What is the ‘GLBA’?

Lydia F de la Torre
May 12, 2019 · 24 min read
The original Victoria Grey and Trust Company Office, now the Riverside Parking lot Belleville, Ontario — Community Archives

The Gramm-Leach-Bliley Act of 1999 (GLBA) is a US federal law that includes rules that protect the privacy and security of personally identifiable financial information relating to individuals. It repealed the Glass-Steagall Act (which was part of the U.S. Banking Act of 1933), which limited commercial banks’ ability to engage in investment banking and insurance underwriting and to affiliate or merge with investment banks, insurance companies, and securities firms. The GLBA was updated in 2015 and significant changes were introduced.

In essence, GLBA requires financial institutions to follow certain privacy and security standards:

  • Privacy standards: The GLBA requires financial institutions to notify consumers of their information sharing practices and provides for a right to opt-out of certain sharing. See, 15 U.S.C. Sec. 6801(a)
  • Security standards: The GLBA requires financial institutions to have in place a security program to (i) ensure the security and confidentiality of customer records and information; (ii) protect customer records against any anticipated threats or hazards to their security or integrity; and (iii) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. See, 15 U.S.C. Sec. 6801(b)

The GLBA authorized various federal agencies (for example, the Consumer Financial Protection Bureau (CFPB); the Securities and Exchange Commission (SEC); the Commodity Futures Trading Commission (CFTC), and the Federal Trade Commission (FTC)) to promulgate implementing regulations to ensure appropriate privacy and security standards for the financial institutions they regulate. The GLBA privacy and security regulations issued by the various agencies vary in some respects.

Effective date: The GLBA became effective in 1999 and full compliance is required.

Relationship to other laws:

Important note on citations

  • Privacy Regulations: A financial institution subject to the GLBA must comply with the specific information privacy regulations issued by the agency which has jurisdiction over the institution (See, Resources Legal Citations). The GLBA privacy regulations issued by the various agencies vary in some respects. The references to regulations and corresponding citations in this article are to the rules issued by the CFPB unless specifically stated to the contrary.
  • Security Regulations: A financial institution subject to the GLBA must comply with the specific information security regulations issued by the agency which has jurisdiction over the institution. The GLBA security regulations issued by the various agencies may vary in some respects. The references to the security requirements and citations below are to the requirements issued by the Federal Trade Commission (FTC) under its GLBA authority (16 CFR § 314.1 et seq).

Who is regulated by GLBA (Territorial Scope)?

The GLBA does not specifically address its territorial scope but it states that it applies to ‘financial institutions’. It also imposes limited obligations on certain third parties that receive ‘nonpublic personal information’ (NPI) from regulated FIs (see Obligations below).

Because the GLBA privacy rule regulates the sharing of ‘consumer’ or ‘customer’ data (see Material Scope below), ‘financial institutions’ that provide services only to other businesses are not covered by the GLBA privacy rule.

Financial institutions (FIs)

The GLBA applies to “financial institutions” (FIs). A FI is a business that is ‘significantly engaged’ in ‘financial activities’ as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).

See 15 U.S.C. § 6809(3); 16 C.F.R. §313(k)(1)

Note on private entities receiving NPI from FIs: If an organization that is not a FI receives nonpublic personal information (NPI) from a FI covered by GLBA, it must take steps to ensure it does not re-disclose that information improperly (See Obligations below).

What is regulated by GLBA (Material Scope)?

Material scope of the Privacy Rule

The GLBA privacy rule restricts the sharing of ‘nonpublic personal information’ (NPI) about a natural person who is a ‘consumer’ or a ‘customer’.

(1) Sharing: The core focus of the privacy requirements of the GLBA is limiting the sharing of NPI. As a general rule:

  • Sharing with affiliates is not subject to a right to opt-out, but consumers have a right to be informed through the privacy notice.
  • Sharing with non-affiliates is subject to a right to opt-out and must also be disclosed through the privacy notice.
  • Several exceptions to the opt-out rule apply.

See, 12 C.F.R. § 1016.12

An ‘affiliate’ is any company that controls, is controlled by, or is under common control with another company. 12 C.F.R. Sec. 1016.3(a)(1).

