The Gramm-Leach-Bliley Act (GLBA) is a federal law that establishes various legal requirements for companies that qualify as “financial institutions” under the Act. The GLBA’s definition of a “financial institution” is extremely broad; and, as a result, many companies that would not normally consider themselves to be financial institutions fall within the definition.
With this in mind, all corporate executives and in-house counsel would be well-served to learn the basics of GLBA compliance. Even if the GLBA does not currently apply based on the nature of the company’s business, changes or new initiatives could trigger the need to comply with the statute in the future.
“Many different types of companies qualify as ‘financial institutions’ under the GLBA—including many that would not normally categorize themselves in this way. As a result, when assessing a company’s compliance obligations, it is imperative to assess whether the company is subject to the privacy and data safeguarding requirements of the GLBA.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
Is Your Company Subject to the GLBA as a “Financial Institution”?
Congress enacted the GLBA in 1999 in response to various concerns that had arisen in the securities, insurance, and financial services sectors. While its primary focus was on reform, the GLBA also established ongoing, affirmative obligations for companies to respect consumers’ privacy and safeguard their personal data.
As such, the GLBA applies to a broad range of companies. While the statute categorizes these companies as “financial institutions,” the definition of this term makes clear that the statute does not merely apply to banks and lenders. As the U.S. Federal Trade Commission (FTC) explains, the GLBA applies to, “all businesses, regardless of size, that are ‘significantly engaged’ in providing financial products or services.”
When assessing whether a company is “significantly engaged” in providing financial products or services, there is not a bright-line rule, but rather a two-factor test. The FTC goes on to state that:
“Two factors are particularly important in determining whether [a company is] ‘significantly engaged’ in a financial activity. First, is there a formal arrangement? A storeowner or bartender who ‘runs a tab’ for customers is not considered to be significantly engaged in financial activities, but a retailer that offers credit directly to consumers by issuing its own credit card would be covered. Second, how often does the business engage in a financial activity? A retailer that lets some consumers make payments through an occasional lay-away plan is not ‘significantly engaged’ in a financial activity. In contrast, a business that regularly wires money to and from consumers is significantly engaged in a financial activity.”
The FTC also identifies all of the following as examples of “financial activities” that trigger GLBA compliance obligations:
- Appraisal services
- Brokering and servicing loans
- Career counseling for individuals seeking employment in the financial services industry
- Check-cashing and issuing payday loans
- Courier services
- Debt collection
- Financial, economic, and investment advisory services
- Lending, exchanging, transferring, and investing money or securities for others
- Mortgage lending
- Nonbank lending
- Real estate settlement services
- Tax preparation services
As you can see from the FTC’s examples, there is room in this analysis for disagreement as to whether a company’s particular activities rise to the level of significant engagement in a financial activity. Companies need to take this into consideration when assessing their GLBA compliance obligations, and they should work with their legal counsel to make reasoned decisions when it is not entirely clear where the line needs to be drawn.
Should companies simply err on the side of caution and undertake measures to establish GLBA compliance? While this makes sense in theory, establishing GLBA compliance can be a significant undertaking. This is particularly true for larger companies, but it is also true for smaller companies that might not have the resources to establish GLBA compliance unnecessarily. Before going too far down this rabbit hole, however, companies should keep the breadth of the GLBA’s “financial institution” definition in mind, and they should also weigh the risks of facing an FTC investigation without a GLBA compliance program in place.
What Does it Take to Establish GLBA Compliance?
For companies that qualify as financial institutions, there are two primary aspects to GLBA compliance. These are: (i) compliance with the GLBA’s Privacy of Consumer Financial Information Rule (the “Privacy Rule”), and (ii) compliance with the GLBA’s Safeguards Rule.
Compliance with the GLBA Privacy Rule
The GLBA Privacy Rule requires financial institutions to protect consumers’ nonpublic personal information (NPI). Crucially, the GLBA distinguishes between “consumers” and “customers”. While the GLBA establishes enhanced requirements with regard to customers, it establishes baseline requirements that apply to all consumers.
