Introduction to the Gramm-Leach-Bliley Act
Information that many would consider
private--including bank balances and account numbers--is regularly
bought and sold by banks, credit card companies, and other financial
institutions. The Gramm-Leach-Bliley Act (GLBA), which is also known
as the Financial Services Modernization Act of 1999, provides limited
privacy protections against the sale of your private financial information.
Additionally, the GLBA codifies protections against pretexting, the
practice of obtaining personal information through false pretenses.
The GLBA primarily sought to "modernize"
financial services--that is, end regulations that prevented the merger
of banks, stock brokerage companies, and insurance companies. The
removal of these regulations, however, raised significant risks that
these new financial institutions would have access to an incredible
amount of personal information, with no restrictions upon its use.
Prior to GLBA, the insurance company that maintained your health records
was distinct from the bank that mortgaged your house and the stockbroker
that traded your stocks. Once these companies merged, however, they
would have the ability to consolidate, analyze and sell the personal
details of their customers' lives. Because of these risks, the GLBA
included three simple requirements to protect the personal data of
individuals: First, banks, brokerage companies, and insurance companies
must securely store personal financial information. Second, they must
advise you of their policies on sharing of personal financial information.
Third, they must give consumers the option to opt-out of some sharing
of personal financial information.
History of the Gramm-Leach-Bliley Act
The history of the GLBA has its roots
in the separation of banks, brokerage companies, and insurance companies.
As a result of the financial failures of the Great Depression, Congress
in 1933 passed the Glass-Steagall Act prohibiting national and state
banks from affiliating with securities companies. In 1956, Congress
passed the Bank Holding Company Act that prohibited a bank from controlling
a non-bank company. In 1982, Congress amended the Bank Holding Company Act
to further forbid banks from conducting general insurance underwriting
or agency activities. This changed, however, in 1999, when the GLBA
repealed sections of these acts and allowed banks to engage in a wide
range of financial services.
The privacy risks from such mergers
were put onto the agenda by a series of international and domestic
events. On the international front, in 1995, the EU passed the Data
Protection Directive, which required that international data exchanges
that used EU citizens' personal data be accorded the same level of
protection that their home country would afford them. This meant that
US companies would have to ensure that when they used EU citizens'
personal data they provided the same level of protection these citizens
were afforded within the EU. The EU was especially concerned with
the US government's preference for self-regulatory approaches to privacy
and the lack of federal privacy legislation. While the EU and US agreed
to a Safe Harbor arrangement, which allowed companies to self-regulate
under FTC oversight, financial services industries were not included
in the original agreement.
In the United States, privacy was increasingly
cited as being at risk. Public polls at the time indicated citizen
privacy awareness and unhappiness with the banking industry's lack
of concern for consumer privacy issues. These poll responses led to
subsequent studies that indicated how much consumers were concerned
with ineffectual bank privacy standards and the lack of consumer protections
against unwanted information sharing.
These attitudes were further fueled
by a series of high profile cases involving banks selling consumer
information with adverse consequences for customers including marketing,
credit fraud, and identity theft.
In November 1997, Charter Pacific Bank
of Agoura Hills, California sold millions of credit card numbers to
an adult web site company, which then proceeded to bill customers for
access to Internet porn sites and other services they did not request.
Some of the customers billed did not even own a computer. The web site
company had set up numerous merchant accounts under different names
to avoid detection. In September 2000, the FTC
announced that it had won a $37.5 million judgment against the web site
company. While the bank maintained that it did not do anything wrong,
it has since stopped selling credit card numbers to merchants.
In 1998, NationsBank (later merged with
Bank of America) was fined millions for securities law violations
because it shared customer information with its affiliate subsidiary
NationsSecurities. The subsidiary then convinced low-risk customers
to buy high-risk investments. Many NationsBank customers lost large
amounts, and many senior citizens lost large portions of their life
savings.