In addition, GLBA prohibits ‘financial institutions’ from disclosing an ‘account number or similar form of access number or access code’ for a consumer credit card or a deposit or transaction account to a non-affiliated third party for use in telemarketing, direct mail marketing, or electronic mail marketing. Excepted from this prohibition are disclosures to:

  • consumer reporting agencies;
  • a financial institution’s agent or service provider for the sole purpose of performing marketing for the financial institution’s own products or services so long as the agent or service provider is not authorized to directly initiate charges to the account; and
  • a participant in a private label credit card program where the participants in the program are identified to the customer when the customer enters the program.

See, 12 C.F.R. § 1016.12

The GLBA does not:

  • limit the sharing of information with affiliates;
  • apply to a FI’s collection or use of its own NPI (but it imposes reuse limitations with respect to another FI’s NPI). See 12 U.S.C. § 6802(c); 12 C.F.R. § 1016.11.
  • modify, limit, or supersede the federal Fair Credit Reporting Act (FCRA) (Note that FCRA may require disclosure and opt-out for sharing with affiliates.)

The GLBA requirements apply with respect to all types of NPI, regardless of sensitivity, and do not include special rules for particularly sensitive types.

(2) Nonpublic personal information (NPI): The GLBA extends its protections to all “nonpublic personal information” (NPI) which is any personally identifiable financial information:

  • provided by a consumer to a FI;
  • resulting from any transaction with the consumer or any service performed for the consumer; or
  • otherwise obtained by the FI.

See, 15 U.S.C. § 6809(4)/ 12 C.F.R. § 1016.3(p) & (q).

Publicly available information is not NPI. Information is publicly available if the organization has a reasonable basis to believe it is lawfully made available to the general public. When information is generally made lawfully available but an individual has elected not to have his or her information publicly available (such as by having an unlisted telephone number), such information is NPI with respect to that individual. Publicly available information includes information disclosed in government real estate records such as a deed or bankruptcy filings, as well as information that is in widely distributed media, such as a website, that is available in general to the public.

See, 12 C.F.R. § 1016.3(r)(1)&(3)

Examples of information that is NPI include:

  • An individual’s income, Social Security number, marital status, amount of savings or investments, payment histories, loan or deposit balances, credit or debit card purchases, account numbers, consumer reports;
  • The fact that an individual has an account with a particular FI;
  • Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using a combination of NPI and publicly available information (e.g. a ‘list of individuals’ names and street addresses that is derived in whole or in part using NPI such as account numbers);
  • Any information the FI has obtained as a result of servicing a customer’s account, and information collected through internet ‘cookies’.

Examples of information that is NOT NPI include:

  • A mailing list using information that is publicly available, such as name and mailing address, as long as it does not also include NPI (but customer lists are NPI because they disclose that the individual has an account with the FI);
  • Aggregate data that does not reveal the identity of any particular consumer such as charts showing age demographics of customers.

(3) ‘Consumers’ and ‘Customers’: A ‘consumer’ is an individual who obtains or has obtained a financial product or service from a FI, to be used primarily for personal, family, or household purposes. Consumers may include individuals who cash a check with a check-cashing company, make a wire transfer, purchase a money order, apply for a loan or credit card but later withdraw the application, or use the ATM of a bank at which the individual does not maintain an account. Consumers under GLBA are afforded less protection than customers.

See 15 U.S.C. § 6809(9)&(11); 12 C.F.R. § 1016.3(e)(1) (Consumer)

A ‘customer’ is a consumer who has a “customer relationship” with a FI. A ‘customer relationship’ is a continuing relationship between a consumer and a FI under which the institution provides a financial product or service to the consumer.

See, 12 C.F.R. § 1016.3(i)&(j).

A ‘former customer’ is a person who was a customer at one time but no longer has an ongoing relationship with the FI (e.g. a customer that pays a loan in full). If the customer relationship does not terminate at a particular moment, for the purposes of the privacy rule, a customer becomes a former customer when the FI has not communicated with the customer about the relationship for a period of twelve consecutive months, other than to provide notices or promotional materials.

See, 12 C.F.R §1016.5(b)(1)&(2)

GLBA’s protections do not apply to businesses or individuals who seek financial services for business purposes.

Material Scope of the Security Rule:

The security requirements apply to any record containing NPI about a ‘customer’ of a ‘financial institution’, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of a ‘financial institution’ or its affiliates. (See, Sections 501 and 505(b)(2) of the GLBA)

What rights do individuals have under GLBA (Data subject Rights)?

GLBA grants consumers two rights: the right to opt-out of certain disclosures and the right to be informed (notice). (15 U.S.C. § 6802)

(1) Right to opt-out of sharing

OPT-IN: GLBA does not require opt-in for sharing NPI.

