Privacy Laws

Shelly Repp
General Counsel
National Council of Higher Education Loan Programs, Inc.

Gramm-Leach-Bliley Act and Regulations

Objective: Provide Overview of the GLB Act and the Implementing Regulations

Two Privacy Provisions
• Financial Privacy Rule
• Safeguards Rule

Financial Privacy Rule Policy Objectives
• Place information about the privacy policies and practices of financial institutions in the hands of consumers so consumers can use that information to select the financial institutions they want to receive financial products and services from.
• Give consumers control, via an opt-out right, over how financial institutions use and share the consumer's nonpublic personal information with nonaffiliated 3rd parties.

Regulatory and Enforcement Authority
• Banking Agencies (OCC, Fed, FDIC, OTS)
• SEC
• FTC (default regulator)

The Framework is Not Complicated
• Requires financial institutions to provide notice to customers about their privacy policies and practices
• Describes conditions under which financial institutions may disclose nonpublic personal information about consumers to others
• Provides consumers the opportunity to prevent disclosures to most nonaffiliated 3rd parties by "opting-out" (subject to an extensive list of exceptions)

Scope
• Applies to "Financial Institutions," both regulated and non-regulated (Guaranty Agencies are financial institutions; so are nonprofit secondary markets, loan servicers and collection agencies)
• Governs handling of
  1) "nonpublic personal information" (NPI) about individuals (information collected on an application or derived from loan history)
  2) who obtain "financial products or services"
  3) from "financial institutions"
  4) primarily for personal, family or household purposes (e.g., student loans).

Rules Generally Apply to Customers
• Special rule for loans – only one customer relationship per loan
• A school does not establish a customer relationship by certifying a student's eligibility for a FFELP loan.
• A guarantor/insurer does not establish a customer relationship by issuing to the lender its guarantee/insurance on the FFELP loan or private student loan.
• An origination/disbursement agent or loan servicer does not establish a customer relationship by performing loan origination and/or disbursement functions, or servicing a loan, on the lender's behalf.

Content of Privacy Notice
• Customers must be provided a clear and conspicuous notice of privacy policies and, if applicable, a reasonable opportunity to opt out
• Privacy notice must explain:
  – The nature or "types" of information collected
  – The purposes for which information is collected
  – Types of entities with which data is shared, and the purposes for sharing
  – Consumer rights to "opt out" of sharing arrangements with nonaffiliated third parties, with clear direction on how they can freely exercise these rights
• Privacy statements need to be accurate and complete (due diligence needed)

Initial Notice Required When Customer Relationship Established
• New Product Notice. What obligations apply when additional products/services are provided to an existing customer?
  – New notice only needed if the prior privacy notice is not accurate with respect to the new product
  – E.g., a financial institution is not required to send another notice with each loan made under an MPN if the notice provided with the first loan remains accurate with respect to each subsequent loan.
• Annual Customer Notice
  – Must provide recurring annual notice of privacy policies and practices during the continuation of the customer relationship.
  – Notice must be provided on a consistent 12-month basis.
• Revised Notice
  – A financial institution must provide a new notice to all existing customers if the institution changes its privacy policies/practices in a way that makes the prior notice no longer accurate.
• FYI – A bankruptcy condition does not excuse the required notices. The notice is not an attempt to collect a debt, and so does not violate an automatic stay.
• Notices to Consumers – No notices required unless and until the consumer's NPI will actually be shared. Notice, and a reasonable opportunity to opt out (when required), must be provided to the consumer prior to sharing of the consumer's NPI.

Opt-Out Right
Financial institutions that share NPI about consumers with nonaffiliated third parties outside of the opt-out exceptions must provide consumers with:
• An opt-out notice
• A reasonable period of time for the consumer to opt out

Some of the Applicable Exceptions:
• Processing transactions. Disclosures made: as necessary to effect, administer, or enforce a student loan that a student loan consumer requests or authorizes; or in connection with:
  – Servicing or processing the student loan customer's account with the financial institution
  – A proposed or actual securitization, secondary market sale, or similar transaction related to the customer's student loan

Applicable Exceptions (cont.)
• Legal requirements
• Consent
• Rating or Guaranty Agencies. Disclosures to provide information to rating agencies, insurance rate advisory organizations, guaranty funds or agencies, and persons assessing the financial institution's compliance with industry standards
• Credit bureau reporting
• Loan sales
• Antifraud. Disclosures to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability (e.g., skiptracing)

Reuse/Redisclosure Limitations
• When a nonaffiliated 3rd party receives NPI pursuant to one of the "exceptions," the 3rd party may use and redisclose such NPI only as follows:
  – The 3rd party may disclose the information to the financial institution's affiliates;
  – The 3rd party may disclose the information to the 3rd party's affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the 3rd party may disclose and use the information; and
  – The 3rd party may disclose and use the information pursuant to one of the "exceptions" in the ordinary course of business in order to carry out the activity covered by the exception under which it received the information.
• Financial institutions are not required to monitor the use of NPI by nonaffiliated 3rd parties to whom they properly (in accordance with notice and applicable opt-out requirements) disclose such information.

Relationship to State Laws
• The GLB Act does not pre-empt state laws, except to the extent that such laws are inconsistent with the GLB Act. State laws that the FTC determines provide greater protection to consumers are not inconsistent with the GLB Act.

