If You Let Them Build It, They Will Come: Regulatory Agencies Release Model Privacy Notice Online Form Builder

More than five months ago, eight federal regulatory agencies released their final model privacy notice form (“Model Form”) (which we blogged about here) to help financial institutions satisfy the disclosure requirements established by the Gramm-Leach-Bliley Act (“GLBA”) and help consumers understand how these institutions collect and share their information. On April 15, 2010, those same agencies attempted to ease the burden of completing the Model Form by releasing an Online Form Builder.

The Online Form Builder provides the financial institution with the choice of four form options depending on the financial institution’s data sharing practices and the opt-out rights it extends to consumers.

Some financial institutions will gravitate towards the Model Form because by using it, they will obtain a legal “safe harbor” which confirms their compliance with the GLBA’s disclosure requirements. It remains to be seen, however, whether all financial institutions will adopt the Model Form given the difficulty a financial institution may have in conveying its complex affiliate relationships and the fact that the Model Form rules do not allow the form to be modified in any material respect.

Innocent Mall Shoppers, You're Off the Hook: Federal Agencies Release Model GLBA Privacy Notice Form

On November 17, 2009, eight federal regulatory agencies released their final model privacy notice form that is intended to make it easier for consumers to understand how financial institutions collect and share information about them. The model privacy notice form, which features a version that offers consumers an opt-out and one with no opt-out, represents the culmination of extensive research and testing by the various agencies, which included a nationwide mall-intercept study (see our previous post here), and their analysis of public comments on the model form first proposed on March 29, 2007. The agencies’ efforts in this regard were spurred by the Financial Services Regulatory Relief Act of 2006, which amended the Gramm-Leach-Bliley Act (“GLBA”) and called upon the federal financial services agencies to jointly propose a succinct and comprehensible format for GLBA privacy notices.

The final model privacy notice form was developed jointly by the Board of Governors of the Federal Reserve System, Commodity Futures Trading Commission, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and Securities and Exchange Commission. It is hailed as a consumer-friendly notice that allows consumers to easily compare the privacy practices of different financial institutions. Financial institutions that choose to use the model form, which will take effect 30 days after publication in the Federal Register, will obtain a “safe harbor” that declares them in compliance with the GLBA’s disclosure requirements. Publication of the final model privacy notice in the Federal Register is expected soon.

With the release of the model form, despite opposition from major industry players, the agencies plan to eliminate the existing sample clauses and accompanying compliance safe harbors, which limited the liability of financial institutions that issued privacy notices containing these sample clauses. Existing safe harbors and sample clauses will be phased out over a one-year period.

SEC Seeks to Better Protect Investors' Privacy With Proposed Amendments to Regulation S-P

In light of growing concerns over identity theft, data breaches, and the hacking of online brokerage accounts, the Securities and Exchange Commission (“SEC”) has recently proposed new amendments to Regulation S-P – the SEC’s existing privacy rules mandated under the Gramm-Leach-Bliley Act. The SEC’s unanimous approval of these proposed rules signals the Commission’s desire to more closely align its privacy guidelines with those of the Federal Trade Commission (“FTC”) and the Federal Banking Agencies, which adopted data breach notice rules in 2005. For regulated companies, however, the amendments could mean additional costs and liabilities.

Specifically, the amendments would require covered entities, such as brokers, dealers, investment advisers and investment companies, to adopt more detailed policies for safeguarding and disposing of clients’ confidential personal information. The proposed rules also would require regulated businesses to establish standards for responding to data breaches. However, the new regulations would ease existing restrictions on firms recruiting registered representatives by allowing representatives who switch firms to disclose certain client information without having to comply with the usual notice and opt-out rules under Regulation S-P.

Safeguards and Disposal Rule Expanded To Require Comprehensive Information Security Program

The SEC’s proposed amendments to Regulation S-P develop and broaden the existing safeguards rule. Under the current rule, broker-dealers, registered advisers and investment companies must adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments build upon the existing rule by requiring each business subject to the safeguards rule to develop, implement, and maintain a comprehensive “information security program.” Such a program must be designed to:

(i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or securityholder who is a natural person.

Companies also would need to preserve written records of the information security program, as well as written records that they have met the requirements of developing, maintaining and implementing the program.

Moreover, the amendments would broaden the type of information covered under the safeguards and disposal rules. According to the SEC, the current rules do not adequately define the scope of personal information subject to Regulation S-P, and thus, the new rules would define personal information broadly “to encompass any record containing either ‘nonpublic personal information’ or ‘consumer report information.’” Consumer report information is defined in the Fair Credit Reporting Act as any information from a consumer reporting agency related to a consumer’s creditworthiness, credit standing, credit capacity, character, or general reputation.

Responding to Data Breaches

Firms also would be required under the proposed amendments to implement policies and procedures to respond to data breaches. The proposed regulations compel companies experiencing incidents of unauthorized access to personal information to promptly notify affected customers “if misuse of sensitive personal information has occurred or is reasonably possible.” Companies also would have to notify the SEC of a data breach if “an individual identified with the information has suffered substantial harm or inconvenience or an unauthorized person has intentionally obtained access to or used sensitive personal information.”

Recruiting Registered Representatives

According to the proposed amendments, registered representatives seeking to join a new firm could bring with them certain personal information related to their clients without violating Regulation S-P’s notice and opt-out requirements, which require that a consumer give consent, either express or implied, before a company may disclose the consumer’s personal information to a non-affiliated third party. In particular, a migratory representative may bring to his or her new firm “a customer’s name, a general description of the type of account and products held by the customer’s name, and the customer’s home address, telephone, and email information.”

Under the current standards, before a representative joins a new firm, the representative and the new firm must obtain consent from clients if they intend to use client information. This policy sparked considerable controversy in 2007 when the SEC initiated an administrative proceeding against NEXT Financial Group, Inc., a registered broker-dealer, claiming that NEXT allowed registered representatives to take nonpublic client information without client consent when they left NEXT for other firms. The SEC also alleged that NEXT aided and abetted violations of Regulation S-P by requiring its recruited representatives to provide NEXT with the client information from the representative’s previous firm. For more on the NEXT Financial proceeding, see our post of last year here.

Companies and commentators argued that the position the SEC took with NEXT interferes with the broker-client relationship, causes substantial delays in the account transfer process, and creates a “blackout period” in which clients cannot place trades because receipt of notice and consent are still pending. The proposed amendment to Regulation S-P would reduce the burdens on representatives by permitting them to use certain information to solicit clients for their new firm.

The proposed rule to amend Regulation S-P can be found here. The SEC is accepting comments on the proposed amendments until May 12, 2008.