OPT-OUT: As a general rule, FIs must provide a ‘reasonable means’ to opt-out prior to sharing NPI with a ‘non-affiliated third party’ unless an exception applies (see below). A reasonable means to opt-out exists where the FI:

  • designates check-off boxes in a prominent position on the relevant forms with the opt-out notice;
  • includes a reply form together with the opt-out notice;
  • provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution’s website, if the consumer agrees to the electronic delivery of information; or
  • provides a toll-free telephone number that consumers may call to opt out.

However, a FI does not provide a reasonable means of opting out if:

  • the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or
  • the only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the institution provided with the initial notice but did not include with the subsequent notice.

See, 12 C.F.R. § 1016.7(a)(2)(ii)-(iii).

Content of the opt-out: An opt-out notice must include:

  • a statement concerning the disclosure, or the reservation of the right, to disclose NPI about the consumer to a non-affiliated third party;
  • a statement that the consumer has the right to “opt out”; and
  • a reasonable means to opt out.

See, 15 U.S.C. § 6802(b); 12 C.F.R. § 1016.7

Complying with the request to opt-out: A consumer’s direction to opt out is effective until the consumer revokes it in writing or, if the consumer agrees, electronically. Consumers may opt-out at any time and the FI must comply with the request. When a customer relationship terminates, the customer’s opt out direction continues to apply to the nonpublic personal information that was collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the FI, the opt out direction that applied to the former relationship does not apply to the new relationship.

See, 12 C.F.R. § 1016.7(g-i)

NO CONSENT: No consent is required where (1) an FI shares with affiliated entities or (2) the sharing is covered by one of the exceptions to the opt-out rule (see below).

EXCEPTIONS: FIs are exempted from the obligation to provide an opt-out from sharing with non-affiliates if they share with the consent or at the direction of the consumer (C.F.R. Sec. 1016.15(a)(1)) OR under three narrowly defined exceptions, commonly referred to by the sections of the statute under which the exceptions arise.

(1) Section 13 exception (Service providers): FIs are not required to provide an opt-out (but must disclose the sharing in the initial privacy notice unless the disclosure is otherwise covered under a Section 14 or 15 exception) if NPI is shared with a third party acting as a service provider and the FI enters into a compliant contractual agreement.

  • This exception applies generally to non-affiliated agents to which a FI outsources functions such as servicing, account maintenance, and customer service.
  • A compliant contractual agreement must prohibit the third party from disclosing or using NPI other than to carry out the purposes for which the institution disclosed the information.
  • The services may include marketing of the institution’s own products and services (e.g. using a non-affiliated third party to do a targeted promotion to existing customers or mail holiday cards). The services also may include marketing under a “joint agreement” with a non-affiliated FI to jointly offer, endorse, or sponsor a financial product or service.

See, 15 U.S.C. § 6802 (b)(2) & 15 U.S.C. § 6809(10) (definition of ‘joint agreement’) / 12 C.F.R. § 1016.13

(2) Section 14 exception (process a transaction or service an account): FIs are not required to provide an opt-out (and are not required to inform consumers of the sharing) if NPI is shared “as necessary to effect, administer, or enforce a transaction” that a consumer requests or authorizes, or in connection with:

  • servicing or processing a financial product or service that a consumer requests or authorizes;
  • maintaining or servicing the consumer’s account with the institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
  • a proposed or actual securitization, secondary market (including sales of servicing rights), or similar transaction related to a transaction of the consumer.

‘Necessary to effect, administer, or enforce a transaction’ generally means any disclosure of NPI to an unaffiliated third party necessary or used by the FI in its usual course of business to be able to service a covered individual’s account or effect a requested transaction. This includes:

  • carrying out the transaction and recording, servicing, or maintaining the account in the ordinary course of business;
  • administering benefits related to the transaction;
  • administering accounts;
  • providing confirmation, statements, or other records for the transaction or information on the status or value of the service or product;
  • accruing or recognizing incentives or bonuses provided by the FI to the consumer;
  • enforcing the FI’s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service;
  • underwriting insurance at the request of the consumer;
  • reporting, investigating, or preventing fraud or material misrepresentation; or
  • in connection with: (A) The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited, or otherwise paid using a debit, credit, or other payment card, check, or account number, or by other payment means; (B) The transfer of receivables, accounts, or interests therein; or (C) The audit of debit, credit, or other payment information.

