I frequently write about a creditor’s duty to safeguard customer information. See, for example, here and here. This is an important duty that arises out of the Gramm-Leach-Bliley Financial Privacy Act. The Safeguards Rule, issued early on by the FTC, set the standards for safeguarding customer information under GLB.
With the transition of authority from the Federal Trade Commission (FTC) to the Consumer Financial Protection Bureau (CFPB) resulting from the Dodd-Frank Consumer Protection Act, the FTC Safeguards Rule has gotten a little sidetracked. That is, the Dodd-Frank Act transferred the majority of the FTC’s rulemaking authority for privacy to the CFPB, leaving the FTC with rulemaking authority only over certain motor vehicle dealers. (The FTC is still considering some changes to its Rule.)
The CFPB standards for safeguarding consumers’ nonpublic personal information (16 CFR Part 314) require a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The required disclosure may describe in general terms who is authorized to have access to the information and whether the financial institution has security practices and procedures in place to ensure the confidentiality of the information. I have urged creditors to adopt a compliant policy.
Interestingly, many states have joined the effort to safeguard nonpublic personal information by adopting their own data breach notification laws. (Stay tuned for more on data breach notification laws.) The combination of federal and state law evidences the seriousness with which regulators view the privacy of our information, and what happens if such information is inadvertently disclosed.
Creditors should make sure that their policies and practices concerning maintaining the privacy of nonpublic personal information held by them have been updated to address the appropriate response for inadvertent disclosure.
Major companies have been embarrassed (and worse) by data security breaches.
Please note: This is the one hundred fifteenth blog in a series of Back to Basics blogs, in which relevant and resourceful information can be easily accessed by clicking here.