Gramm-Leach-Bliley Act

Question 1

Sector

Answer 1

Financial

Question 2

Year passed/amended

Answer 2

1999 (aka the Financial Services Modernization Act); substantial compliance required by 2001. Safeguards rule: 2003

Question 3

Original purpose

Answer 3

Codify privacy and data security to financial institutions’ customers, in the wake of high-profile cases where financial institutions shared customers’ financial data with telemarketing firms (e.g. U.S. Bancorp/Memberworks)

Question 4

Primary requirements

Answer 4

Financial institutions must:

(a) store personal financial information in a secure manner;
(b) provide notice of policies regarding data sharing;
(c) provide consumers with the ability to opt out of some types of data sharing

Question 5

Entities subject to law

Answer 5

“Financial Institutions:” any U.S. company “significantly engaged” in financial activities

Protections only apply to data of “consumers,” and most notice provisions only to “consumer customers”

Question 6

Term for relevant PII or regulated data

Answer 6

“nonpublic personal information”

Question 7

Definition of relevant PII or regulated data

Answer 7

Personally identifiable financial information

(i) provided by a consumer to a financial institution,
(ii) resulting from a transaction or service performed for the customer, or
(iii) otherwise obtained by the financial institution.

Excluded: publicly-availably information, consumer lists derived without using personally identifiable financial information

Question 8

Civil or criminal?

Answer 8

Civil only

Question 9

Enforcing authority - civil

Answer 9

Originally FTC and financial institution regulators.
Post-Dodd-Frank (2010), the CFPB, with carve-outs for SEC and the Commodity Futures Trading Commission.

State AGs have concurrent enforcement authority.

Question 10

Penalties - civil

Answer 10

Banks, etc. are subject to FIRREA: Up to $5,500 per violation, or up to $27,500 if violations are unsafe, unsound or reckless, or up to $1.1 million if knowing.

California SB-1: $2,500 per consumer for negligent noncompliance, up to $500k per occurrence (no cap for willful noncompliance).

Question 11

Preemption?

Answer 11

Stricter state laws are not preempted (note: they are preempted under FCRA/FACTA, so it is important to determine which statute governs)

Question 12

Private right of action?

Answer 12

No, but failure to comply with notice requirements might be a deceptive trade practice

Question 13

FIP individual rights provided

Answer 13

Notice, choice/consent (no access?)

Question 14

Notice requirements

Answer 14

Financial institutions must prepare and provide to customers clear and conspicuous notice of their information-sharing policies and procedures, Must be provided when customer relationship is established and annually thereafter.

Must include:

(a) what information the financial institution collects;
(b) with whom it shares the information;
(c) how it protects or safeguards the information;
(d) how a consumer can opt out, if they can.

Model privacy notice promulgated in 2008.

California SB-1 increases notice requirements (provides specific form).

Question 15

Exceptions to notice requirements

Answer 15

None mentioned.

Question 16

Choice and consent provisions

Answer 16

Customers have the right to opt out of having nonpublic personal information shared with nonaffiliated third parties. FIs must process the request within 30 days (Privacy Rule).

California SB-1: Written opt-in consent required to share with non-affiliated third-party marketers. Opt-out consent required for information sharing with affiliates not in the same line of business.

Question 17

Exceptions for consent

Answer 17

For sharing with nonaffiliated third parties, no opt-out available for:

(a) sharing with affiliates and joint marketing partners; (b) for processing of consumer transactions; or
(c) if the disclosure is legally required.

California SB-1: no consent needed for nonmedical information with wholly owned subsidiaries in the same line of business

Question 18

FIP information control provisions

Answer 18

Information security (no separate information quality)

Question 19

Information security provisions

Answer 19

Safeguards rule: must create an information security program to protect confidentiality, security and integrity of information, proportionate to the complexity, nature and scope of the organization’s activities. Must include:

(a) Administrative security, including program definition, workforce risks, employee training and vendor oversight;
(b) Technical security, including computer systems, networks and applications, access controls, and encryption;
(c) Physical security, including facilities, environmental safeguards, business continuity and disaster recovery

Question 20

FIP information lifecycle features addressed

Answer 20

Disclosure (no collection/disposal, use and retention–law is explicitly about sharing and is primarily a law about notice and opt-out consent)

Question 21

Disclosure provisions

Answer 21

Financial institutions may not disclose an account number or similar access code for a credit card, to non-affiliated third-party marketers

Question 22

Redisclosure provisions

Answer 22

If disclosed under one of the provisions not requiring opt-out consent, redisclosure is only permitted to carry out the purpose for which it was disclosed.

If disclosed for marketing (because consumer did not opt out), may only redisclose consistent with the originating financial institution’s privacy policy (e.g. if it says it might disclose to charitable organizations, redisclosure to charitable organizations is permitted),

Question 23

Right to list of disclosures?

Answer 23

No

Question 24

FIP management principles addressed

Answer 24

Administration, monitoring ad enforcement (i.e. both)

Question 25

Administration provisions

Answer 25

Safeguards rule: administrative protections must include program definition, workforce risks, employee training and vendor oversight. Must designate an employee to coordinate the program.

Question 26

Monitoring and enforcement provisions

Answer 26

Must have audit system to determine risk.
Must have procedures in place to take with service providers to ensure security of information is maintained.
Must regularly monitor and test the program, and adjust it in light of changes to business arrangements or operations, or the results of testing and monitoring safeguards.