“It is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” - 15 U.S.C.A. § 6801.
The Gramm-Leach-Bliley Act (the “GLBA”), also known as the Financial Services Modernization Act of 1999, effectively repealed the Banking Act of 1933 and amended the Bank Holding Company Act of 1956. The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic personally identifiable information. The GLBA also prohibits individuals and companies from obtaining consumer information using false representations.
The GLBA separates individual privacy protection into three principal categories: (1) the Financial Privacy Rule; (2) the Safeguards Rule; and (3) the Pretexting Provisions. The Financial Privacy Rule and the Safeguards Rule apply to “financial institutions,” which include banks, securities firms, insurance companies and other companies providing financial products and services to consumers. The Pretexting Provisions apply to individuals and companies who obtain or attempt to obtain personal financial information under false pretenses.
The GLBA charged the Federal Trade Commission and other government agencies that regulate financial institutions with the duty to enforce, carry out, and implement the GLBA. However, the GLBA does not provide for a private cause of action against those financial institutions that violate the GLBA.
In January 2007, TJX Companies, Inc. (“TJX”) announced that its computer network for T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores and A.J. Wright had been breached and that customer information such as drivers’ license numbers, checking account numbers and credit and debit card information had been compromised. Shortly thereafter, a civil class action lawsuit was filed by AmeriFirst Bank in the United States District Court for the District of Massachusetts against TJX Companies, Inc. for Negligence, Breach of Contract and Negligence Per Se. Interestingly, the Plaintiffs based their claim of negligence per se upon TJX’s violation of the GLBA. Specifically, the lawsuit alleges that TJX failed to comply with 15 U.S.C.A. §§ 6801(a)-(b) and 6809. The lawsuit further alleges, under the negligence per se cause of action, that Fifth Third Bank, a co-Defendant in the lawsuit, failed to comply with the GLBA requirements by “not providing for adequate safeguards in its handling of nonpublic personal information.”
As noted above, the GLBA does not afford a private cause of action. However, AmeriFirst Bank’s lawsuit will likely test the extent to which the GLBA can be used as the basis of a negligence per se cause of action. If AmeriFirst Bank’s negligence per se theory survives judicial scrutiny, other similar cases based on data breaches may follow.