“It is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.”- 15 U.S.C.A. § 6801.
In 2006 an estimated 9 million American adults were the victims of identity theft at a total cost of $56.6 billion. There are a number of legislative efforts designed to protect the privacy, security, and confidentiality of customer data. One such law, the Gramm-Leach-Bliley Act (the “GLBA”), also known as the Financial Services Modernization Act of 1999, effectively repealed the Banking Act of 1933 and amended the Bank Holding Company Act of 1956.
The GLBA requires financial institutions to protect themselves against unauthorized access, anticipate security risks, and safeguard a consumer’s nonpublic information; it also prohibits individuals and companies from obtaining consumer information using false representations. The GLBA charged the Federal Trade Commission (the “FTC”), and other government agencies that regulate financial institutions, with the duty to enforce, carry out, and implement the GLBA.
The GLBA separates individual privacy protection into three principal categories: (1) the Financial Privacy Rule; (2) the Safeguards Rule; and (3) Pretexting Provisions. The Financial Privacy Rule and the Safeguards Rule apply to “financial institutions,” which include banks, securities firms, insurance companies and other companies providing financial products and services to consumers. The Pretexting Provisions apply to individuals and companies, who obtain or attempt to obtain personal financial information under false pretenses.
The Financial Privacy Rule.
The Financial Privacy Rule (the “Privacy Rule”) applies to financial institutions that collect and receive nonpublic personal information from consumers, and requires them to disclose and provide a written notice of its policies and procedures to its customers, stating how the customer’s nonpublic personal information is protected and shared. The privacy notice must also provide consumers with a reasonable opportunity to “opt-out” of any information sharing, if required by statute.
The term “financial institution” is defined as any business that is significantly engaged in activities that are financial in nature, as well as companies that receive information that is “incidental” or “complementary” to such financial activity. Financial activities include, but are not limited to lending, exchanging, transferring, investing for others, safeguarding money or securities, providing financial, investment, or economic advice, underwriting, dealing in or making a market in securities, non-bank mortgage lending, real estate settlement services, credit counseling, check-cashing services and individual tax return services.
Notice Requirements: Clear and Conspicuous.
Disclosure Obligations: Consumer v. Customer.
The type and frequency of the notice is dependent on whether the information belongs to a “consumer” or a “customer.” The primary distinction between a consumer and a customer depends upon the relationship that exists between the individual and the financial institution.
A “consumer” is an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes. Typically, however, a consumer has a limited, “one time” connection with the financial institution. For example, a consumer may be an individual who uses an automatic teller machine to withdraw cash from an account he or she may have at another financial institution, or the consumer obtains a loan from a company that does not retain the rights to service the loan.
A financial institution is only required to send a privacy notice when it shares or intends to share the consumer’s nonpublic personal information with a nonaffiliated third party. Therefore, if a financial institution does not share or intend to share the consumer’s information with a nonaffiliated third party, no privacy notice is required.
A “customer” is a consumer who has a “continuing relationship” with the financial institution. It is the nature of the relationship, not how long it lasts, that defines a customer. For example, a customer may have a deposit or investment account with a bank, obtain a loan, purchase an insurance product or hold an investment account through a brokerage or investment company. If the consumer relationship is a principal one, then the consumer is also a customer.
Financial institutions are required to provide customers with a privacy notice as soon as the customer relationship is established, whether or not the institution plans to share the customer’s nonpublic personal information. Additionally, the institution is required to provide its customer with a privacy notice annually for as long as the customer relationship exists. For purposes of the Privacy Rule, a former customer is considered a consumer.
