Napa Lawyer explains Financial Privacy

Financial Privacy

Federal Financial Privacy Rights, Gramm-Leach-Bliley

In 1999, the Gramm-Leach-Bliley Financial Modernization Act, 15 U.S.C. § 6801, et seq. (GLB), was signed into law. The Act had three major components. The Act: 1) governed the collection and use of non-public personally identifiable financial information [the Privacy Rule]; 2) required financial institutions (including brokers and other lenders) and those who receive information from them to safeguard that information in storage and disposal [the Safeguards Rule]; and 3) it prohibited obtaining that information under false pretenses [Pretexting]. Eight federal agencies were charged with enforcement of the rule, including the Federal Trade Commission, which has jurisdiction over financial institutions not otherwise regulated by the federal government. The Act does not protect entities. It protects individual financial information, which often includes all information received, including the fact of the customer relationship. GLB does not apply to information collected in business or commercial activities, or information which is publicly available in directories or publicly recorded documents such as trust deeds or UCC financing statements.

	The Collection and Use of Financial Information: The GLB Act requires financial institutions to develop a privacy policy, explaining how they use the personal financial information they collect. Besides banking type entities, the GLB definition of financial institutions includes non-banking companies that are significantly engaged in a wide array of "financial activities" such as: lending; brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts; and various other activities.
	Customers and Consumers: Different treatment is required for customers, who are seen to have a significant or a longer term relationship with the financial institution, and consumers, whose involvement is seen as limited to one or more single or less significant transactions. Where a lender provides a loan or a broker attempts to find a loan for a borrower, the borrower would be considered a customer. The privacy policy must be provided to all customers, by the giving of a privacy notice. Consumers are generally only entitled to receive the privacy notice if the financial institution actually shares the consumer's financial information with a "nonaffiliated third party," and a short form notice may be sent with the opt out notice.
	Use of Web Site: Where the customer agrees to receive the privacy notice through the financial institution's web site, posting the privacy notice on the web site will satisfy the notice requirement. Many lenders require the borrower to agree to receive the privacy notice on the web site as a part of the consent required in the online loan application.
	Annual Notices-Policy Change Notices: Annual notices must be provided to continuing customers, as well as notice of changes in the privacy policy. Former customers need only receive notice if a change in the privacy policy will result in sharing of their financial information in a manner different from the company's former privacy policy.
	Opt Out Notices: If the financial institution's privacy policy includes sharing personal financial information with "nonaffiliated third parties" for marketing purposes, the consumer must be given a reasonable way to "opt out." If the consumer notifies the financial institution that the consumer wishes to "opt out," the financial institution is prohibited from sharing the consumer's personal financial information with "nonaffiliated third parties" for marketing purposes. GLB defines a "nonaffiliated third party" as one that does not control, is not controlled by, and is not under common control with the financial institution, and one that is not employed jointly by the financial institution and another non-affiliated company. The consumer may not prevent the financial institution from sharing most kinds of personal financial information with an affiliated company under the GLB. Account numbers are an exception to the rule, and generally may not be shared with any other company, with a few narrow exceptions. However, the Fair Credit Reporting Act does prevent the sharing of information obtained from a consumer's credit report, or from a borrower's loan application, with affiliates unless the consumer is informed of the affiliate sharing and given a chance to opt out. If the financial institution shares this information with its affiliates, that fact and the opt out notice must be included with the GLB privacy notice.
	Exceptions to Opt Out Rights: Some uses of personal financial information are not subject to the "opt out" rules. The financial institution may provide nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution's own products or services, or financial products or services offered pursuant to qualified joint agreements between two or more financial institutions, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information. The consumer cannot opt out of this disclosure.
	Pretexting, obtaining customer information under false pretenses: The GLB Act, in 15 U.S.C. §§ 6821 et seq., prohibits obtaining customer information under false pretenses. The Federal Trade Commission is charged with enforcement of this portion of the statute, as well as the federal banking regulators, for financial institutions under their supervision. Beginning with Operation Detect Pretext in 2001, the FTC has engaged in educational programs and law enforcement efforts to combat these practices. One form of pretexting is the practice known as "phishing," where email spam is sent out with logos and graphics giving the appearance of a communication from a financial institution. The emails typically urge consumers to supply financial information, supposedly to correct some fictitious situation which will otherwise adversely affect the consumer's account. The FTC has investigated a wide range of other violations. One of the more recent is the sale of consumer telephone records. The statute calls for imprisonment for up to five years, and fines up to $250,000 for individuals, depending on the circumstances and the severity of the offense. Organizations can be fined up to $500,000. In some cases of multiple offenses, these penalties may be doubled.
	Section 6821 also prohibits information seekers from requesting financial information from a person, knowing that the person will obtain the information from a financial institution under false pretenses. This issue recently received substantial media attention when certain Hewlett Packard Board Members requested that private investigators obtain the telephone records of persons suspected of leaking information about HP to the press. The Board Members were charged with hiring the investigators with knowledge that they intended to obtain telephone records under false pretenses. Creditors need to be careful when seeking information for collection purposes, that their employees do not hire investigators who make it known that they will obtain the information under false pretenses. Also, when purchasing financial information which cannot be legally obtained, such as consumer account numbers (see above), courts may imply purchaser knowledge that the information will be illegally obtained. An FTC web site sting operation, advertising availability of such information, could net other sellers as well as purchasers seeking such information.
	The Safeguards Rule: The GLB Act (15 U.S.C. § 6801(b) and related regulations) requires financial institutions, and those who receive information from financial institutions, to adopt "administrative, technical, and physical safeguards-- (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."
	FTC Rule: To comply with the Safeguards Rule, 12 CFR § 314.4 requires financial institutions under FTC authority, such as lenders and brokers, to: "(a) Designate an employee or employees to coordinate your information security program; (b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including: (1) Employee training and management; (2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and (3) Detecting, preventing and responding to attacks, intrusions, or other systems failures; (c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures; (d) Oversee service providers, by: (1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and (2) Requiring your service providers by contract to implement and maintain such safeguards; and (e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program."

