privacy laws.ppt

Upload: hernan-huw

Post on 02-Jun-2018


TRANSCRIPT

  • 8/11/2019 Privacy Laws.ppt

    1/49

    Privacy Laws

    Shelly Repp

    General Counsel

    National Council of Higher Education Loan Programs, Inc.

    2/49

    Gramm-Leach-Bliley Act and Regulations


    5/49

    Regulatory and Enforcement Authority

    Banking Agencies (OCC, Fed, FDIC, OTS)

    SEC

    FTC (default regulator)

    6/49

    The Framework is Not Complicated

    Requires financial institutions to provide notice to customers about their privacy policies and practices

    Describes conditions under which financial institutions may disclose nonpublic personal information about consumers to others

    Provides consumers the opportunity to prevent disclosures to most nonaffiliated 3rd parties by opting out (subject to extensive list of exceptions)

    7/49

    Scope

    Applies to Financial Institutions, both regulated and non-regulated (Guaranty Agencies are financial institutions; so are nonprofit secondary markets, loan servicers and collection agencies)

    Governs handling of

    1) nonpublic personal information (NPI) about individuals (information collected on an application or derived from loan history)
    2) who obtain financial products or services
    3) from financial institutions
    4) primarily for personal, family or household purposes (e.g., student loans).

    8/49

    Rules Generally Apply to Customers

    Special rule for loans: only one customer relationship per loan

    A school does not establish a customer relationship by certifying a student's eligibility for a FFELP loan.

    A guarantor/insurer does not establish a customer relationship by issuing to the lender its guarantee/insurance on the FFELP loan or private student loan.

    An origination/disbursement agent or loan servicer does not establish a customer relationship by performing loan origination and/or disbursement functions, or servicing a loan, on the lender's behalf.

    9/49

    Content of Privacy Notice

    Customers must be provided a clear and conspicuous notice of privacy policies and, if applicable, a reasonable opportunity to opt out

    Privacy notice must explain:

    The nature or types of information collected

    The purposes for which information is collected

    Types of entities with which data is shared, and the purposes for sharing

    Consumer rights to opt out of sharing arrangements with nonaffiliated third parties, with clear direction on how they can freely exercise these rights

    Privacy statements need to be accurate and complete (due diligence needed)

    10/49

    Initial Notice Required When Customer Relationship Established

    New Product Notice. What obligations apply when additional products/services are provided to an existing customer?

    New notice only needed if prior privacy notice is not accurate with respect to the new product

    E.g. A financial institution is not required to send another notice with each loan made under an MPN if the notice provided with the first loan remains accurate with respect to each subsequent loan.

    11/49

    Annual Customer Notice

    - Must provide recurring annual notice of privacy policies and practices during the continuation of the customer relationship.
    - Notice must be provided on a 12-month consistent basis.

    Revised Notice

    A financial institution must provide a new notice to all existing customers if the institution changes its privacy policies/practices in a way that makes the prior notice no longer accurate.

    12/49

    Notices to Consumers

    No notices required unless and until the consumer's NPI will actually be shared. Notice, and a reasonable opportunity to opt out (when required), must be provided to the consumer prior to sharing of the consumer's NPI.

    FYI - A bankruptcy condition does not excuse the required notices. The notice is not an attempt to collect a debt, and so does not violate an automatic stay.

    13/49

    Opt-Out Right

    Financial Institutions that share NPI about consumers with nonaffiliated third parties outside of opt-out exceptions must provide consumers with:

    An opt-out notice

    A reasonable period of time for the consumer to opt out

    14/49

    Some of the Applicable Exceptions:

    Processing transactions. Disclosures made:

    As necessary to effect, administer, or enforce a student loan that a student loan consumer requests or authorizes; or in connection with:

    Servicing or processing the student loan customer's account with the financial institution

    A proposed or actual securitization, secondary market sale, or similar transaction related to the customer's student loan

    15/49

    Applicable Exceptions (cont.)

    Legal requirements

    Consent

    Rating or Guaranty Agencies. Disclosures to provide information to rating agencies, insurance rate advisory organizations, guaranty funds or agencies, and persons assessing the financial institution's compliance with industry standards

    16/49

    Applicable Exceptions (cont.)

    Credit bureau reporting

    Loan Sales

    Antifraud. Disclosures to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability (e.g. skip-tracing)

    17/49

    Reuse/Redisclosure Limitations

    When a nonaffiliated 3rd party receives NPI pursuant to one of the exceptions, the 3rd party may use and redisclose such NPI only as follows:

    - The 3rd party may disclose the information to the financial institution's affiliates;
    - The 3rd party may disclose the information to the 3rd party's affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the 3rd party may disclose and use the information; and

    18/49

    Reuse/Redisclosure Limitations (cont.)

    - The 3rd party may disclose and use the information pursuant to one of the exceptions in the ordinary course of business in order to carry out the activity covered by the exception under which it received the information.
    - Financial Institutions are not required to monitor the use of NPI by nonaffiliated 3rd parties to whom it properly (in accordance with notice and applicable opt-out requirements) discloses such information.

    19/49

    Relationship to State Laws

    GLB Act does not pre-empt state laws, except to the extent that such laws are inconsistent with the GLB.

    State laws that the FTC determines provide greater protection to consumers are not inconsistent with the GLB Act.

