Gramm-Leach-Bliley Act
Children's Online Privacy Protection Act
- Verifiable parental consent is required before collecting personal information from a child under the age of 13 - Applies to sites and apps
Resellers Must
- Verify the identity and purpose of the user - Disclose to the original CRA each end user and their permissible purpose - Know exactly who you are doing business with.
What is a Financial Institution according to the GLBA?
Any company that is in the business of engaging in certain financial activities identified under federal law, including: extending credit, taking deposits, and providing insurance.
Most Common Financial Institutions
Banks, Credit Unions, Securities Brokers and Insurance Companies
Consumers
Broad Term
Reuse and Redisclosure
Can receive information to protect against fraud, but can't (expand on this)
COPPA
Children's Online Privacy Protection Act
What is the CFPB?
Consumer Financial Protection Bureau
GLBA applies to these "significantly engaged" non-bank institutions:
Consumer reporting agencies, resellers, debt collectors, mortgage brokers and others that provide financial services, but only if they are significantly engaged in financial activities.
CRA
Credit Reporting Agency
DPPA covers
DMVs may not disclose data
DPPA
Driver's Privacy Protection Act
Which Federal regulator is responsible for information security regulation?
FTC - Federal Trade Commission - Info Security
The Safeguards Rule
The FTC issued the Safeguards Rule to implement the GLBA information security requirements.
GLBA
Gramm-Leach-Bliley Act
HIPAA
Health Insurance Portability and Accountability Act
GLBA Exceptions
If the disclosure is necessary to: - effect, administer or enforce a transaction the consumer requests; - in connection with servicing or processing a financial product or service that the consumer requests; - maintain or service the consumer's account; - with the consent or at the direction of the consumer; - protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability; - to or from a consumer reporting agency in accordance with the requirements of the Fair Credit Reporting Act.
NPI
Non-public Personal Information
Purposes of the GLBA
Respect the privacy of customers and protect the security and confidentiality of information about those customers.
Primary Focus of the GLBA
The GLBA's purpose was to remove legal barriers preventing financial institutions from providing banking, investment and insurance services together.
Information Security Program
Ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of customer information; protect against unauthorized access to, or use of, such information that could result in harm or inconvenience.
How did GLBA change the financial industry landscape?
Led to consolidation of different types of financial institutions into single holding companies.
Credentialing
The process of making sure that reports provided are used for permissible purposes only. The CRA will conduct an investigation of customers and prospective customers: - site visit - regular audits of customers' account usage.
Customer
A specific type of consumer who has an existing customer relationship with a financial institution. Ex: an individual who currently has an automobile installment loan provided by a bank.
How are GLBA rules implemented?
Different federal agencies write and implement the rules for different sectors.
What are the two types of Financial Institutions?
1. Providers of financial products and services to consumers (B2C); 2. Providers of financial products and services to other companies (B2B)
PIFI
Personally Identifiable Financial Information
PHI
Protected Health Information
CFIPA
California Financial Information Privacy Act
FCRA
Fair Credit Reporting Act
What is the FTC?
Federal Trade Commission
Which Federal Regulator is responsible for the privacy regulation?
CFPB - Consumer Financial Protection Bureau - Privacy
What types of info are NPI?
1. Any information that a consumer provides to a financial institution to obtain a financial product or service; 2. Any information about a consumer resulting from a transaction involving a financial product or service between the institution and the consumer (for example, a credit balance); 3. Any information a financial institution obtains about a consumer in connection with providing a financial product or service to that consumer (like a credit card application); 4. Any list, description or grouping of consumers derived using these types of information.
Data Security Laws & Rules
Intended to protect against unintended disclosure of PII (Personally Identifiable Information).
Information Security Program must...
- Designate an employee to coordinate the program - Identify internal and external risks to customer information and assess the sufficiency of the safeguards in place to control these risks
Non-traditional financial institutions?
Consumer Reporting Agencies & Debt Collectors
GLBA Rights and Duties
1. Right to opt out 2. Initial and annual privacy notices 3. Limits on disclosure to nonaffiliated third parties; limits on redisclosure and reuse 4. Safeguarding customer information
Annual Notices
Types of NPI that the FI collects and discloses; types of affiliated and non-affiliated third parties to whom the FI discloses NPI; explanation of how to opt out of disclosure of NPI to non-affiliated third parties; description of how information is provided to third parties.