necessary to comply with the law or where the disclosure is made in order to better protect data.
iii. Additional Restrictions (GLBA Privacy Rule)
There are several other restrictions on the disclosure of nonpublic personal information under the GLBA's Privacy Rule. For example, any non-affiliated third party that received information under the terms of a financial institution's privacy policy, and in compliance with the GLBA, is prohibited from reusing this information by providing it to another non-affiliated third party. The GLBA also provides a blanket prohibition on the disclosure of account numbers or access codes to any non-affiliated third party for marketing purposes, except for disclosure to consumer reporting agencies. These restrictions apply regardless of whether a consumer has opted out of the sharing of his or her nonpublic personal information with third parties.
Scope of the GLBA
Under the GLBA, financial institutions are required to provide notice of their privacy and data-sharing policies, permit consumers the opportunity to opt out of the sharing of certain personal information, and store personal financial information with adequate security measures in place. A "financial institution," the type of entity regulated under the GLBA, is any company that is "significantly engaged" in financial activities. A litany of businesses fall under this broad definition, including mortgage lenders, insurance providers, check-cashing services, banks, and credit counselors, to name a few. Additionally, the GLBA also regulates affiliates of financial institutions, meaning entities that control, are controlled by, or are under common control with a financial institution.

The type of information protected under the GLBA is "nonpublic personal information," defined as any personally identifiable information that is (1) provided by a consumer to a financial institution; (2) obtained as a result of a transaction with, or a service provided to, a consumer; or (3) otherwise obtained by a financial institution. Information obtained by a financial institution that is publicly available is not subject to the GLBA. Likewise, any compilation or list in which this publicly available information is contained falls outside the definition of "nonpublic personal information," so long as the compilation or list was not created using other "nonpublic personal information." Similar to the definition of "financial institution," the definition of "nonpublic personal information" is extremely broad and encompasses much more than just financial information; it can even include the fact of the very existence of a relationship between a consumer and the financial institution.

There are two types of persons whose privacy rights are affected by the GLBA: consumers and customers. "Consumers" are individuals that obtain financial products or services from a financial institution that are used primarily for personal, family, or household purposes. "Customers," on the other hand, are "consumers" that have an ongoing relationship with a financial institution. Financial institutions that have no "consumer customers" are exempt from certain requirements under the GLBA.
i. Notice Requirements (GLBA Privacy Rule)
Under the specific terms of the statute, the GLBA prohibits a financial institution or any of its affiliates from disclosing nonpublic personal information unless it provides a notice of its privacy policies. This notice must, at a minimum, describe in a "clear and conspicuous" manner the policies related to disclosures of data made to affiliates and non-affiliated third parties, practices related to the disclosure of data once a person ceases being a customer, and the safeguards implemented to protect consumers' nonpublic personal information. These disclosures must also identify the categories of persons to whom disclosure is made and the categories of nonpublic personal information that are collected by the financial institution. The required notice under the GLBA must be provided at the time of establishing a customer relationship and at least once annually thereafter during the course of the customer relationship. If a financial institution wishes to disclose information in a manner different from that described in the previously sent notice, a new notice must be sent before information can be disclosed in accordance with the updated privacy notice. Notice under the GLBA's Privacy Rule must be in writing, unless the consumer agrees to receive the notice electronically.