Information Security Rule
• The GLB Act requires regulatory agencies to establish standards for financial institutions relating to administrative, technical and physical information safeguards
  – Banking agencies have issued final guidelines
  – FTC issued final regulation
• The objectives of the program are set in the GLB Act:
  1. Ensure the security and confidentiality of customer information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
  3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
• The program must cover handling of customer information, which is defined to include information that a financial institution collects from its own customers, and also customer information received from other financial institutions.
• Both the Banking Agencies and the FTC contemplate a flexible approach. Each calls for safeguards that are appropriate to:
  – the size and complexity of the institution
  – the nature and scope of its activities, and
  – the sensitivity of the customer information at issue
• The requirements in general are not prescriptive
• The FTC's rule requires that each program contain certain basic elements. Each financial institution must:
  1. designate an employee or employees to coordinate its program;
  2. assess internal and external risks in each area of its operations;
  3. design and implement a written information security program to control these risks through ongoing risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures;
  4. require service providers (by contract) to implement appropriate safeguards for the customer information at issue; and
  5. adapt its program in light of testing and monitoring and material changes to its business that may affect its safeguards.
• Risk assessment should address responding to attacks and intrusions
• Bank regulators have issued proposed guidance on response programs:
  – Determine nature and scope of security breach
  – Notify primary federal regulator
  – Contain incident to prevent further unauthorized access (e.g., shut down applications or connections, reconfigure firewalls, change codes)
  – Address harm to individuals
    – Flag accounts
    – Secure accounts
    – Customer notice when sensitive customer information is disclosed (e.g., SSNs)

Fair and Accurate Credit Transactions Act of 2003 (the "FACT Act")

FACT Act
• Amends the Fair Credit Reporting Act (FCRA)
• Key Provisions
  – National uniformity
  – Creates new body of federal identity theft law
  – Additional credit reporting protections
  – Restriction on affiliate sharing

National Uniformity
• Top priority of banks was to extend and expand FCRA federal pre-emption provisions
• Seven pre-existing pre-emption provisions would have expired on 1/1/04 (e.g., state laws restricting exchange of information among affiliated entities). The FACT Act makes these permanent.
• New national uniformity on certain identity theft provisions (e.g., fraud alerts, "red flag" guidelines and regulations, identity verification)
• A Federal District Court in California has limited the pre-emptive effect of the FCRA. It held that FCRA only regulates dissemination and use of "consumer reports," not consumer information generally.

Identity Theft Provisions
• Creates a national fraud alert system
• Consumers can request consumer reporting agencies (CRAs) to place a fraud alert in their file. Proof of identity required.
• Good for 90 days (initial alert) or 7 years (extended alert), if accompanied by an identity theft report
• No user of a consumer report with a fraud alert may extend credit without utilizing reasonable procedures to verify identity
• FTC directed to define what constitutes proof of identity
• Consumer may request CRAs to block reporting of information resulting from alleged identity theft
• CRAs must notify the provider of the information (who must prevent re-pollution)
• Debt collectors who are notified that a debt may be fraudulent must notify the creditor
• Regulators directed to establish "red flag" guidelines that outline measures to prevent identity theft. The regulators also will require financial institutions to establish and adhere to reasonable procedures implementing the guidelines.
• Consumer reporting agencies required to inform the user if a credit request contains an address different from their records. Regulators directed to prescribe rules on what procedures users should follow.
• Most applicable to PLUS and alternative loans

Credit Reporting Protections
• Consumers entitled to one free credit report each year
• CRAs also obligated to provide credit score information for a reasonable fee
• Lenders must inform customers if they have reported or will report negative information to a CRA. May be a one-time notice.
• Application to student loan delinquency reporting
• A financial institution that grants credit based in whole or in part on a consumer report on terms less favorable than those available to a substantial proportion of the institution's borrowers must notify the customer

Restrictions on Affiliate Sharing
• Consumers must be given the ability to opt out of the use of personal information for marketing purposes. Opt-outs are good for 5 years.
• Some exceptions apply (e.g., where the affiliate also has a customer relationship)
• Opt-out notice may be consolidated with other notices (GLB)
• Financial regulators to issue regulations

Sample of State Law Developments

Financial Privacy
The California Financial Information Privacy Act (SB1, effective 7/1/2001)
– Opt-in for non-affiliate sharing
– Opt-out for affiliate sharing
– No requirement to provide opt-in or opt-out notices to Californians if NPI is shared in certain situations (which are nearly identical to the GLB Act exceptions)
– Applicable to financial institutions doing business in California

Confidentiality of Social Security Numbers
California Confidentiality of Social Security Numbers Law (SB 168, effective 1/1/2002)
The following are prohibited:
• Requiring an individual to transmit a SSN over the internet unless the connection is secure or the number is encrypted
• Requiring an individual to use a SSN for access to a website, unless a password or PIN is required
• Printing an individual's SSN on any materials (other than applications and forms) that are mailed to the individual, unless required by law

Texas (SB 473, effective 1/1/2005)
• Essentially the same except
  – "mailed to individual" changed to "mailed"
  – forms and applications exception limited to applications
• Are B to B mailings covered?

Information Security
CA (SB 1386, effective 1/1/2003)
• Requires a business that maintains computerized data that includes personal information, as defined, to disclose any breach of the security of that data to any affected California resident

Identity Theft
CA (AB 1294, effective 1/1/2004)
• Requires a debt collector to stop collecting a consumer debt for 30 business days if the debtor provides a police report and a written statement that the debtor is a victim of identity theft
• Requires the collector to review the information submitted and to cease collections if the information reasonably establishes that the "debtor" did not incur the debt

Questions?
Thank you for joining us! Please be sure to complete your conference evaluation form!

Shelly Repp
General Counsel
National Council of Higher Education Loan Programs, Inc.