Gramm-Leach-Bliley Act

Introduction
Title V of the Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to provide customers with notice of their privacy policies, and requires financial institutions to safeguard the security and confidentiality of customer information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Financial institutions are defined as businesses that are engaged in certain “financial activities” described in Section 4(k) of the Bank Holding Company Act of 1956 and accompanying regulations. Such activities include traditional banking, lending, and insurance functions, along with other financial activities.

Financial institutions are prohibited from disclosing “nonpublic personal information” to non-affiliated third parties without providing customers with a notice of privacy practices and an opportunity to opt-out of the disclosure.

A number of statutory exceptions are provided to this disclosure rule, including that financial institutions are permitted to disclose nonpublic personal information to a non-affiliated third party to perform services for or functions on behalf of the financial institution. To the extent that data brokers fall within GLBA’s definition of “financial institution,” they are required to maintain reasonable security for customer information.

GLBA Privacy Rule
Regulations implementing GLBA’s privacy requirements published by the federal banking regulators govern the treatment of nonpublic personal information about consumers by financial institutions, require a financial institution in specified circumstances to provide notice to customers about its privacy policies and practices, describe the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties, and provide a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to exceptions.

FTC Safeguards Rule
This rule implements GLBA’s requirements for entities under FTC jurisdiction. The Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. These include, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, real estate appraisers, and professional tax preparers. The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions.

The rule requires financial institutions to have an information security plan that “contains administrative, technical, and physical safeguards” to “insure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.” Using its authority under the Safeguards Rule, the Commission has brought a number of enforcement actions to address the failure to provide reasonable and appropriate security to protect consumer information.

Information Security Standards
Section 501(b) of GLBA requires the banking agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information, protect against any anticipated threats or hazards to the security or integrity of such information, and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Similar to the Safeguards Rule issued by the FTC, Interagency Guidance issued by the federal banking regulators applies to customer information, which is defined as “any record containing nonpublic personal information . . . about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of” a financial institution. The security guidelines direct each financial institution to assess the risks of reasonably foreseeable threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information and customer information systems, the likelihood and potential damage of threats, and the sufficiency of policies, procedures, customer information systems, and other controls.

Following the assessment of risks, the security guidelines require a financial institution to manage and control the risk through the design of a program to address the identified risks, train staff to implement the program, regularly test the key controls, systems, and procedures of the information security program, and develop and maintain appropriate measures to dispose of customer information. The security guidelines also direct every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Each financial institution is required to monitor, evaluate, and adjust its information security program as necessary.

Finally, each financial institution is required to report to its board at least annually on its information security program, compliance with the security guidelines, and issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security breaches or violations and management’s responses, and recommendations for changes in the information security program. The Office of the Comptroller of the Currency assessed a $180,000 civil penalty by consent against a bank’s subsidiary for allegedly failing to dispose of confidential customer information in a secure fashion, in violation of OCC regulations governing the security of customer information. In the Matter of First Horizon Home Loan Corporation (operating subsidiary of First Tennessee Bank N.A., Memphis, Tenn.), Doc. No. 2005-78 (June 30, 2005).

Response Programs for Unauthorized Access to Customer Information and Customer Notice
The security guidelines recommend implementation of a risk-based response program, including customer notification procedures, to address unauthorized access to or use of customer information maintained by a financial institution or its service provider that could result in substantial harm or inconvenience to any customer, and require disclosure of a data security breach if the covered entity concludes that “misuse of its information about a customer has occurred or is reasonably possible.” Pursuant to the guidance, substantial harm or inconvenience is most likely to result from improper access to “sensitive customer information.”

At a minimum, an institution’s response program should contain procedures for: assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused; notifying its primary federal regulator when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information; consistent with the Agency’s Suspicious Activity Report (“SAR”) regulations, notifying appropriate law enforcement authorities; taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information (e.g., by monitoring, freezing, or closing affected accounts and preserving records and other evidence); and notifying customers when warranted.

The security guidelines note that financial institutions have an affirmative duty to protect their customers’ information against unauthorized access or use, and that customer notification of a security breach involving the customer’s information is a key part of that duty. The guidelines prohibit institutions from forgoing or delaying customer notification because of embarrassment or inconvenience.

The guidelines provide that when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. The institution should notify its customers as soon as notification will no longer interfere with the investigation.

If a financial institution can determine which customers’ information has been improperly accessed, it may limit notification to those customers whose information it determines has been misused or is reasonably likely to be misused. In situations where the institution determines that a group of files has been accessed improperly, but is unable to identify which specific customers’ information has been accessed, and the institution determines that misuse of the information is reasonably possible, it should notify all customers in the group. The guidelines also address what information should be included in the notice sent to the financial institution’s customers.