In June 1999, the Minnesota Attorney
General initiated a lawsuit against U.S. Bancorp for sharing customer
information with third-party marketers, in violation of its own policies,
without customer knowledge or authorization. The telemarketers then
illicitly charged those customers. U.S. Bancorp eventually settled
that case, along with those brought by 39 other state attorneys general.
In April 2000, Minnesota settled with the third-party telemarketer,
MemberWorks, that U.S. Bancorp used. According to MemberWorks' SEC
filings, 19 of the 25 largest banks in the US had contracts with
it. Other prominent banks, including Chase Manhattan and Citibank,
have been involved in schemes in which personal account information was
sold to telemarketers.
This confluence of international and
domestic events prompted Congress to include Title V in its GLBA provisions,
which contains limited privacy protections for financial information.
The GLBA was introduced in the Senate by Senator Phil Gramm (R-TX)
as 106 S. 900 and in the House of Representatives by Representative
James Leach (R-IA) as 106 H.R. 10. It was signed by President Clinton
and became Public Law 106-102 (113 Stat. 1338) on November 11, 1999.
The privacy protections are codified at 15 USC § 6801-6810.
Privacy protections under the Gramm-Leach-Bliley Act
The GLBA's privacy protections only
regulate financial institutions--businesses
that are engaged in banking, insuring, stocks and bonds, financial
advice, and investing.
First, these financial institutions,
whether they wish to disclose your personal information or not, must
develop precautions to ensure the security and confidentiality of
customer records and information, to protect against any anticipated
threats or hazards to the security or integrity of such records, and
to protect against unauthorized access to or use of such records or
information which could result in substantial harm or inconvenience
to any customer.
Second, financial institutions are required
to provide you with a notice of their information sharing policies
when you first become a customer, and annually thereafter. That notice
must inform the consumer of the financial institution's policies on:
disclosing nonpublic personal information (NPI) to affiliates and
nonaffiliated third parties, disclosing NPI after the customer relationship
is terminated, and protecting NPI. "Nonpublic personal information"
means all information on applications to obtain financial services
(credit card or loan applications), account histories (bank or credit
card) and the fact that an individual is or was a customer. This interpretation
of NPI makes names, addresses, telephone numbers, Social Security
Numbers and other data subject to the GLBA's data sharing restrictions.
Third, the GLBA gives consumers the
right to opt-out from a limited amount of NPI sharing. Specifically,
a consumer can direct the financial institution to not share information
with unaffiliated companies.
Consumers have no right under the GLBA
to stop sharing of NPI among affiliates. An affiliate is any company
that controls, is controlled by, or is under common control with another
company. The individual consumer has absolutely no control over this
kind of "corporate family" trading of personal information.
There are several exemptions under the
GLBA that can permit information sharing over the consumer's objection.
For instance, if a financial institution wishes to engage the services
of a separate company, they can transfer personal information to that
company by arguing that the information is necessary to the services
that the company will perform. A financial institution can transfer
information to a marketing or sales company to sell new products (different
stocks) or jointly offered products (co-sponsored credit cards). Once
this unaffiliated third party has your personal information, they
can share it with their own "corporate family." However,
they themselves cannot likewise transfer the information to further
companies through this exemption.
In addition, financial institutions
can disclose your information to credit reporting agencies, financial
regulatory agencies, as part of the sale of a business, to comply
with any other laws or regulations, or as necessary for a transaction
requested by the consumer.
Fourth, financial institutions are prohibited
from disclosing, other than to a consumer reporting agency, access
codes or account numbers to any nonaffiliated third party for use
in telemarketing, direct mail marketing, or other marketing through
electronic mail. Thus, even if a consumer fails to "opt-out"
of a financial institution's transfers, their credit card numbers,
PINs or other access codes cannot be sold, as they had been in some
previous cases.