Examples of Section 14 sharing include sharing NPI with:

  • service providers that mail account statements to consumers;
  • creditors listed by a consumer on a credit application in order to obtain a loan.

See, 15 U.S.C. § 6809(7), 12 C.F.R. § 1016.14(b).

(3) Section 15 exception (with consent or legally required): FIs are not required to provide an opt-out (and are not required to inform consumers of the sharing) if NPI is shared:

  • with the consent or at the direction of the consumer (C.F.R. Sec. 1016.15(a)(1));
  • to protect the confidentiality or security of the institution’s records pertaining to the consumer, service, product, or transaction;
  • to protect against or prevent actual or potential fraud, unauthorized transactions, claims or other liability;
  • for required institutional risk control or for resolving consumer disputes or inquiries;
  • to persons holding legal or beneficial interest relating to the consumer;
  • to persons acting in a fiduciary or representative capacity on behalf of the consumer;
  • to provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating the institution, persons that are assessing the institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors;
  • to the extent permitted or required under other provisions of law;
  • to a consumer reporting agency in accordance with the FCRA, or from a consumer report reported by a consumer reporting agency;
  • in connection with a sale of a financial institution; or
  • to comply with: (i) federal, state or local laws, rules and other applicable legal requirements; (ii) properly authorized civil, criminal, or regulatory investigation or subpoena or summons; or (iii) to respond to a judicial process or government regulatory authorities with proper jurisdiction.

See, 15 U.S.C. § 6802(e)(1)-(8)/ 12 C.F.R. §§ 1016.14 & 1016.15.

(2) Right to be informed (Privacy Notice)

Initial notice: As a general rule, all consumers have a right to be informed of whether the FI shares data with non-affiliated third parties. Customers have an enhanced right to be informed. The specific notice differs depending on whether the FI shares data with non-affiliated companies or not.

  • For consumers that do not have an on-going relationship with the FI (i.e., consumers that are NOT customers): If a FI does not intend to share NPI with non-affiliated third parties, no notice needs to be provided. If it intends to share NPI with non-affiliated third parties, the FI must provide both notice and an opportunity to opt-out (see OPT-OUT above) before sharing, unless the disclosure is permitted under one of the three exceptions (see EXCEPTIONS above). (12 C.F.R. §1016.7(a)(1); 12 C.F.R. §§ 1016.3(e)(1) (definition of ‘consumer’), 1016.4(a)(2) (initial notice) and 1016.10(a) (opt-out notice)).
  • For customers (i.e. consumers with an on-going relationship with the FI): An FI must provide an initial privacy notice whether it shares NPI with non-affiliated third parties or not. If it intends to share with non-affiliated third parties, the FI must provide an opportunity to opt-out unless an exception applies (See EXCEPTIONS above). (12 C.F.R. §1016.7). In addition, an annual notice for the duration of the relationship must be provided, BUT the requirement to provide an annual notice has been waived for FIs that do not change their practices. (See, 15 U.S.C. § 6803(a), 12 C.F.R. §§1016.4, §1016.5, 12 C.F.R. § 1016.6(b), 1016.7, 1016.8.)
  • For former customers: An FI does not need to provide an annual privacy notice to former customers. (See, 12 C.F.R. §1016.5(b)(1))

In addition, FIs must send a revised privacy notice with a new opportunity to opt-out to all consumers and former consumers if the categories of data or the scope of the disclosures changes and no opportunity to exercise an opt-out regarding the new disclosure has been provided before (12 C.F.R. Sec. 1016.8).

Notification when sharing under an exception: FIs sharing NPI ONLY under section 14 and 15 exceptions can provide a ‘simplified privacy notice’, but those sharing under section 13 must describe the sharing in the notice (see below).

Joint privacy notices: An FI and its affiliates may jointly provide a single privacy notice. (See, 12 C.F.R. Sec. 1016.9(f))

Relationship-specific privacy notices: An FI can either provide a separate tailored privacy notice or a comprehensive one. For example, a bank collects different NPI from credit card customers and checking account customers and can either provide separate privacy notices or the same privacy notice to both, so long as it clearly describes which categories of data are collected from which type of customer.

