“I’ll send an S.O.S. to the world… I’ll send an S.O.S. to the world… I hope that someone gets my… I hope that someone gets my… Message in a bottle…” – The Police.
The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information; it also prohibits individuals and companies from obtaining consumer information through false representations. However, critics often argue that the GLBA requirements are not specific enough and are open to interpretation.
Question: How do financial institutions know when they are complying with the GLBA’s Privacy Rule?
Answer: The Safe Harbor Rule… for now.
The Safe Harbor Rule.
The Privacy Rule does not require any specific format or uniform wording in an institution’s privacy notice. Instead, the GLBA allows an institution to draft its own privacy notice as long as it is clear and conspicuous and furnishes the required information. However, Congress recognized that this broad discretion might cause confusion. Therefore, Congress attached an appendix to the Privacy Rule that provides model language called “Sample Clauses.” With some industry-specific exceptions, if a financial institution incorporates the Sample Clauses within its privacy notice, the financial institution has complied with the GLBA requirements as a matter of law.
Despite Congress’ efforts to ensure that privacy notices were clear and conspicuous, consumers and customers still complained about the notices. “Reaction to the first privacy notices delivered in July 2001 was highly negative… the notices received by millions were filled with legalese and confusing messages. Many consumers simply tossed the privacy notices, seeing them as just another bit of junk mail stuffed in with account statements.”
On October 13, 2006, Congress passed the Financial Services Regulatory Relief Act of 2006 (the “Relief Act”). The Relief Act charged eight federal agencies (the “Agencies”) to jointly develop a uniform model privacy notice, which would address concerns expressed by financial institutions and reduce consumer confusion. Specifically, the Relief Act instructed the new model form to:
- Be comprehensible to consumers, with a clear format and design;
- Provide for clear and conspicuous disclosures;
- Enable consumers to easily identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and
- Be succinct, and use an easily readable format.
On March 29, 2007, the Agencies submitted the Interagency Proposal for Model Privacy Form Under the Gramm-Leach-Bliley Act (the “Interagency Report”). The Interagency Report proposed several model forms that are straightforward and easier to understand than most privacy notices used by institutions today. The Interagency Report, if adopted, would eliminate the existing Sample Clauses and replace them with the proposed new model form. A financial institution could still elect to use the Sample Clauses, but would no longer receive safe-harbor protection. In order to provide a transition period for institutions to adopt the proposed new model forms, the Interagency Report recommended a one-year phase-in period once the final rule becomes effective.
Notice of Data Breach.
The FTC acknowledges that “perfect security” is not attainable and that security breaches and data breaches may occur even when every reasonable precaution is taken. The GLBA does not specifically require institutions to notify their customers of a security breach or data breach. However, the Safeguards Rule does charge institutions with an “affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” In 2005, the FTC and other federal banking regulatory agencies adopted the Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice (the “Guidance”). The Guidance outlines a financial institution’s notice responsibilities when a network holding its customers’ nonpublic personal information is breached, and highlights customer notice as a key feature of an institution’s response program.
Once a financial institution discovers that its network was breached and sensitive customer information has been or will be misused, the institution is first required to notify its primary Federal regulator. Second, the institution is required to notify appropriate law enforcement authorities, including filing a Suspicious Activity Report (“SAR”) when Federal criminal violations are involved. Next, if the institution determines that misuse of customer information has occurred or is likely, the institution is required to notify its affected customers as soon as possible. However, an institution may delay customer notice if law enforcement determines that such notification would interfere with a criminal investigation. The customer notice must be clear and conspicuous and should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it. The customer notification shall include:
- A description of the incident in general terms and the type of customer information that was subject to the unauthorized access or use;
- A description of what the institution has done to protect the customer’s information from further unauthorized access;
- A telephone number customers may call for further information and assistance;
- A reminder that customers need to be vigilant over the next 12 to 24 months and to promptly report incidents of suspected identity theft to the institution.
The FTC Guidance report encourages, but does not require, institutions to include in their customer notice:
- A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;
- A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;
- A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
- An explanation of how the customer may obtain a credit report free of charge;
- Information about the availability of the FTC online guidance regarding steps a consumer can take to protect against identity theft.
The Guidance also encourages institutions to notify the nationwide consumer credit reporting agencies before sending notices to their customers. In addition to the FTC Guidance report, many states, such as California, have passed their own breach notification laws. Institutions must be aware of each state’s requirements and comply accordingly.