Feud of the Forms -- The Battle of The GLBA Notices

The U.S. Securities and Exchange Commission (“SEC”) announced on April 15, 2009 that it is reopening the period for public comment on proposed amendments to Regulation S-P, the SEC’s Gramm-Leach-Bliley Act (“GLBA”) implementing regulations. The SEC’s announcement follows the release of a report detailing the results of the second phase of the Interagency Notice Project (“INP”). The report by Drs. Alan Levy and Manoj Hastak, Consumer Comprehension of Financial Privacy Notices, uses the results of a mall-intercept study to compare the performance of a prototype financial privacy notice developed by the Kleimann Communication Group (“KCG”) during the first phase of the INP against three alternative notices. The Levy-Hastak report, among other things, confirms what proponents of the INP suspected: some GLBA privacy notices are largely ineffective in conveying the information consumers need to make rational decisions about the sharing of their personal financial information.

Launched in 2004, the INP is directed at evaluating consumer comprehension of GLBA privacy notices and the communication effectiveness of different notice formats. The INP’s ultimate goal is to facilitate the adoption of a model form that financial institutions may use to provide GLBA-required notices. In order to assess the relative effectiveness of different GLBA notice formats, researchers distributed one of four alternative notices to mall shoppers in five locations across the United States. These notice recipients were then asked a series of questions designed to test their ability to (a) compare banks’ information collection and sharing practices, (b) evaluate the available “opt-out” choices described in the notices, and (c) make informed and reasoned choices between banks. The Levy-Hastak report used the results of this quantitative study to analyze four different notice formats:

  • KCG Table Notice: This notice, the Phase I model form, uses a table on page one to describe (1) the types of sharing engaged in by financial institutions; (2) for each type of sharing, whether a particular institution shares personal information; and (3) whether the institution offers the consumer an opportunity to opt out or limit such sharing.
  • KCG Prose Notice: This notice is the prose version of the Phase I model form. It differs from the KCG Table Notice only in that it replaces the table on page one with a bulleted list that describes the information contained in the table.
  • Current Notice: This notice is a composite notice that is generally representative of GLBA notices currently provided by financial institutions to consumers.
  • Sample Clause Notice: This notice consists solely of Sample Clauses that provide only the specific information relating to the individual financial institution.

The Levy-Hastak report points out the weakness of the Current Notice, but stops short of declaring a clear winner in the battle of forms. The Sample Clause Notice’s strong performance on tasks that merely required respondents to find information within the notice underscores the importance of short forms. But the KCG Table Notice outperformed the other notice formats across “a diverse set of communication effectiveness measures.” Specifically, the survey results demonstrated that the KCG Table Notice helped respondents better understand the information contained in the notice, which in turn enabled them to make informed and logical decisions about financial information sharing.

The complete Levy-Hastak report is available here. The SEC’s public comment period will remain open until May 20, 2009.

FTC Sets Sights on Goal: Student Lender Taken to School for Data Security Breakdowns

On March 4 the FTC announced that a consent agreement has been reached in its 17th case challenging the data security practices of a company handling sensitive consumer information. Goal Financial, LLC, a San Diego-based student loan company, has agreed to implement a comprehensive information security program, to avoid future misrepresentations about its data security practices, and to obtain independent, third-party audits of its data security program every two years for the next 10 years. The consent order does not provide for a civil fine.

According to the FTC's Complaint, Goal Financial "failed to provide reasonable and appropriate security for consumers' sensitive personal information" starting no later than September 1, 2004. The company's faulty security practices allowed employees to transfer over 7,000 consumer files containing personally identifying information and financial histories to third parties. Additionally, in 2006 a Goal Financial employee allegedly sold company hard drives containing the sensitive personal information of approximately 34,000 consumers in readable, unencrypted text.