    20/49

    Information Security Rule

    GLB Act requires regulatory agencies to establish standards for financial institutions relating to administrative, technical and physical information standards

    Banking agencies have issued final guidelines

    FTC issued final regulation

    21/49

    The objectives of the program are set in the GLB Act:

    1. Ensure the security and confidentiality of customer information;
    2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
    3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

    22/49

    The program must cover handling of customer information, which is defined to include information that a financial institution collects from its own customers, and also customer information received from other financial institutions.

    23/49

    Both the Banking Agencies and FTC contemplate a flexible approach. Each calls for safeguards that are appropriate to:

    the size and complexity of the institution

    the nature and scope of its activities, and

    the sensitivity of the customer information at issue

    The requirements in general are not prescriptive

    24/49

    The FTC's rule requires that each program contain certain basic elements. Each financial institution must:

    1. designate an employee or employees to coordinate its program;
    2. assess internal & external risks in each area of its operations;
    3. design and implement a written information security program to control these risks through ongoing risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures;

    26/49

    Risk assessment should address responding to attacks and intrusions

    Bank regulators have issued proposed guidance on response programs

    - Determine nature and scope of security breach
    - Notify primary federal regulator

    27/49

    - Contain incident to prevent further unauthorized access (e.g. shut down applications or connections, reconfigure firewalls, change codes)
    - Address harm to individuals
      - Flag accounts
      - Secure accounts
      - Customer notice when sensitive customer information disclosed (e.g., SSNs)

    28/49

    Fair and Accurate Credit Transactions Act of 2003 (the FACT Act)

    29/49

    FACT Act

    Amends Fair Credit Reporting Act (FCRA)

    Key Provisions

    National uniformity

    Creates new body of federal identity theft law

    Additional credit reporting protections

    Restriction on affiliated sharing

    30/49

    National Uniformity

    Top priority of banks was to extend and expand FCRA federal pre-emption provisions

    Seven pre-existing pre-emption provisions would have expired on 1/1/04 (e.g. state laws restricting exchange of information among affiliated entities). FACT Act makes these permanent.

    New national uniformity on certain identity theft provisions (e.g. fraud alerts, red flag guidelines and regulations, identity verification)

    31/49

    National Uniformity

    A Federal District Court in California has limited the pre-emptive effect of the FCRA. It held that FCRA only regulates dissemination and use of consumer reports, not consumer information generally.

    32/49

    Identity Theft Provisions

    Creates a national fraud alert system

    Consumers can request consumer reporting agencies (CRAs) to place fraud alert in file.

    Proof of identity required

    Good for 90 days (initial alert) or 7 years (extended alert), if accompanied by an identity theft report

    33/49

    Identity Theft Provisions

    No user of consumer report with fraud alert may extend credit without utilizing reasonable procedures to verify identity

    FTC directed to define what constitutes proof of identity

    34/49

    Identity Theft Provisions

    Consumer may request CRAs to block reporting of information resulting from alleged identity theft

    CRAs must notify provider of information (who must prevent repollution)

    Debt collectors who are notified that a debt may be fraudulent must notify the creditor

    35/49

    Identity Theft Provisions

    Regulators directed to establish red flag guidelines that outline measures to prevent identity theft. The regulators also will require financial institutions to establish and adhere to reasonable procedures implementing the guidelines.

    Consumer reporting agencies required to inform user if a credit request contains an address different from their records. Regulators directed to prescribe rules on what procedures users should follow.

    36/49

    Identity Theft Provisions

    Most applicable to PLUS and alternative loans

    38/49

    Credit Reporting Protections

    Lenders must inform customers if they have or will report negative information to a CRA. May be a one-time notice

    Application to student loan delinquency reporting

    39/49

    Credit Reporting Protections

    A financial institution that grants credit based in whole or in part on a consumer report on terms less favorable than those available to a substantial proportion of the institution's borrowers must notify the customer

    40/49

    Restrictions on Affiliate Sharing

    Consumers must be given the ability to opt out of the use of personal information for marketing purposes.

    Opt-outs are good for 5 years.

    Some exceptions apply (e.g. where affiliate also has a customer relationship)

    41/49

    Restrictions on Affiliate Sharing

    Opt-out notice may be consolidated with other notices (GLB)

    Financial regulators to issue regulations

    42/49

    Sample of State Law Developments

    43/49

    Financial Privacy

    The California Financial Information Privacy Act (SB1, effective 7/1/2001)

    - Opt-in for non-affiliate sharing
    - Opt-out for affiliate sharing
    - No requirement to provide opt-in or opt-out notices to Californians if NPI shared in certain situations (which are nearly identical to GLB Act exceptions)
    - Applicable to financial institutions doing business in California

    45/49

    Confidentiality of Social Security Numbers

    Texas (SB 473, effective 1/1/2005)

    Essentially the same except
    - "mailed to individual" changed to "mailed"
    - forms and applications exception limited to applications

    Are B to B mailings covered?

    46/49

    Information Security

    CA (SB 1386, effective 1/1/2003)

    Requires a business that maintains computerized data that includes personal information, as defined, to disclose any threats to the security of that data to any affected California resident

    47/49

    Identity Theft

    CA (AB 1294, effective 1/1/2004)

    Requires a debt collector to stop collecting a consumer debt for 30 business days if debtor provides police report and written statement that debtor is victim of identity theft

    Requires the collector to review information submitted and to cease collections if information reasonably establishes that debtor did not incur debt

    48/49

    Questions?

    49/49

    Thank you for joining us! Please be sure to complete your conference evaluation form!

    Shelly Repp

    General Counsel

    National Council of Higher Education Loan Programs, Inc.