The Gramm-Leach-Bliley Act (GLBA) is a federal law that establishes numerous legal requirements for companies that qualify as “financial institutions” under the Act. The GLBA’s definition of a “financial institution” is extremely broad and, as a result, many companies that would not normally consider themselves to be financial institutions fall within the definition.
With this in mind, all corporate executives and in-house counsel would be well served to learn the basics of GLBA compliance. Even if the GLBA does not currently apply based on the nature of the company’s business, changes or new initiatives could result in the need to comply with the statute in the future.
“Many different types of companies qualify as ‘financial institutions’ under the GLBA—including many that would not typically categorize themselves in this way. As a result, when assessing a company’s compliance obligations, it is critical to assess whether the company is subject to the privacy and data safeguarding requirements of the GLBA.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
Is Your Company Subject to the GLBA as a “Financial Institution”?
Congress enacted the GLBA in 1999 in response to a variety of concerns that had arisen in the securities, insurance, and financial services sectors. Although its primary focus was on reform, the GLBA also established ongoing, affirmative obligations for companies to respect consumers’ privacy and safeguard their personal information.
As such, the GLBA applies to a broad range of companies. Although the statute categorizes these companies as “financial institutions,” the definition of this term makes clear that the statute does not apply only to banks and lenders. As the U.S. Federal Trade Commission (FTC) explains, the GLBA applies to “all businesses, regardless of size, that are ‘significantly engaged’ in providing financial products or services.”
When assessing whether a company is “significantly engaged” in providing financial products or services, there is no bright-line rule, but rather a two-factor test. The FTC goes on to explain that:
“Two factors are particularly important in determining whether [a company is] ‘significantly engaged’ in a financial activity. First, is there a formal arrangement? A storeowner or bartender who ‘runs a tab’ for customers is not considered to be significantly engaged in financial activities, but a retailer that offers credit directly to consumers by issuing its own credit card would be covered. Second, how often does the business engage in a financial activity? A retailer that lets some customers make payments through an occasional lay-away plan is not ‘significantly engaged’ in a financial activity. In contrast, a business that regularly wires money to and from consumers is significantly engaged in a financial activity.”
The FTC also identifies all of the following as examples of “financial activities” that trigger GLBA compliance obligations:
- Appraisal services
- Brokering and servicing loans
- Career counseling for people seeking employment in the financial services sector
- Check-cashing and issuing payday loans
- Courier services
- Debt collection
- Financial, economic, and investment advisory services
- Lending, exchanging, transferring, and investing money or securities for others
- Mortgage lending
- Nonbank lending
- Real estate settlement services
- Tax preparation services
As you can see from the FTC’s examples, there is room in this analysis for disagreement as to whether a company’s specific activities rise to the level of significant engagement in a financial activity. Companies need to take this into consideration when assessing their GLBA compliance obligations, and they should work with their legal counsel to make reasoned decisions when it is not entirely clear where the line should be drawn.
Should companies simply err on the side of caution and undertake measures to establish GLBA compliance? While this makes sense in theory, establishing GLBA compliance can be a significant undertaking. This is especially true for larger companies, but it is also true for smaller companies that may not have the resources to establish GLBA compliance unnecessarily. Before going too far down this rabbit hole, however, companies should keep the breadth of the GLBA’s “financial institution” definition in mind, and they should also weigh the risks of facing an FTC investigation without a GLBA compliance program in place.
What Does it Take to Establish GLBA Compliance?
For companies that qualify as financial institutions, there are two main components to GLBA compliance. These are: (i) compliance with the GLBA’s Privacy of Consumer Financial Information Rule (the “Privacy Rule”), and (ii) compliance with the GLBA’s Safeguards Rule.
Compliance with the GLBA Privacy Rule
The GLBA Privacy Rule requires financial institutions to safeguard consumers’ nonpublic personal information (NPI). Crucially, the GLBA distinguishes between “consumers” and “customers.” While the GLBA establishes heightened requirements with respect to customers, it establishes baseline requirements that apply to all consumers.
