As part of its comprehensive renovation of federal banking and securities laws that culminated with the enactment of the Gramm-Leach-Bliley Act (GLBA) in 1999, Congress created two new privacy obligations with which all "financial institutions" must comply. These two new obligations are:
· Every "financial institution" must provide all of its "customers" with an annual notice that describes its information handling practices; and;
· Before sharing a "consumer’s" (including a "customer’s") "nonpublic personal information" with a third-party for a non-exempted purpose, a "financial institution must notify the "consumer" that he or she has the right to prohibit the "financial institution" from sharing his or her "nonpublic personal information" for a nonexempted purpose (a so-called right to "opt-out" of the information sharing).
This article explains the basic elements of these two requirements. First, you should know to whom these privacy obligations apply and the type of information that they protect.
Who Must Comply?
The GLBA’s privacy obligations are imposed upon all "financial institutions." The term "financial institution" encompasses all providers of "financial services," which means that providers of any insurance product or service, including title insurance and real estate settlement services, must comply. The states have the primary authority to interpret and enforce the GLBA’s new privacy requirements for anyone engaged in the business of insurance within their borders.
What Type of Information is Protected?
The cornerstone of the GLBA privacy obligations is the protection of "nonpublic personalinformation." Understanding what type of information counts as nonpublic personal information is the key to being able to protect it. The privacy regulations define "nonpublic personal information" as any "personally identifiable financial information," and any list or grouping of consumers (and any publicly available information pertaining to them) that is derived using any personally identifiable financial information not available publicly. Conversely, nonpublic personal information does not include "publicly available information," or any list derived without using any personally identifiable financial information not available publicly.
"Personally identifiable financial information" means any information that a consumer provides or that is obtained in connection with a transaction involving a financial product or service. Examples include information provided on loan, credit card or insurance applications, account information, information from a consumer report and information collected through an Internet "cookie." An example of a protected list would be a list of names and street addresses derived in whole or in part using account or policy numbers, because such information is personally identifiable financial information that is not available publicly. Information that does not identify a consumer, such as aggregate information or blind data that does not contain policy numbers, names or addresses, however, would not be protected.
While these examples clarify what it means for information to be "personal," there is another component to the definition— the information must also be "nonpublic" in order to deserve protection. The privacy regulations define "publicly available information" to mean any information that you have a reasonable basis to believe is lawfully available to the general public from: (1) Federal, state, or local government records (such as real estate records); (2) widely distributed media (such as information from a telephone book, newspaper, or publicly accessible Web site); or (3) disclosures to the general public that are required to be made by Federal, state, or local law.
To ensure that your belief is reasonable, you should take steps to determine that the information is of the type that is available to the general public, and that the consumer has not taken steps to make sure that the information is kept private. Thus, for example, you would have a reasonable basis to believe that mortgage information is publicly available if you determine that the information is of the type included on the public record in the jurisdiction where the mortgage is recorded. Likewise, you would have a reasonable basis to believe that an individual’s phone number is publicly available if the phone number is listed.
What Obligations are Imposed?
1. The Notice Requirement
All financial institutions are required to provide an easily understandable notice of their privacy practices, including their basic handling of "nonpublic personal information," to their "customers." In the case of title insurance providers, consumers are individuals who obtain residential title insurance products or services. The privacy obligations do not apply to companies or individuals that obtain products or services for business, commercial or agriculturalpurposes.
Exception for real estate settlement service providers. In response to ALTA® comments, regulators recognized the unique, "one-time" nature of the relationship between providers and consumers of real estate settlement services by creating an important exception to the annual notice requirement for real estate settlement service providers. In the case of such providers, the customer relationship is deemed terminated at the time a customer completes execution of all documents related to a real estate closing and payment for those services has been received, or the provider has completed all of its responsibilities with respect to the settlement, including filing documents on the public record. Once the relationship is terminated, annual notices are no longer required. Of course, the initial privacy notice requirement still applies.
2. The Opt-Out Notification Requirement
What must be disclosed? Under the opt-out requirement, you must inform your consumers that they have the right to prohibit you from sharing their nonpublic personal information with unaffiliated third parties. The right is qualified in that it does not prohibit you from sharing information for the purpose of completing the transaction (or a related transaction) for which the information was provided, or for other specifically limited purposes, such as for insurance purposes or where otherwise permitted or required by law.
When must disclosures be made? In contrast to the privacy notice disclosure, which must be made regardless of whether information sharing takes place, the opt-out notification is required only if and when you share nonpublic personal consumer information with a nonaffiliated third party for a nonexempted purpose. Thus, information sharing with affiliates is not only permissible under the GLBA, but consumers do not have a right to prevent it.
Exceptions for marketing. There are two major exceptions to the opt-out right. You are not required to let consumers opt-out of information sharing between the financial institution and a third party under a joint marketing
agreement. Second, you are permitted to disclose consumer information to unaffiliated third parties to market your own products and services. For example, if you purchase a home equity product that you want to market to consumers, you are permitted to compile a list of these consumers—their names and addresses—and send the list to a fulfillment service (or envelope stuffing service) for distribution of a pamphlet or other marketing tool describing your new product without first sending opt-out notifications to these consumers.
Does Compliance Satisfy Privacy Obligations?
While compliance with the GLBA privacy obligations is necessary for institutions that collect, handle, and share their consumers’ nonpublic personal information, compliance is not sufficient to discharge obligations under other information-protecting laws. Nothing in the GLBA privacy regulations limits or supercedes existing state laws relating to medical records, health and insurance information privacy, or the operation of the federal Fair Credit Reporting Act (FCRA).
The relationship between the privacy regulations and the FCRA is particularly worth noting, because it sometimes causes confusion. The FCRA and GLBA essentially impose cumulative requirements, meaning that the more restrictive provisions apply. The GLBA protects consumers from the disclosure of all nonpublic personal information to nonaffiliated third parties for a nonexempted purpose by requiring that consumers be informed of their right to "opt-out" of such information-sharing. The FCRA protects a more limited category of information—information used or expected to be used as a factor in establishing an individual’s eligibility for personal credit, insurance or employment—but it affords a greater degree of protection to such information by requiring that a consumer "opt-in" before any "nontransactional" information can be shared with a third party.
How You Can Protect Yourself
The most important step you can take toward satisfying the GLBA privacy obligations is to develop detailed policies for handling nonpublic personal information. Remember that the disclosure of your policies may be treated as a contract between you and your clients. You should therefore take steps to make your policies con-tracts to which your customers have agreed. Your policies should in-clude provisions, such as an alter-native dispute resolution provision, that could help to reduce the costs of defending against potential challenges. You also should consolidate multiple privacy policies into a single disclosure form that you utilize in all contexts in order to avoid conflicting obligations, and you should institute quality assurance programs to ensure that your policies are maintained and followed at all times.
Scott A. Sinder is a partner and Christy Hallam DeSanctis is an associate in the Washington, D.C. law firm Collier Shannon Scott, PLLC. Scott can be reached at 202-342-8425 or firstname.lastname@example.org . Christy can be reached at 202-342-8519 or email@example.com .