Contents of the notice: The notice must separately specify how the FI handles NPI of consumers, customers, and former customers and contain:

  • the categories of NPI collected;
  • the categories of NPI disclosed;
  • the categories of affiliates and non-affiliated third parties with whom the NPI is shared, other than those parties to whom the FI discloses information under an exception;
  • an explanation of the consumer’s right to opt out of the disclosure of NPI to non-affiliated third parties, including the method(s) by which the consumer may exercise that right;
  • the categories of NPI about former customers disclosed and the categories of affiliates and non-affiliated third parties to whom NPI about former customers is disclosed, other than those parties to whom the institution discloses information under an exception;
  • if the FI discloses NPI to a non-affiliated third party under the service provider exception (and no other exception), a separate statement of the categories of NPI disclosed and the categories of third parties with whom the FI has contracted for the provision of services;
  • if the FI discloses NPI pursuant to exceptions, a statement that the FI makes disclosures to other non-affiliated companies;
  • any disclosures that the FI makes under the federal Fair Credit Reporting Act (“FCRA”) regarding the ability to opt out of disclosures of information among affiliates;
  • the financial institution’s policies and practices with respect to protecting the confidentiality and security of NPI; and
  • any other disclosure that the FI wishes to make.

See, 15 U.S.C. §§ 6803(a)-(b); 12 C.F.R. § 1016.6

Form of the privacy notice: A privacy notice should be clear and conspicuous, understandable to the consumer, and designed to call attention to the nature and significance of the information contained therein. It should contain short explanatory sentences, bullet points, and clear headings as well as an easily readable typeface and type size. (12 C.F.R. Sec. 1016.3(b))

The GLBA does not require that notice be provided in a specific format. However, all federal agencies responsible for enforcing GLBA have adopted a ‘model privacy notice’. FIs that use the model privacy notice form may rely on it as a safe harbor for compliance with the content requirements of GLBA.

See, 12 C.F.R. § 1016.2 and pt. 1016, App. A

Short-form privacy notices: A short-form privacy notice is a notice stating that a FI’s full privacy notice is available on request and describing a reasonable way consumers can obtain the full privacy notice. It must include an opt-out if necessary.

Simplified privacy notices: If an FI only shares NPI pursuant to section 14 and section 15 exceptions (see exceptions to the right to opt-out above) it may provide a simplified privacy notice both initially and annually (if it has changed its practices) containing:

  • a statement that the FI does not disclose and does not reserve the right to disclose NPI;
  • the categories of NPI collected;
  • the FI’s policies and practices intending to protect the confidentiality, security, and integrity of NPI; and
  • any required description of the sharing.

12 C.F.R. § 1016.6(b)(5)

Delivery process: Privacy notices must be delivered in writing or, if the consumer agrees, electronically. Notice may be provided via postal mail or in person.

Electronic delivery includes posting a privacy notice on the FI’s website and requiring customers to acknowledge receipt as a requirement to obtain a particular product or service. The electronic notice should be placed on a screen or hyperlinked to a screen that consumers frequently access, such as the home page. The CFPB has advised that FIs should ensure consumers are encouraged to scroll down if necessary to see the link and that other elements should not distract attention away from the privacy notice.

Notices given orally or posted in an office are not sufficient. See, 15 U.S.C. § 6803(a); 12 C.F.R. § 1016.9.

Timing for delivery: As a general rule, an FI must

(1) provide to customers:

  • an initial privacy notice no later than when establishing a “customer relationship,” (e.g. when a customer opens a credit card account); and
  • an annual privacy notice each year during the continuation of the “customer relationship.” The annual privacy notice is not required if the FI: (i) only shares NPI under exceptions that permit such disclosure (i.e., the FI is not sharing in a way that would require it to provide an opt-out); AND (ii) has not changed its policies and practices with regard to disclosing NPI from the policies and practices that were disclosed in the most recent privacy notice sent to the customer. A FI must resume providing an annual privacy notice when the financial institution fails to meet the criteria described above.

See, 15 U.S.C. § 6803(f) / 12 C.F.R. Sec 1016.4(a)(1) (initial notice) / 12 C.F.R. Sec. 1016.5 (annual notice)

(2) provide to consumers that are not customers (i.e. consumers with whom the FI does not have an ongoing relationship) an initial privacy notice before sharing the NPI unless an exemption permits the disclosure.

See, 12 C.F.R. §1016.7(a)(1); 12 C.F.R. §§ 1016.3(e)(1) (definition of ‘consumer’), 1016.4(a)(2) (initial notice) and 1016.10(a) (opt-out notice)

What Obligations does GLBA Impose?