As the FTC explains, “a ‘consumer’ is someone who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that person’s legal representative. . . . ‘Customers’ are a subclass of consumers who have a continuing relationship with a financial institution. But, [i]t’s the nature of the relationship – not how long it lasts – that defines [a company’s] customers.” Under the GLBA, financial institutions must protect all consumers’ NPI. This includes:
- Name, address, Social Security number, income, and other information a consumer provides in an effort to obtain a financial product or service;
- Information obtained from consumers regarding financial products or services (e.g., account numbers, payment histories, and deposit balances); and,
- Information obtained in connection with providing a financial product or service (e.g., court records or consumer reports).
For financial institutions that collect consumers’ NPI, some of the key requirements of the GLBA Privacy Rule are as follows:
1. Privacy Notices
The GLBA Privacy Rule requires financial institutions to provide consumers with “clear and conspicuous” written notice of their privacy policies and practices. Financial institutions must provide initial notice “by the time the customer relationship is established,” and they must also provide annual notices “for as long as the customer relationship lasts.”
Privacy notices provided pursuant to the GLBA’s Privacy Rule must include several pieces of information. These include (but are not limited to):
- The categories of NPI the company collects
- The categories of NPI the company discloses to third parties
- The company’s policies regarding data security and confidentiality
- Any disclosures required under the Fair Credit Reporting Act (FCRA)
2. Opt-Out Notices
Financial institutions that disclose NPI to unaffiliated third parties must also provide opt-out notices to consumers. Companies’ opt-out notices must provide “reasonable means” for consumers to elect not to have their NPI shared. Companies must also provide a “reasonable opportunity” for consumers to exercise their opt-out right, and the FTC gives an example of 30 days following opt-out notice delivery.
3. Reuse and Redisclosure of NPI
In addition to establishing requirements with regard to NPI that companies obtain from consumers directly, the GLBA Privacy Rule also establishes requirements for when companies receive NPI from unaffiliated third parties. The FTC notes that financial institutions’ ability to reuse and redisclose NPI obtained from third parties is “limited,” with specific limitations being determined based on “how the information is disclosed.”
This list is far from exhaustive. It is also subject to a number of exceptions. When addressing GLBA Privacy Rule compliance, companies must carefully assess their needs, and they must focus on developing and adopting policies, procedures, and systems that reflect their specific compliance obligations. An off-the-shelf compliance program won’t cut it; and, when the FTC investigates companies under the GLBA, it expects to find documentation of a custom-tailored, evidence-based approach to compliance.
Compliance with the GLBA Safeguards Rule
The same is true with regard to the GLBA Safeguards Rule. While the Privacy Rule focuses primarily (though not exclusively) on notice and disclosure, the Safeguards Rule focuses on how financial institutions protect consumers’ (and customers’) NPI. Under the Safeguards Rule, financial institutions must establish a written information security plan that addresses the following:
- Designation of an information security program coordinator
- Identification and assessment of the risks to NPI in each area of the company’s operations
- Evaluation of effective safeguards for controlling risks to NPI
- Design and implementation of a safeguards program
- Regular monitoring and testing of the financial institution’s safeguards program
- Selection of service providers that are capable of adequately safeguarding NPI
- Contractual rights and remedies to ensure adequate oversight of service providers’ handling of NPI
- Evaluation and adjustment of the financial institution’s safeguards program as necessary
Within each of these broad areas, financial institutions can potentially have a host of individual responsibilities. Again, what is necessary is heavily dependent upon the risks presented by a particular company’s operations. The FTC’s guidance regarding compliance with the GLBA Safeguards Rule addresses everything from data encryption to document shredding, and company executives and their legal counsel must make informed decisions about all aspects of the company’s Safeguards Rule compliance efforts based on the specific risks at hand.
While the GLBA is now more than 20 years old, it continues to play a central role in financial institutions’ decisions regarding consumer data privacy and safeguarding. However, while financial institutions must address their obligations under the GLBA, they cannot focus on the GLBA exclusively when determining what is necessary in terms of cybersecurity. Various other state, federal, and international laws may apply as well; and, regardless of any statutory requirements, many companies will find it necessary to take additional measures in order to adequately safeguard consumers’ data and mitigate their risk of civil liability.