GLBA

• Promulgated a Privacy Rule and Safeguards Rule. Sets the privacy framework for modern banking. Financial institutions must protect consumers’ nonpublic personal info

• Stricter state laws are not preempted

• No private right to action, however, failure to comply with certain notice requirements may be considered a deceptive trade practice which some states give private right to action for.

• Under GLBA’s privacy provisions, financial institutions are required to:

• Store personal financial info in a secure manner

• Provide notice of their policies regarding the sharing of personal financial info

• Provide consumers with the choice to opt out of sharing some personal financial info

• Regulates financial institution management of “nonpublic personal information” defined as “personally identifiable financial information”:

• Provided by the consumer to a financial institution

• Resulting from a transaction or service performed for the consumer or

• Otherwise obtained by the financial institution

• Name of a financial institution’s customer is considered non-public personal info and must be protected under GLBA

Enforcement:

• Federal financial regulators for institutions in their jurisdiction (Federal Reserve, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, and Securities and Exchange Commissions).

• Financial institutions not in the jurisdiction of the other agencies (FTC and now also CFPB).

• At the state level, state AGs can enforce.

Violations:

• Subject to penalties under the Financial Institution Reform, Recovery, and Enforcement Act (FIRREA).

• FIRREA penalties range from up to $5,500 for violation of laws to a max of $27,500 if violations are unsafe, unsound, or reckless. $1mil for knowing violations.

Privacy Rule Components: Financial institutions must:

• Prepare and provide to customers clear and conspicuous notice of F.I’s info sharing policies

• Clearly provided customers the right to opt out of having their nonpublic personal info shared with nonaffiliated third parties (subject to exceptions such as joint marketing and transaction processing)

• Refrain from disclosing to any nonaffiliated third-party marketer an account number or similar form of access code to a consumer’s credit card, deposit or transaction account

• Comply with regulations to protect the security and confidentiality of customer records and info. Protect against security threats and unauthorized access.

• Privacy notices: must process opt outs within 30 days. Notice must contain:

• What info the F.I collects

• With whom it shares the info o

• How it protects/safeguards the info o

• Explanation of opt out policy

• GLBA prohibits F.Is from disclosing info to nonaffiliated parties. F.I must ensure that service providers will not use provided consumer data for anything other than the intended purpose.

Consumer cannot opt out if:

• F.I shares info with outside company that provides crucial services like data processing

• Disclosure is legally required

• F.I shares customer data with outside service providers that market the financial company’s products or services

The GLBA Safeguards Rule

• Requires F.I to maintain security controls to protect the confidentiality and integrity of personal consumer info, including both electronic and paper records.

• F.I must develop an info sec program that addresses “administrative, technical, and physical safeguards.”

• Each F.I must:

▪ Designate an employee to coordinate safeguards

▪ Identify and assess risks to customer info

▪ Design and implement a safeguard program and regularly monitor and test

▪ Select appropriate service providers and enter into agreements with them

▪ Evaluate and adjust the program in light of relevant circumstances

• Permits disclosure for an investigation on a matter related to public safety (National Security Act)