The complaint identified five specific security failures:

  • failure to adequately assess risks to the information stored on the network and in paper files,
  • failure to adequately restrict access to personal information to authorized employees only,
  • failure to implement a comprehensive information security program,
  • failure to provide adequate training about handling and protecting personal information and responding to security incidents, and
  • failure to require third-party service providers by contract to protect the security and confidentiality of personal information.

The FTC Complaint charged Goal Financial with violating the FTC Act by disseminating a false or misleading privacy policy that claimed to "implement[] reasonable and appropriate measures to protect personal information from unauthorized access." Because Goal Financial qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, the Complaint also alleged violations of the GLBA Safeguards Rule and the GLBA Privacy Rule. The Safeguards Rule allegation reflected the company's failure to identify privacy risks and design appropriate safeguards, while the Privacy Rule charge stemmed from the company's privacy policy and notices inaccurately representing the actual security of consumer information.

The public comment period on the proposed consent order runs until April 3, after which the FTC will decide whether to finalize the order.

Federal Regulators Propose Federal Privacy Notice and Seek Comments

On March 21, 2007, eight federal regulatory agencies (“Joint Agencies”) with jurisdiction over “financial institutions” regulated under the Gramm-Leach-Bliley Act (“GLBA”) issued an interagency proposal for a new model privacy form. The proposal is the result of a lengthy process the Joint Agencies began in 2001 to improve the format of GLBA privacy notices and make them more comprehensible to consumers. In addition to a lack of clarity, the Joint Agencies and consumer and privacy advocates have been concerned about the length of the notices and their overuse of legal terms.

Section 503 of the GLBA, 15 U.S.C. § 6803, and the current rules require financial institutions to provide their customers with a notice that describes, among other things, how they protect nonpublic personal information, the categories of nonpublic personal information collected, the affiliates and nonaffiliated third parties to whom such information is disclosed, and the customer’s right to prevent certain disclosures to nonaffiliated third parties. These notices must be provided at the outset of the institution’s relationship with a customer and, for continuing relationships, on an annual basis. The current rules do not mandate a standard format or particular wording for the notices; however, they provide sample clauses that financial institutions can use to satisfy the notice requirements.

While the Joint Agencies had deferred policy action while studying how to improve privacy notices, on October 13, 2006, President Bush signed the Financial Services Regulatory Relief Act of 2006 (“Regulatory Relief Act”). Section 728 of the Regulatory Relief Act amended Section 503 of the GLBA (15 U.S.C. § 6803) to require the Joint Agencies to propose a model form by April 11, 2007. Although financial institutions will not be required to use the model form, the Regulatory Relief Act includes a safe harbor that deems any financial institution using the form to be in compliance with the Section 503 disclosure requirements.

The model form is largely based on a report issued by the Kleimann Communication Group in March 2006. The proposed model form would be two to three pages, depending on whether an opt-out is offered. The first page would include general background information and a key frame presenting the why, what and how of a financial institution’s use of personal information, its reasons for sharing, and the consumer’s opt-out rights. The second page would include supplementary information such as definitions and further explanation in the form of Frequently Asked Questions. The final page would include an opt-out form for those financial institutions that share information in a manner that triggers consumer opt-out rights. The proposed rules would require a minimum font size and sufficient spacing between lines of type, with further recommendations on font type, spacing, paper size and color. One year after the model form is adopted, financial institutions would lose the safe harbor currently available for notices that use the sample clauses in the existing rules.

Comments on the proposal will be due 60 days from publication in the Federal Register, which is expected later in March. The Joint Agencies are seeking comment on the content of the model form, including whether modifications to the opt-out are necessary and whether financial institutions intend to incorporate the Fair Credit Reporting Act opt-out for affiliate marketing into the form; on the format of the form; and on other issues such as the likelihood that financial institutions will use the form and the practice of some financial institutions of requiring consumers to provide their Social Security numbers in order to opt out. Interested parties need only submit comments to one of the Joint Agencies.

The Joint Agencies include the Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Treasury; National Credit Union Administration; Federal Trade Commission; Commodity Futures Trading Commission; and the Securities and Exchange Commission.