California Financial Privacy Rights, the FIPA (SB 1)

California enacted the Financial Information Privacy Act, known as SB 1, effective July 1, 2004. SB 1 is more restrictive than the GLB Act. Where the GLB Act allows disclosure of personally identifiable financial information to nonaffiliated third parties, if the financial institution discloses its intent to share the information in its privacy notice, and gives the consumer a reasonable opportunity to opt out, California's version requires the financial institution to obtain a signed written permission from the consumer to release the information to nonaffiliated third parties. (Financial Code § 4053(a).)

SB 1 also imposed additional conditions on the ability of financial institutions to disclose nonpublic financial information to their affiliates. (Financial Code § 4053(b).) However, the Ninth Circuit Court of Appeals, in Am. Bankers Ass'n v. Gould, 412 F.3d 1081 (9^th Cir 2005), struck down those provisions. The court ruled that § 4053(b) was preempted by the provisions of the Fair Credit Reporting Act (FCRA) that allow sharing with affiliates, if the sharing is disclosed in the financial institution's privacy notice, and the consumer is given a chance to opt out. The court limited its ruling to the type of information normally disclosed in a credit report, and remanded the case for the district court to determine if the preemption could be limited to that type of information. The district court found that it could not rewrite Section 4053(b). Therefore, it issued an injunction preventing the enforcement of the affiliate sharing provisions of SB 1, as to all information. As a result, affiliate sharing in California is controlled by the FCRA. Information may be shared with affiliates if the practice is disclosed to the consumer in the financial institutions privacy notice, and the consumer is provided with a reasonable method to opt out.

California also has a number of other privacy related statutes, including: the Information Practices Privacy Act (Civil Code §§ 1798.1, et seq.) governing collection and disclosure of information about individuals by California state and local agencies; Civil Code §§ 1798.60 et seq., restricting the sale or renting of individual's names and addresses by an agency unless specifically authorized by law; Civil Code §§ 1798.80 et seq., calling for businesses to provide for the security of customer records, in storage and destruction, and for businesses to obtain contractual guaranties of the security of customer records to those the records are disclosed to; to disclose any breach of the security of and unencrypted computerized personal information; to disclose upon request by the consumer, and that the business disclose, upon qualifying request, information to the consumer regarding third parties that the business released the consumer information to. The business is also required to disclose how the consumer can request this information and to place this information on its web site under the heading "Your privacy rights" which will describe the privacy policy of the business.

Identity Theft: California Civil Code Sections 1785.10, et seq., impose various obligations on credit reporting agencies and users of consumer credit reports, aimed at reducing identity theft. For example, Section 1785.20.3 imposes requirements on users of consumer credit reports, where the name, address and social security number on the credit report do not match the information stated on the credit application, to confirm that the application is not based upon identity theft. In addition, these sections limit the use of social security numbers and California Driver's License numbers. Numerous other statutes which affect the duties of credit reporting agencies related to dentity theft are discussed in the Article on Credit Reporting.

Mr. Imfeld creates privacy policies, and reviews existing privacy policies, for his clients. In addition, Mr. Imfeld reviews security policies and contracts, to evaluate compliance with the GLB provisions requiring vendors to contract to maintain the confidentiality of personal financial information. If you have questions about GLB compliance, GLB related litigation, or if you wish to have privacy policies or contracts reviewed, please contact the firm or submit the Information Request Form below.

[ Home ] [ Up ]