In our initial article announcing our top 10 considerations for financial institutions in 2016, our fourth consideration was data security and privacy. While the recent focus has been on cybersecurity, it is important to remember that financial institutions remain subject to privacy requirements, and that appropriate security of nonpublic personal information (NPPI) remains an integral component of privacy, as it always has.
In order to protect consumers, the privacy provisions of the Gramm-Leach-Bliley Act (GLBA) set forth a framework under which financial institutions must securely store NPPI, advise customers of their privacy policies, and provide certain opt-out rights, especially as they pertain to sharing with non-affiliates for those non-affiliates’ own marketing purposes. Regulatory implementation of those requirements resulted in a fairly specific set of categories of disclosures that are required in privacy notices, as well as a model privacy form that is deemed to satisfy the applicable requirements. The disclosures are provided both when the customer relationship is established and, thereafter, on an annual basis for ongoing customer relationships. Most of us are used to getting these notices in the mail. Notably, state laws may impose specific, additional requirements (such as laws in California and Vermont), and other laws (such as state regulations applicable to insurers and insurance agencies) may apply depending on the line of business in which the financial institution is engaged.
Financial institutions should take care to abide by the GLBA and the various state law privacy requirements, including by honoring “hold” periods (during which certain types of sharing are prohibited in order to give the consumer or customer an opportunity to opt out). The Consumer Financial Protection Bureau’s Supervision and Examination Manual, version 2.0, provides a good roadmap for compliance.
Even beyond the privacy notification regime, financial institutions should take care to avoid running afoul of the prohibition under the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 against unfair, deceptive, and abusive acts or practices. The CFPB, which enforces that prohibition, has stated that it will follow the FTC’s lead in enforcing against “deceptive” practices that consist of material misrepresentations to consumers (e.g., in website privacy policies or other representations to consumers) regarding a financial institution’s privacy practices. In practice, this means a privacy policy is a set of promises the institution’s systems must actually keep.
As is true for any company, a financial institution cannot appropriately administer its privacy practices without appropriate security measures. Thus, a financial institution must ensure that its information security measures provide the appropriate protections (including access controls and logging) to implement, maintain, and demonstrate the integrity of the institution’s internal and external policies regarding the sharing and use of NPPI. Needless to say, this also includes appropriate controls and oversight of the financial institution’s service providers.
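One way to make the “hold” period and opt-out rules from the preceding paragraphs enforceable in code, and to produce the log that lets the institution later demonstrate that its stated sharing policy was followed, is a sharing gate that every nonaffiliate disclosure must pass through. The block below is an added illustration and is not code from the original article, the CFPB manual, or any regulator. It assumes a simplified model: the length of the hold period, the set of purposes treated as outside the opt-out, the record fields, and the customer scenario are all assumptions made for this example, not values the article or the GLBA regulations prescribe.

```python
"""Sharing gate for NPPI with an audit trail (added example; assumptions noted inline)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed simplification: nonaffiliate sharing for these purposes is treated as
# outside the opt-out. The real scope of the GLBA exceptions is a question for counsel.
EXCEPTION_PURPOSES = frozenset(
    {"servicing", "transaction_processing", "service_provider", "legal_compliance"}
)


@dataclass
class CustomerPrivacyState:
    customer_id: str
    notice_delivered: Optional[date]  # date the initial privacy notice was provided
    opted_out: bool = False           # customer exercised the nonaffiliate opt-out


@dataclass
class SharingRequest:
    customer_id: str
    recipient_is_affiliate: bool
    purpose: str                      # e.g. "servicing" or "recipient_marketing"
    requested_on: date


@dataclass
class SharingGate:
    # Opt-out window after the notice; an assumed parameter, not a legal value.
    hold_period: timedelta = timedelta(days=30)
    audit_log: list = field(default_factory=list)

    def decide(self, state: CustomerPrivacyState, request: SharingRequest) -> bool:
        """Return True if the disclosure may proceed; always record the decision."""
        if request.customer_id != state.customer_id:
            raise ValueError("privacy state does not belong to the requested customer")
        if request.recipient_is_affiliate:
            allowed, reason = True, "affiliate recipient; nonaffiliate opt-out not applicable"
        elif request.purpose in EXCEPTION_PURPOSES:
            allowed, reason = True, f"assumed exception purpose '{request.purpose}'"
        elif state.notice_delivered is None:
            # Unknown notice status fails closed: no notice, no nonaffiliate sharing.
            allowed, reason = False, "no initial privacy notice on file (fail closed)"
        elif state.opted_out:
            allowed, reason = False, "customer has opted out of nonaffiliate sharing"
        elif request.requested_on < state.notice_delivered + self.hold_period:
            allowed, reason = False, "opt-out hold period has not elapsed since notice"
        else:
            allowed, reason = True, "notice delivered, hold period elapsed, no opt-out"
        # The log is the evidence that the published policy was actually applied.
        self.audit_log.append({
            "customer_id": request.customer_id,
            "requested_on": request.requested_on.isoformat(),
            "recipient": "affiliate" if request.recipient_is_affiliate else "nonaffiliate",
            "purpose": request.purpose,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed


def run_demo():
    """Constructed scenario (sample data, not real customers); returns decisions and log."""
    gate = SharingGate()
    alice = CustomerPrivacyState("C-1001", notice_delivered=date(2016, 1, 4))
    bob = CustomerPrivacyState("C-1002", notice_delivered=None)
    decisions = [
        gate.decide(alice, SharingRequest("C-1001", False, "recipient_marketing", date(2016, 1, 20))),  # inside hold period
        gate.decide(alice, SharingRequest("C-1001", False, "servicing", date(2016, 1, 20))),            # exception purpose
        gate.decide(alice, SharingRequest("C-1001", False, "recipient_marketing", date(2016, 2, 10))),  # hold elapsed
    ]
    alice.opted_out = True
    decisions += [
        gate.decide(alice, SharingRequest("C-1001", False, "recipient_marketing", date(2016, 3, 1))),   # opted out
        gate.decide(alice, SharingRequest("C-1001", True, "recipient_marketing", date(2016, 3, 1))),    # affiliate
        gate.decide(bob, SharingRequest("C-1002", False, "recipient_marketing", date(2016, 3, 1))),     # no notice
    ]
    return decisions, gate.audit_log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

Two design points matter more than the particular rules: the gate fails closed whenever the notice status is unknown, and every decision, allowed or denied, is written to the log with its reason, because a denial that leaves no trace is just as hard to demonstrate to an examiner as an unauthorized disclosure.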
As pointed out in our recent QuickStudy on the #3 consideration for financial institutions in 2016, cybersecurity, it is axiomatic that institutions must know what personal information they are responsible for, and the systems on which that information resides or from which it may be accessed. Regulatory agencies have become keen observers when it comes to privacy matters, including the associated data security measures. We expect continued focus from financial institution regulators in the coming years on privacy compliance programs and practices.