GLBA Flashcards

1
Q

Definition

A

The commonly used name for the Financial Services Modernization Act of 1999. The Act reorganized financial services regulation in the U.S. and applies broadly to any company that is “significantly engaged” in financial activities in the U.S.

2
Q

Definition of PI

A

Non-public personal information, defined broadly to include a consumer’s name and address, and consumer’s interactions with banks, insurers and other financial institutions.

Actual statutory definition: personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution.

Excluded are publicly available information and any consumer list that is derived without using personally identifiable financial information.

3
Q

Requirements

A

GLBA requires financial institutions to securely store personal financial information, give notice of their policies regarding the sharing of personal financial information, and give consumers the ability to opt out of some sharing of personal financial information.

4
Q

Requirements (elaborate)

A
  • store personal financial information in a secure manner
  • provide notice of their policies regarding the sharing of personal financial information
  • provide consumers with the choice to opt-out of sharing some personal financial information
5
Q

Scope

A

Applies to “financial institutions”.

U.S. companies that are “significantly engaged” in financial activities.

Entities such as banks, insurance providers, securities firms, payment settlement services, check-cashing services, credit counselors, and mortgage lenders.

The privacy protections apply generally to “consumers” - individuals who obtain financial services from a financial institution to be used primarily for personal, family or household purposes.

Many of the Act’s requirements also concern “customers”, those consumers who have an ongoing relationship with the financial institution.

Financial institutions that do not have customers are not subject to some of the GLBA requirements, in particular those relating to notice.

6
Q

Enforcing authorities

A

Initially it was the FTC and the financial institution regulators.

In 2011, with the passage of the Dodd-Frank Act, the CFPB assumed this rulemaking power, with exceptions for the SEC and CFTC.

As enacted in 1999, federal financial regulators enforced GLBA for the institutions in their jurisdiction (Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and SEC).

For financial institutions outside the jurisdiction of other authorities, the FTC originally had jurisdiction.

Under the Dodd-Frank Act, the CFPB also now has enforcement authority for the Privacy and Safeguards Rules.

At the state level, state attorneys general can enforce GLBA.

7
Q

Preemption

A

Stricter state laws are not preempted.

8
Q

Privacy Rule Requirements

A
  1. Prepare and provide to customers clear and conspicuous notice of the financial institution’s information-sharing policies and practices. These notices shall be provided when a customer relationship is established and annually thereafter.
  2. Clearly provide customers with the right to opt out of having their non-public information shared with nonaffiliated third parties (subject to significant exceptions, including for joint marketing and processing of consumer transactions).
  3. Refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code to a consumer’s credit card, deposit or transaction account.
  4. Comply with regulatory standards established by certain government authorities to protect the security and confidentiality of customer records and information, and to protect against security threats and unauthorized access to, or certain uses of, such records and information.
9
Q

GLBA and Privacy Notices

A

A financial institution should provide annual notices to consumers on 9 categories of information.

Process opt-outs within 30 days.

A privacy notice is a clear, conspicuous and accurate statement about:

  • what information the financial institution collects about its consumers and customers.
  • with whom it shares the information
  • how it protects or safeguards the information
  • an explanation of how a consumer may opt out of having their information shared through a reasonable opt out process
10
Q

Under what circumstances may a GLBA entity share the information?

A

Provided that the notice standard is met, a financial institution may share any information it has with affiliated companies and with joint marketing partners, i.e. other financial institutions with which it markets a financial product.

It may share with nonaffiliated parties if the sharing is disclosed and the consumers have the right to opt out.

Consumer account numbers cannot be shared with nonaffiliated companies for purposes of telemarketing and direct mail marketing, even if the consumer has not opted out.

Financial institutions must ensure that service providers will not use the information outside the intended purpose.

11
Q

Situations where a consumer has no right to opt out.

A
  • a financial institution shares information with outside companies that provide essential services like data processing or servicing accounts
  • the disclosure is legally required
  • a financial institution shares customer data with outside service providers that market the financial company’s products or services
12
Q

The Safeguards Rule

A

GLBA requires financial institutions to maintain security controls to protect the confidentiality and integrity of personal consumer information, including both electronic and paper records.

