Gramm-Leach-Bliley Act Flashcards
Sector
Financial
Year passed/amended
1999 (aka the Financial Services Modernization Act); substantial compliance required by 2001. Safeguards rule: 2003
Original purpose
Codify privacy and data security protections for financial institutions’ customers, in the wake of high-profile cases where financial institutions shared customers’ financial data with telemarketing firms (e.g. U.S. Bancorp/Memberworks)
Primary requirements
Financial institutions must:
(a) store personal financial information in a secure manner;
(b) provide notice of policies regarding data sharing;
(c) provide consumers with the ability to opt out of some types of data sharing
Entities subject to law
“Financial Institutions”: any U.S. company “significantly engaged” in financial activities
Protections only apply to data of “consumers,” and most notice provisions only to “consumer customers”
Term for relevant PII or regulated data
“nonpublic personal information”
Definition of relevant PII or regulated data
Personally identifiable financial information
(i) provided by a consumer to a financial institution,
(ii) resulting from a transaction or service performed for the customer, or
(iii) otherwise obtained by the financial institution.
Excluded: publicly available information, and consumer lists derived without using personally identifiable financial information
Civil or criminal?
Civil only
Enforcing authority - civil
Originally FTC and financial institution regulators.
Post-Dodd-Frank (2010), the CFPB, with carve-outs for the SEC and the Commodity Futures Trading Commission.
State AGs have concurrent enforcement authority.
Penalties - civil
Banks, etc. are subject to FIRREA: up to $5,500 per violation, or up to $27,500 if violations are unsafe, unsound or reckless, or up to $1.1 million if knowing.
California SB-1: $2,500 per consumer for negligent noncompliance, up to $500k per occurrence (no cap for willful noncompliance).
Preemption?
Stricter state laws are not preempted (note: they are preempted under FCRA/FACTA, so it is important to determine which statute governs)
Private right of action?
No, but failure to comply with notice requirements might be a deceptive trade practice
FIP individual rights provided
Notice, choice/consent (no access?)
Notice requirements
Financial institutions must prepare and provide to customers clear and conspicuous notice of their information-sharing policies and procedures. Notice must be provided when the customer relationship is established and annually thereafter.
Must include:
(a) what information the financial institution collects;
(b) with whom it shares the information;
(c) how it protects or safeguards the information;
(d) how a consumer can opt out, if they can.
Model privacy notice promulgated in 2008.
California SB-1 increases notice requirements (provides specific form).
Exceptions to notice requirements
None mentioned.
Choice and consent provisions
Customers have the right to opt out of having nonpublic personal information shared with nonaffiliated third parties. FIs must process the request within 30 days (Privacy Rule).
California SB-1: Written opt-in consent required to share with non-affiliated third-party marketers. Opt-out consent required for information sharing with affiliates not in the same line of business.
Exceptions for consent
For sharing with nonaffiliated third parties, no opt-out available for:
(a) sharing with affiliates and joint marketing partners;
(b) processing of consumer transactions; or
(c) disclosures that are legally required.
California SB-1: no consent needed for nonmedical information with wholly owned subsidiaries in the same line of business
FIP information control provisions
Information security (no separate information quality)
Information security provisions
Safeguards rule: must create an information security program to protect confidentiality, security and integrity of information, proportionate to the complexity, nature and scope of the organization’s activities. Must include:
(a) Administrative security, including program definition, workforce risks, employee training and vendor oversight;
(b) Technical security, including computer systems, networks and applications, access controls, and encryption;
(c) Physical security, including facilities, environmental safeguards, business continuity and disaster recovery
FIP information lifecycle features addressed
Disclosure only (no collection, disposal, use or retention provisions; the law is explicitly about sharing and is primarily a law about notice and opt-out consent)
Disclosure provisions
Financial institutions may not disclose an account number or similar access code for a credit card to non-affiliated third-party marketers
Redisclosure provisions
If disclosed under one of the provisions not requiring opt-out consent, redisclosure is only permitted to carry out the purpose for which it was disclosed.
If disclosed for marketing (because the consumer did not opt out), the recipient may only redisclose consistent with the originating financial institution’s privacy policy (e.g. if that policy says it might disclose to charitable organizations, redisclosure to charitable organizations is permitted).
Right to list of disclosures?
No
FIP management principles addressed
Administration, monitoring and enforcement (i.e. both)