Fifth, certain types of "pretexting"
were prohibited by the GLBA. Pretexting is the practice of collecting
personal information under false pretenses. Pretexters pose as authority
figures (law enforcement agents, social workers, potential employers,
etc.) and manufacture seductive stories (that the victim is about
to receive a sweepstakes award or insurance payment) in order to elicit
personal information about the victim. The GLBA prohibits the use
of false, fictitious or fraudulent statements or documents to get
customer information from a financial institution or directly from
a customer of a financial institution; the use of forged, counterfeit,
lost or stolen documents to get customer information from a financial
institution or directly from a customer of a financial institution;
and asking another person to get someone else's customer information
using false, fictitious, or fraudulent documents or forged, counterfeit,
lost or stolen documents.
However, investigators still can call
friends, relatives, or entities not covered by the GLBA under false
pretenses in order to gain information on the victim.
Problems with the Gramm-Leach-Bliley Act
First, the GLBA does not protect consumers.
It unfairly places the burden on the individual to protect privacy
with an opt-out standard. By placing the burden on the customer to
protect their data, GLBA weakens customer power to control their financial
information. The Act's opt-out provisions do not require institutions
to provide a standard of protection for their customers regardless
of whether they opt out. This provision is based
on the assumption that financial companies will share information
unless expressly told not to by their customers; if customers neglect
to respond, institutions are free to disclose customer
nonpublic personal information.
Second, the GLBA notices are confusing
and limit the transparency of information practices. GLBA assumes
a company will explain a complex set of legal definitions added to
numerous exceptions to the law in a way that will allow for an informed
choice and in transparent language. There are reservations about a
company's desire to do this.
Moreover, according to recent studies,
most privacy and opt-out policies are usually convoluted, confusing,
and misleading since they are created by entities whose interests
are better served when there is no effective notice. GLBA does little
to deal with the lack of transparency in the privacy notices themselves.
Typical privacy notices do not include any specific information about
how the data is actually used. GLBA notices do inform consumers that
their personal information will be shared, but they generally do not
inform the individual of who will receive the information or the purposes
for which it will be used.
Third, the GLBA fails to enhance consumers'
control over affiliate information sharing. Consumers have no opt-out
right against affiliate information sharing. In today's world of mega-mergers,
a bank may have over one thousand affiliates, some of which may be
completely unrelated to financial services.
Fourth, financial institutions can evade
opt-out requirements by exploiting the exceptions in the GLBA. The
service provider/joint marketing exemption allows financial institutions
to share information with non-affiliated third parties despite a consumer's
opt-out.
Fifth, the GLBA has weak enforcement
and compensation mechanisms. GLBA's enforcement mechanisms are inadequate
to assure compliance with even existing weak privacy protections.
Enforcement rests solely with federal government agencies, leaving
the individual no private right of action.
How the Gramm-Leach-Bliley Act could be improved
Privacy advocates and industry groups
have asked for some substantial changes to the GLBA to ensure greater
protection and consumer security. Some of these changes include:
1. Financial institutions should implement
an opt-in approach to the use of personal information because this
minimizes any unwanted or unknowing disclosure of information and
places the burden of responsibility on those actors who will gain
from the disclosure of information.
2. If an opt-out framework is maintained, financial institutions should
be obligated to offer and accept alternative opt-out methods. They
should be required to provide simple opt-out processes, including easy
access to privacy policies at branch offices and online through a
single web site with opt-out information.
3. In order to ensure greater transparency and accountability, financial
institutions should state in their privacy reports what the information
will be used for. Financial institutions should be required
to provide customers with a statutory right of access to learn more
about industry practices, so that customers know how the information is collected,
who the institution's affiliates are, and what the collected information is
used for.
4. Financial institutions
should provide simply stated and clear privacy policies. Financial
institutions should be required to follow acceptable standards for
readability by displaying clearer and more transparent privacy reports.
5. Enforcement authority should be expanded to give states concurrent jurisdiction
to enforce the provisions of GLBA, in order to ensure a more effective
enforcement program.
6. Individuals should have the right to protect their privacy and
seek remedies and redress under GLBA. As GLBA currently stands, there
is no private right of action.
7. Individuals should be given the right to review information that is disclosed
and to correct inaccurate or incomplete data.