The third law in our series is the Gramm-Leach Bliley Act, often abbreviated as "GLBA" or pronounced "GLIBBA" (not a fan of that one).
Statute | Gramm-Leach Bliley Act ("GLBA") or Title V of the Financial Services Modernization Act of 1999 |
Reference | 15. U.S.C. §§6801-6809; §§6821-6827 |
Year Passed | 1999 |
Covered Entity | Financial institutions and their affiliates |
Regulated Activity | Collection and use of Nonpublic Personal Information; Security requirements; Prohibition of pretexting |
Private Right of Action | None |
Enforcement Agency | Consumer Financial Protection Bureau, Federal Trade Commission and other federal agencies; States' attorneys general in some cases |
Preemption | No |
Remedies | Penalties can range from $5500 to $1.1 M |
A. Background. In the late 90's the government had concerns about financial institutions merging for a variety of reasons. One was the lack of control around personally identifiable information in customer accounts. The Gramm-Leach-Bliley Act repealed the Glass-Steagall Act and requires U.S. financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to provide clear notice of their information sharing practices and to provide safeguards for that information.
The law established three rules or prohibitions:
i. The Financial Privacy Rule. The Financial Privacy Rule ("Privacy Rule") requires financial institutions to provide each consumer with a privacy notice at the time the customer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where and with whom that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties pursuant to the provisions of the Fair Credit Reporting Act. Changes to the notice must be posted and customers must have the opportunity to opt-out again.
ii. The Safeguards Rule. The Safeguards Rule requires institutions to develop a written information security plan that describes their program to protect customer information. Plans can and should be scaled to the company's size, complexity and the sensitivity of the information it collects.
iii. The Pretexting Prohibition. Pretexting is the practice of collecting personal information under false pretenses. Pretexters pose as authority figures and develop stories with the intent to elicit information from unsuspecting customers. GLBA prohibits the use of false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution or through other fraudulent means.
B. Who is covered? GLBA regulates U.S. "financial institutions" and their "affiliates" that are “significantly engaged” in providing financial products or services to consumers. Financial institutions can include, but are not necessarily limited to:
An "affiliate" of a financial institution is an entity that controls another company, is controlled by the company, or is under common control with the financial institution. A "nonaffiliated third party" is any person except a financial institution’s affiliate or a person employed jointly by a financial institution and a company that is not the institution’s affiliate.
C. What personally identifiable information is covered? GLBA terms protected information as "nonpublic personal information" or "NPI." NPI is "personally identifiable financial information: (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution." NPI does not include publicly available information and any consumer list that is not created using personally identifiable financial information.
D. What you can and can't do. Financial institutions can share NPI with affiliated and non-affiliated third parties, provided such sharing takes place securely and in accordance with the institutions' privacy notice and the choices of its customers and consumers.
i. Notice. A financial institution needs to provide sufficient notice to its customers and to consumers as to what information it collects and how it is shared. A consumer is an individual who obtains or has obtained a financial product or service from a financial institution for personal, family or household reasons. A customer is a consumer with a continuing relationship with a financial institution. Whether an individual is a customer or a consumer impacts a financial institution's obligations in providing notice. Generally, a consumer that is not a customer is entitled to an initial privacy notice and opt-out notice before the sharing of NPI. A customer is entitled to an initial notice and also receiving that notice annually.
Such notice shall be conspicuous and easy to understand. The notice must provide clear guidance on any opt-out rights customers have and provide a user-friendly way to do that. The privacy notice also must explain that consumers have a right to opt-out of any sharing of credit report or application information with the financial institution's affiliates. Consumers have this right under a different law, the Fair Credit Reporting Act. At a minimum, in any privacy notice, a financial institution must disclose:
ii. Opt-Out. GLBA does not require opt-out right in several situations, including but not limited to:
Of those data sharing practices that are eligible, institutions must provide customers the ability to opt-out of such sharing. Customers should be able to opt-out via a toll free number or an opt-out card they can return via mail. Making a customer write their own letter is not considered a reasonable opt-out mechanism.
iii. Security. The Safeguards Rule requires that financial institutions develop and implement a comprehensive information security program, which is defined as a program that contains "administrative, technical and physical safeguards" to protect the confidentiality, security and integrity of customer information.
The expectation is that any such program be commercial reasonably and scalable to the size and complexity of the organization. Therefore, the law does not explicitly detail every element of such a program other than requiring the following:
E. What happens if you don't comply. Enforcement of GLBA can come from a number of sources, depending on the jurisdiction or regulatory sector in which a financial institution sits. Generally, violators can be penalized in many ways, including:
Additionally, as GLBA does not preempt state laws that are more stringent, state-level enforcement actions can result in even greater statutory damages based on things such as the number of consumers impacted.
F. Risks and Recommendations
Relatively speaking, GLBA has less substance to it when it comes to privacy and security guidelines than other laws, such as HIPAA. Such paucity has led to a great deal of criticism for little to no enforceable actions to hold businesses accountable. Indeed, many critics say the law has no teeth when it comes to privacy and security. With this in mind, businesses might fail to give GLBA compliance the required due diligence. The following are three critical areas that tend to get businesses in trouble.
1. Notice and Opt-Out. GLBA has drawn loads of criticism for not being so much a privacy law, as it is a law designed to enable the sharing of information by bigger and bigger entities, with limited consumer opt-out rights. In short, the burden is on the consumer to speak up and tell financial institutions to not share their information, and even then, in only certain situations. This said, the obligations to provide clear and conspicuous notice to consumers is a focus for regulators. So, take time to draft a simple and conspicuous privacy notice and make it easy for consumers to opt-out of any information sharing they can. Consider use of the model short notice, provided in the Financial Services Regulatory Relief Act of 2006. Such a notice has been deemed to satisfy the disclosure requirement of the Privacy Rule.
2. Take Time to Take Security Seriously. With less specificity and detail, GLBA gives you some room to assess the risks to your NPI and to likewise scale any security solutions in line with the size of your business and complexity of your operations. This "vagueness" is another criticism of the law for some. Indeed, the law does not provide a checklist for all the elements needed to satisfy the Security Rule. However, such a lack of specificity does not relieve you of your obligations, but rather it does two things. One, it provides you the flexibility to implement security that is in line with your business, budget and resources. Two, it burdens you with the expectation that you will be thoughtful and diligent in developing the security that is necessary and specific to the risks associated with your financial institution or affiliates. Indeed, this is a best practice with all data governance as there is no "one size fits all" compliance program. What this means is you need to take the time and properly assess the way your organization uses NPI and implement the needed administrative, technical and physical safeguards to fulfill the Rule's mandate of maintaining the confidentiality, accessibility and integrity of that NPI. And, probably most importantly, you must never stop assessing and keeping up with your program. Indeed, that is one thing that IS spelled out.
3. No pretexts. Ensure it is posted policy that any financial institution representative will properly identify themselves to all customers or consumers, as well as the purpose for such contact. Further, identify for customers and consumers the only approved means by which they may be contacted and asked to give personal information (telephone, secure e-mail, etc.). This is not only good for compliance with GLBA, but reinforces basic security protections against social engineering and is just plain good business.