As the FTC explains, “a ‘consumer’ is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person’s legal representative. . . . ‘Customers’ are a subclass of consumers who have a continuing relationship with a financial institution. [But] [i]t’s the nature of the relationship – not how long it lasts – that defines [a company’s] customers.” Under the GLBA, financial institutions must protect all consumers’ NPI. This includes:
- Name, address, Social Security number, income, and other information a consumer provides in an effort to obtain a financial product or service
- Information obtained from consumers concerning financial products or services (e.g., account numbers, payment histories, and deposit balances); and
- Information obtained in connection with providing a financial product or service (e.g., court records or consumer reports).
For financial institutions that obtain consumers’ NPI, some of the key requirements of the GLBA Privacy Rule are as follows:
1. Privacy Notices
The GLBA Privacy Rule requires financial institutions to provide consumers with “clear and conspicuous” written notice of their privacy policies and practices. Financial institutions must provide initial notice “by the time the customer relationship is established,” and they must also provide annual notices “for as long as the customer relationship lasts.”
Privacy notices provided pursuant to the GLBA’s Privacy Rule must include several pieces of information. These include (but are not limited to):
- The categories of NPI the company collects
- The categories of NPI the company discloses to third parties
- The company’s policies regarding information security and confidentiality
- Any disclosures required under the Fair Credit Reporting Act (FCRA)
2. Opt-Out Notices
Financial institutions that disclose NPI to unaffiliated third parties must also provide opt-out notices to consumers. Companies’ opt-out notices must provide “reasonable means” for consumers to elect not to have their NPI shared. Companies must also provide a “reasonable opportunity” for consumers to exercise their opt-out right, and the FTC gives an example of 30 days following delivery of the opt-out notice.
3. Reuse and Redisclosure of NPI
In addition to establishing requirements with respect to NPI that companies obtain from consumers directly, the GLBA Privacy Rule also establishes requirements for when companies obtain NPI from unaffiliated third parties. The FTC notes that financial institutions’ ability to reuse and redisclose NPI received from third parties is “limited,” with the specific limits being determined based on “how the information is disclosed.”
This list is far from exhaustive. It is also subject to a variety of exceptions. When addressing GLBA Privacy Rule compliance, companies must carefully assess their requirements, and they should focus on developing and adopting policies, procedures, and systems that reflect their specific compliance obligations. An off-the-shelf compliance program will not cut it and, when the FTC investigates companies under the GLBA, it expects to find documentation of a custom-tailored, evidence-based approach to compliance.
Compliance with the GLBA Safeguards Rule
The same is true with respect to the GLBA Safeguards Rule. While the Privacy Rule focuses primarily (though not exclusively) on notice and disclosure, the Safeguards Rule focuses on how financial institutions protect consumers’ (and customers’) NPI. Under the Safeguards Rule, financial institutions must establish a written information security program that addresses the following:
- Designation of an information security program coordinator
- Identification and assessment of the risks to NPI in each area of the company’s operations
- Evaluation of effective safeguards for controlling risks to NPI
- Design and implementation of a safeguards program
- Regular monitoring and testing of the financial institution’s safeguards program
- Selection of service providers that are capable of adequately safeguarding NPI
- Contractual rights and remedies to ensure adequate oversight of service providers’ handling of NPI
- Evaluation and adjustment of the financial institution’s safeguards program as necessary
In each of these broad areas, financial institutions can potentially have a host of individual responsibilities. Again, what is required depends heavily on the risks presented by a particular company’s operations. The FTC’s guidance on compliance with the GLBA Safeguards Rule addresses everything from data encryption to document shredding, and company executives and their legal counsel must make informed decisions about all aspects of the company’s Safeguards Rule compliance efforts based on the specific risks at hand.
Although the GLBA is now more than 20 years old, it continues to play a central role in financial institutions’ decisions regarding consumer data privacy and safeguarding. However, while financial institutions must address their obligations under the GLBA, they cannot focus on the GLBA exclusively when deciding what is required in terms of cybersecurity. A variety of other state, federal, and international laws may apply as well and, regardless of any statutory requirements, many companies will find it necessary to take additional measures in order to adequately safeguard consumers’ data and mitigate their risk of civil liability.