The privacy notice must accurately reflect the institution’s information collection and sharing practices. The privacy notice must contain the following:
- The categories of nonpublic personal information the institution collects;
- The categories of nonpublic personal information the institution discloses;
- The categories of affiliates and nonaffiliated third parties to whom the institution discloses nonpublic personal information (with certain statutory exceptions);
- The categories of nonpublic personal information the institution discloses about its former customers and the categories of affiliates and nonaffiliated third parties in which the institution shares its former customer information (with certain statutory exceptions);
- If an institution shares nonpublic personal information to a nonaffiliated third party, the institution is required to provide a separate statement of the categories of information institutions disclose and the categories of third parties with whom the institution contracted;
- An explanation of the customer’s rights to opt-out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;
- Any disclosures an institution makes pursuant to the Fair Credit Reporting Act; and
- An institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
In other words, a financial institution must provide written notice of its privacy policies and practices, describe the conditions under which the institution may disclose the consumer’s nonpublic personal information to nonaffiliated companies, and provide a method for consumers to opt-out of such information sharing, if required by law. The GLBA defines nonpublic personal information as “personally identifiable financial information provided by a consumer to a financial institution resulting from any transaction with the consumer or any service performed for the consumer or otherwise by the financial institution.” (e.g. first and last name, home address, email address, telephone number, Social Security number, credit card account number, and a customer number held in a “cookie” that identifies an individual consumer).
The Opt-Out Notice and its Exceptions: What is Required in an Opt-Out Notice?
If a financial institution intends to share nonpublic personal information with a nonaffiliated third party, the institution must provide its consumers with an opportunity to “opt-out” and instruct the institution not to share his or her nonpublic personal information in most instances. This opt-out notice is required to be delivered to the consumer within a reasonable time and must be included or incorporated within the privacy notice itself. Just like the privacy notice, the opt-out notice must be clear and conspicuous and state that: (1) the institution reserves the right to disclose the consumer’s nonpublic personal information to a nonaffiliated third party; (2) that the consumer has the right to opt-out; and (3) provide a reasonable means by which the consumer may opt-out. For example, an institution may provide the consumer with a toll-free telephone number or a detachable form which includes a check-off box and mailing information. However, the FTC determined that requiring a consumer to write a letter as the sole means to opt-out fails to meet the reasonable means standard.
The Exceptions to the Opt-Out Notice: Service Providers and Joint Marketing.
Financial institutions often contract with outside service providers to perform certain ordinary business functions such as data processing or servicing accounts. The opt-out requirements do not apply when financial institutions share information with service providers who perform such services or ordinary business functions on the institution’s behalf as long as: (1) the institution provides an initial notice to the consumer; and (2) the institution enters into a contractual agreement with the service provider that prohibits it from disclosing or using the information, other than to carry out the function for which it was hired. These service provider contracts should specify the appropriate use of consumer nonpublic personal information, the requirements for safeguarding such personal information, and expressly prohibit any unauthorized and unlawful use of personal information. This exception also applies to third parties who perform joint marketing services, such as the marketing of an institution’s own products and services or financial products offered by one or more affiliated financial institutions. Again, there must be a contractual agreement with the financial institution that carries out any joint marketing expressly prohibiting the disclosure of information, other than what is necessary in the ordinary course of business.
A second exception to the opt-out notice requirements allows the sharing of nonpublic personal information that is necessary for a financial institution to “effect, administer, or enforce” a transaction that a customer requests or authorizes. These customer-authorized transactions include: (1) servicing or processing a financial product or service that a consumer requests or authorizes; (2) maintaining or servicing the consumer’s account, including servicing another entity such as a private label credit card program; or (3) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to the consumer. For example, the GLBA allows a financial institution to proceed with a consumer’s loan application without having to provide the consumer with an opt-out notice. The premise of this exception is that the consumer authorizes disclosure of personal information, which is necessary in order to obtain the loan(s) they requested.
Other Exceptions to Notice and Opt-Out Requirements.
Finally, Section 313.15 provides a laundry list of exceptions which allows a financial institution to disclose a consumer’s nonpublic personal information. These exceptions include:
- When the customer consents to his or her information being shared.
- To protect the confidentiality or security of the consumer’s records and to protect against or prevent actual or potential fraud.
- To resolve customer disputes or inquiries.
- To a consumer’s legally appointed representative, such as a power of attorney, or persons acting in a fiduciary capacity on the behalf of the consumer.
- To provide information to insurance rate advisory organizations, guaranty funds, or agencies that rate the institution, persons assessing an institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors.
- To the extent permitted or required by law and in accordance with the Right to Financial Privacy Act.
- To a consumer reporting agency in accordance with the Fair Credit Reporting Act.
- To comply with all Federal, State or local laws, including court orders.