In addition to giving effect to consumers’ rights, FIs have three obligations under GLBA: ensure the security of NPI, refrain from sharing account numbers or access codes with non-affiliated third parties for marketing purposes, and oversee vendors. GLBA also imposes obligations on non-affiliated third parties receiving NPI subject to GLBA.

FI OBLIGATIONS:

(1) Security requirements (‘Safeguards Rule’)

The GLBA contains a ‘Safeguards Rule’ under which FIs must develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards appropriate to the size and complexity of the organization, the nature and scope of its activities, and the sensitivity of the information. The safeguards shall be reasonably designed to achieve the following objectives:

  • Insure the security and confidentiality of customer information;
  • Protect against any anticipated threats or hazards to the security or integrity of such information; and
  • Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

See, 16 CFR §314.3

The safeguards shall include the following elements:

(1) Designate an employee or employees to coordinate the information security program.

(2) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of operations, including:

  • Employee training and management;
  • Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
  • Detecting, preventing and responding to attacks, intrusions, or other systems failures.

(3) Design and implement information safeguards to control the risks identified through the risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.

(4) Evaluate and adjust the information security program in light of the results of the testing and monitoring in (3) above; any material changes to the operations or business arrangements; or any other circumstances that the ‘financial institution’ knows or has reason to know may have a material impact on its information security program.

See, 16 CFR §314.4

See also Case Study: In re. TaxSlayer

(2) Prohibition against sharing account numbers or access codes for marketing purposes

GLBA prohibits FIs from disclosing an ‘account number or similar form of access number or access code’ for a consumer credit card or a deposit or transaction account to a non-affiliated third party for use in telemarketing, direct mail marketing, or electronic mail marketing. Excepted from this prohibition are disclosures to:

  • consumer reporting agencies;
  • a financial institution’s agent or service provider for the sole purpose of performing marketing for the financial institution’s own products or services so long as the agent or service provider is not authorized to directly initiate charges to the account; and
  • a participant in a private label credit card program where the participants in the program are identified to the customer when the customer enters the program.

See, 12 C.F.R. § 1016.12

(3) Vendor Management

FIs disclosing NPI to a third party acting as a service provider under section 13 (see above) must enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the institution disclosed the information.

12 C.F.R. § 1016.13

Under Reg S, a FI is required to oversee service providers by:

  • Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
  • Requiring service providers by contract to implement and maintain such safeguards.

See, 16 CFR §314.4 (d)

Obligations of recipients of NPI

Recipients of NPI have limited ability to use and re-disclose the NPI, depending on how the NPI was received.

  • NPI received under the section 13 exception (see above for a description of what the exception covers): The recipient may use and disclose NPI only as necessary to carry out the purpose for which it was received, or pursuant to another exception. For example, a non-affiliated third party recipient can disclose NPI in response to a subpoena under the section 15 exception but cannot use NPI for its own marketing purposes. (See, 12 C.F.R. § 1016.13)
  • NPI received under a section 14 or 15 exception (see above for a description of what the exceptions cover): Third parties that receive NPI pursuant to a section 14 or 15 exception may only disclose NPI (i) to their affiliates; (ii) to the affiliates of the FI from which they received the NPI; or (iii) pursuant to a section 14 or 15 exception. For example, an institution that receives NPI for the purposes of mortgage servicing could also disclose the NPI to its own auditors.
  • NPI received outside of the section 13, 14 or 15 exceptions (see above for a description of what the exceptions cover): The non-affiliated third party may use the NPI for its own purposes but may re-disclose NPI ONLY (i) to the FI that originally disclosed it and affiliates of that FI, and (ii) to the extent that the original FI would be able to disclose the NPI. For example, if the original FI’s privacy notice informed consumers that it would only share NPI with businesses in California, the recipient may not share NPI with businesses outside of California (See, 12 C.F.R §1016.11).

Enforcement

Private cause of action

The GLBA does not provide for a private cause of action. Under state law, a consumer may be able to bring an action under common law or state law consumer protection statutes.