The final rule was established by the regulatory agencies in 2003.

Requirements:

  • develop and implement a comprehensive “information security program”

An information security program is a program that contains “administrative, technical and physical safeguards” to protect the confidentiality and integrity of the consumer information.

  • the program must be appropriate for the size, complexity, nature and scope of the activities of the institution.
  • the program shall contain certain elements, including a designated employee to coordinate the program, audit systems to determine risk, and certain procedures to take with service providers to ensure that the security of the information is maintained.
13
Q

Three levels of security under the Safeguards Rule

A
  1. Administrative security, which includes program definition, management of workforce risks, employee training, and vendor oversight.
  2. Technical security, which covers computer systems, networks, and applications in addition to access controls and encryption.
  3. Physical security, which includes facilities, environmental safeguards, business continuity and disaster recovery.

The administrative, technical and physical safeguards to be implemented must be reasonably designed to 1) ensure the security and confidentiality of customer information, 2) protect against any anticipated threats or hazards to the security or integrity of the information, and 3) protect against unauthorized access to or use of the information that could result in substantial harm or inconvenience to any customer.

Maintaining the security of this information essentially means protecting the confidentiality and integrity of the information and restricting access to it.

14
Q

Basic elements that shall be included in a security program under the Safeguards Rule

A
  • Designate an employee to coordinate the safeguards
  • Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling those risks.
  • Design and implement a safeguard program and regularly monitor and test it
  • Select appropriate service providers and enter into agreements with them to implement safeguards
  • Evaluate and adjust the program in light of relevant circumstances, including changes in business arrangements or the results of testing and monitoring the safeguards.
15
Q

Notable enforcement cases

A
  • TaxSlayer. The FTC alleged violations related to the company’s privacy policy as well as violations related to appropriately implementing security measures, particularly related to authentication.
  • 2018. PayPal’s Venmo. The FTC alleged that the company misled its customers regarding privacy practices and the level of security for customers’ data.

Result of both: settlements with obligations not to violate the GLBA and to submit to third-party assessments of compliance for 10 years.

16
Q

State Requirements

A

GLBA does not preempt state laws.

California and New York are examples of state regulation.

California Financial Information Privacy Act (CFIPA) AKA SB-1 expands the protections afforded under the GLBA.

CFIPA increases the disclosure requirements of financial institutions and grants consumers increased rights with regard to the sharing of information. Violation of CFIPA in cases of negligent noncompliance can be punished with statutory damages of 2,500 USD per consumer, up to 500,000 USD per occurrence. In cases of wilful noncompliance, there is no 500,000 USD damage cap.

Opt-in and opt-out requirements exist for financial institutions as follows:

  • written opt-in consent is required for a financial institution to share personal information with nonaffiliated third parties.

Opt-in provisions must be presented on a form titled “Important Privacy Choices for Consumers” and be written in simple English. Additionally, CFIPA grants consumers the ability to opt out of information sharing between their financial institutions and affiliates not in the same line of business.

A financial institution does not need to obtain a consumer’s consent in order to share nonmedical information with its wholly owned subsidiaries engaged in the same line of business (insurance, banking or securities) if they are regulated by the same functional regulator.

The CCPA has a special provision intended to ensure against conflicts between the CCPA, GLBA and CFIPA. But the line is not clear.

New York. The New York Department of Financial Services (NYDFS) put in place comprehensive and strict cybersecurity regulations for its vast financial industry.

Although entities covered by GLBA are already subject to these types of requirements, the New York regulations are the first state-level regulations to go so far beyond the requirements of GLBA.

Covered institutions: state-chartered banks, credit unions, investment companies, licensed lenders, mortgage brokers, life insurance companies, private bankers, commercial banks, savings and loan associations.

These regulations are in line with the provisions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

Under the regulations, the covered entities must implement cybersecurity programs with:

  • risk assessments,
  • documentation of security policies,
  • designation of a chief information security officer,
  • limitations on data retention,
  • incident response plan,
  • audit trails.

Federal law and the NY law differ in how broadly they define nonpublic information. The NY regulations have key requirements not included in the GLBA related to personnel, reporting obligations, documentation obligations, and third-party service providers.