In this series on defining your company’s information security classifications, we’ve already looked at Protected Information under state PII breach notification statutes, and PHI under HIPAA. What’s next? Customer information that must be safeguarded under the Gramm-Leach-Bliley Act (GLBA), a concern for any “financial institution” under GLBA.
GLBA begins with an elegant, concise statement of congressional policy: “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” Sounds straightforward, doesn’t it? Things get complicated, though, for three reasons: (1) the broad scope of what constitutes a “financial institution” subject to GLBA; (2) the byzantine structure of regulators authorized under GLBA to issue rules and security standards and to enforce them; and (3) the amorphous definition of nonpublic customer information.
GLBA “Financial Institution”
Traditionally-understood financial institutions are subject to GLBA, such as federal- and state-chartered banks, savings and loan associations, and the like. But GLBA also applies to “any institution the business of which is engaging in financial activities” as described in the Bank Holding Company Act, 12 USC § 1843(k). The list is expansive, encompassing such financial activities as lending, exchanging, transferring, investing for others, or safeguarding money or securities; acting as an insurance company or principal, agent, or broker in any state; providing financial, investment, or economic advisory services; and underwriting, dealing in, or making a market in securities. The statute also incorporates the Federal Reserve Board’s even longer regulatory list of activities that are “proper incident to” banking:
- Extending credit and servicing loans;
- Activities related to extending credit;
- Leasing personal or real property;
- Operating nonbank depository institutions;
- Trust company functions;
- Financial and investment advisory activities;
- Agency transactional services for customer investments;
- Investment transactions as principal;
- Management consulting and counseling activities;
- Specified management consulting;
- Specified support services;
- Insurance agency and underwriting;
- Specified community development activities;
- Issuing or selling money orders, savings bonds, and traveler’s checks; and
- Data processing of financial, banking, or economic data.
Other federal regulations give further examples of what is, and is not, a financial institution subject to GLBA, due to being “significantly engaged” in financial activities. The following are examples under FTC regulations, themselves subject to further exceptions:
- Retailers that extend credit by issuing their own credit cards directly to consumers;
- Personal property or real estate appraisers;
- Automobile dealerships that, as a usual part of their business, lease automobiles on a nonoperating basis for longer than 90 days;
- Career counselors that specialize in providing career counseling services to individuals currently employed by or recently displaced from a financial organization, individuals who are seeking employment with a financial organization, or individuals who are currently employed by or seeking placement with the finance, accounting or audit departments of any company;
- Businesses that print and sell checks for consumers, either as their sole business or as one of their product lines;
- Businesses that regularly wire money to and from consumers;
- Check cashing businesses;
- Accountants or other tax preparation services that are in the business of completing income tax returns;
- Businesses that operate a travel agency in connection with financial services;
- Providers of real estate settlement services;
- Mortgage brokers; and
- Investment advisory companies and credit counseling services.
As Forrest Gump would have observed, “‘Financial institution’ is as financial institution does.” The outer reaches of GLBA applicability get blurry, and so legal counsel is advisable at the edges.
The myriad GLBA regulators
GLBA has no single regulator. Instead, rulemaking and enforcement authority for the GLBA security standards are housed in a regulatory jigsaw puzzle:
- Office of Comptroller of the Currency (OCC) – national banks and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers, see below);
- Board of Governors of the Federal Reserve – member banks of the Federal Reserve System (other than national banks) and bank holding companies and their non-bank subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers, see below);
- Federal Deposit Insurance Corporation (FDIC) – banks (other than Federal Reserve System members) insured by the FDIC, savings associations with deposits insured by the FDIC, and their subsidiaries (except brokers, dealers, persons providing insurance, investment companies, and investment advisers, see below);
- Board of the National Credit Union Association (NCUA) – federally insured credit unions and their subsidiaries;
- Commodity Futures Trading Commission (CFTC) – entities and persons subject to CFTC jurisdiction;
- Securities & Exchange Commission (SEC) – brokers and dealers, investment companies, and registered investment advisers;
- State Insurance Authorities – persons engaged in providing insurance; and
- Federal Trade Commission (FTC) – any other entity or person subject to GLBA but not regulated by the agencies above.
The Consumer Financial Protection Act of 2010, part of the Dodd-Frank Act, created the Bureau of Consumer Financial Protection (CFPB), and generally transferred to the CFPB the rulemaking and enforcement authority for federal consumer financial protection laws for banking institutions, including the privacy rules under GLBA. But the authority to set and enforce GLBA security standards did not transfer to the CFPB, instead remaining with the various original GLBA regulators above.
Who cares? One needs to identify the applicable GLBA regulator(s) to be sure that the right security standards are considered – different regulators express their GLBA security requirements in different ways.
Protected information to be secured under GLBA
Oddly, while GLBA requires the various GLBA regulators to issue security standards for customer information, the statute doesn’t define what is a “customer” – one must consult the rules of the various agencies. Generally, “customer” means a consumer who obtains a financial product or service to be used primarily for personal, family, or household purposes and who has a continuing relationship with the financial institution. “Customer information” is generally any record containing nonpublic personal information (“NPI”) about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the financial institution.
NPI means: (1) personally identifiable financial information; and (2) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. For example, NPI includes any list of individuals’ names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account number.
“Personally identifiable financial information” means any information: (1) a consumer provides to a GLBA financial institution to obtain a financial product or service from the financial institution; (2) about a consumer resulting from any transaction involving a financial product or service between the financial institution and a consumer; or (3) the financial institution otherwise obtains about a consumer in connection with providing a financial product or service to that consumer. 12 C.F.R. § 1016.3(q)(1).
Examples of personally identifiable financial information include:
- Information a consumer provides to the financial institution on an application to obtain a loan, a credit card, a credit union membership, or other financial product or service (for example, the consumer’s name, phone number, address, income, etc.);
- Account balance information, payment history, overdraft history, and credit or debit card purchase information;
- The fact that an individual is or has been one of the financial institution’s customers or has obtained a financial product or service from it;
- Any information about the financial institution’s consumer if it is disclosed in a manner that indicates the individual is or has been the financial institution’s consumer;
- Any information that a consumer provides to the financial institution, or that the financial institution or its agent obtains, in collecting on or servicing a loan or a credit account;
- Any information the financial institution collects through an Internet “cookie”; and
- Information from a consumer report.
But personally identifiable financial information does not include a list of names and addresses of customers of an entity that is not a financial institution, or information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
This is a lot to digest, and it merely hits the high points. One of those key points is this – any security classification framework for an entity subject to GLBA must be carefully vetted against the definitions and standards of the applicable regulators.