Agency enforcement

Today, several federal agencies, including the Consumer Financial Protection Bureau (CFPB), as well as state insurance agencies, enforce the GLBA Privacy Rule. The CFPB took on primary enforcement responsibility for the GLBA when it was formed in 2011 pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act, and other agencies authorized to enforce consumer financial law may recommend that the CFPB initiate an enforcement proceeding. The CFPB has responsibility for enforcing the GLBA Privacy Rule against banks with more than $10 billion in assets. The federal banking agencies (such as the Federal Reserve Board (the “Board”) and the Office of the Comptroller of the Currency (OCC)), as well as other federal regulatory agencies (such as the SEC), have authority to enforce the privacy provisions of GLBA against other banks. Any financial institution not otherwise regulated by a federal agency is regulated by the FTC and the CFPB.

(See, 15 U.S.C. Sec. 6805(a))

The FTC has shown a willingness to enforce the Privacy Rule where it believes a company has failed to provide accurate information in its privacy notice. The FTC has also shown a willingness to enforce the Security Rule against companies that fall victim to cybersecurity attacks, even attacks that may not typically be considered a full-scale breach, where the company has failed to take steps to remedy vulnerabilities that it identified, or would have identified had it complied with the Safeguards Rule.

See, Case Study: Venmo & Case Study: In re. TaxSlayer

State insurance authorities are responsible for enforcing GLBA with respect to insurance providers.

NOTE: The GLBA initially gave rulemaking authority to several federal banking agencies (including the Federal Reserve Board (the “Board”); the Office of the Comptroller of the Currency (OCC); the Federal Deposit Insurance Corporation (FDIC); the Office of Thrift Supervision (OTS); the National Credit Union Association (NCUA); the FTC; the SEC; and the CFTC). The Dodd-Frank Wall Street Reform and Consumer Protection Act transferred rulemaking authority from the Board, OCC, FDIC, OTS, NCUA and (in part) the FTC to the Consumer Financial Protection Bureau (CFPB). The SEC and the CFTC retained authority over persons subject to their jurisdiction, such as securities brokers and commodity trading advisors; the FTC retained authority with respect to motor vehicle dealers.

Resources

Legal citation

15 U.S.C. § 1843 et seq., with privacy rules at § 6801 et seq. (GLBA)

GLBA Privacy Rule:

GLBA Safeguards Rule:

Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank), Pub. L. №111–203, 124 Stat. 1376 Sec. 1025(c) (July 21, 2010) (Reforming GLBA after the 2008 crisis and transferring primary enforcement responsibility to the CFPB)

California’s Insurance Information and Privacy Protection Act, Section 791 et seq. (CalIIPPA), promulgated pursuant to GLBA (although GLBA is a federal law, state insurance authorities are responsible for the enforcement of the financial institution safeguards and disclosure/opt-out procedures required by GLBA as applied to “any person engaged in providing insurance,” see 15 U.S.C. § 6805(a)(6))

California’s Code of Regulations (“CCRs”) promulgated pursuant to CalIIPPA. NOTE: In 2010, California’s Office of Administrative Law (“OAL”) approved the California Department of Insurance’s (“DOI”) proposal to repeal certain privacy regulations promulgated under GLBA.

Articles

‘Financial Services Modernization Act of 1999, commonly called Gramm-Leach-Bliley’ by Joe Mahon, Federal Reserve Bank of Minneapolis for Federal Reserve History (Nov. 1999)

“Repeal of Glass-Steagall: Not a cause, but a multiplier” by Barry Ritholtz for the Washington Post (Aug. 2012)

Guidance issued by federal agencies

As of January 2019, the CFPB has not issued any specific guidance on GLBA compliance other than amending regulations in 2014 to permit online posting of privacy notices.

‘How To Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act’ issued by FTC (July, 2002)

‘Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice’ issued by OCC, Board, FDIC, and OTS (March, 2005)

Caselaw and case studies

Case study: ABA v. FTC (GLBA does not apply to attorneys or law firms)

In re Lenz, 448 B.R. 832, 840 (Bankr D. Or. 2011)

In re. Nationwide Mortgage Group, Inc., and John D. Eubank proceedings before the FTC concluded in 2005 (complaint alleged violations of both the security and the privacy rule)

In re. Sunbelt Lending Servs., Inc. proceedings before the FTC concluded in 2005 (complaint alleged violations of both the security and the privacy rule)

People of the State of California v. Citibank, No. RG13693591 (Cal. Super. Aug. 2013) (Complaint & Final Judgement)

Case Study: In re. TaxSlayer

Case Study: Venmo

Golden Data

Legal blog about data laws

Written by Lydia F de la Torre. Teacher. Counsel. Author. Queen bee.
