8/11/2019 Privacy Laws.ppt
1/49
Privacy Laws
Shelly Repp
General Counsel
National Council of Higher Education Loan Programs, Inc.
Gramm-Leach-Bliley Act and
Regulations
Regulatory and Enforcement Authority
Banking Agencies (OCC, Fed, FDIC, OTS)
SEC
FTC (default regulator)
The Framework is Not Complicated
- Requires financial institutions to provide notice to customers about their privacy policies and practices
- Describes conditions under which financial institutions may disclose nonpublic personal information about consumers to others
- Provides consumers the opportunity to prevent disclosures to most nonaffiliated 3rd parties by opting out (subject to an extensive list of exceptions)
Scope
Applies to Financial Institutions, both regulated and non-regulated (Guaranty Agencies are financial institutions; so are nonprofit secondary markets, loan servicers and collection agencies)
Governs handling of
1) nonpublic personal information (NPI) about individuals (information collected on an application or derived from loan history)
2) who obtain financial products or services
3) from financial institutions
4) primarily for personal, family or household purposes (e.g., student loans).
Rules Generally Apply to Customers
Special rule for loans: only one customer relationship per loan
- A school does not establish a customer relationship by certifying a student's eligibility for a FFELP loan.
- A guarantor/insurer does not establish a customer relationship by issuing to the lender its guarantee/insurance on the FFELP loan or private student loan.
- An origination/disbursement agent or loan servicer does not establish a customer relationship by performing loan origination and/or disbursement functions, or servicing a loan, on the lender's behalf.
Content of Privacy Notice
Customers must be provided a clear and conspicuous notice of privacy policies and, if applicable, a reasonable opportunity to opt out.
Privacy notice must explain:
- The nature or types of information collected
- The purposes for which information is collected
- Types of entities with which data is shared, and the purposes for sharing
- Consumer rights to opt out of sharing arrangements with nonaffiliated third parties, with clear direction on how they can freely exercise these rights
Privacy statements need to be accurate and complete (due diligence needed)
Initial Notice Required When Customer Relationship Established
New Product Notice. What obligations apply when additional products/services are provided to an existing customer?
- New notice only needed if the prior privacy notice is not accurate with respect to the new product
- E.g., a financial institution is not required to send another notice with each loan made under an MPN if the notice provided with the first loan remains accurate with respect to each subsequent loan.
Annual Customer Notice
- Must provide recurring annual notice of privacy policies and practices during the continuation of the customer relationship.
- Notice must be provided on a consistent 12-month basis.
Revised Notice
A financial institution must provide a new notice to all existing customers if the institution changes its privacy policies/practices in a way that makes the prior notice no longer accurate.
Notices to Consumers
No notices required unless and until the consumer's NPI will actually be shared. Notice, and a reasonable opportunity to opt out (when required), must be provided to the consumer prior to sharing of the consumer's NPI.
FYI - A bankruptcy condition does not excuse the required notices. The notice is not an attempt to collect a debt, and so does not violate an automatic stay.
Opt-Out Right
Financial institutions that share NPI about consumers with nonaffiliated third parties outside of the opt-out exceptions must provide consumers with:
- An opt-out notice
- A reasonable period of time for the consumer to opt out
Some of the Applicable Exceptions
Processing transactions. Disclosures made:
- As necessary to effect, administer, or enforce a student loan that a student loan consumer requests or authorizes; or in connection with:
  - Servicing or processing the student loan customer's account with the financial institution
  - A proposed or actual securitization, secondary market sale, or similar transaction related to the customer's student loan
Applicable Exceptions (cont.)
- Legal requirements
- Consent
- Rating or Guaranty Agencies. Disclosures to provide information to rating agencies, insurance rate advisory organizations, guaranty funds or agencies, and persons assessing the financial institution's compliance with industry standards
Applicable Exceptions (cont.)
- Credit bureau reporting
- Loan sales
- Antifraud. Disclosures to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability (e.g., skip-tracing)
Reuse/Redisclosure Limitations
When a nonaffiliated 3rd party receives NPI pursuant to one of the exceptions, the 3rd party may use and redisclose such NPI only as follows:
- The 3rd party may disclose the information to the financial institution's affiliates;
- The 3rd party may disclose the information to the 3rd party's affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the 3rd party may disclose and use the information; and
Reuse/Redisclosure Limitations (cont.)
- The 3rd party may disclose and use the information pursuant to one of the exceptions in the ordinary course of business in order to carry out the activity covered by the exception under which it received the information.
- Financial institutions are not required to monitor the use of NPI by nonaffiliated 3rd parties to whom it properly (in accordance with notice and applicable opt-out requirements) discloses such information.
Relationship to State Laws
The GLB Act does not pre-empt state laws, except to the extent that such laws are inconsistent with the GLB Act.
State laws that the FTC determines provide greater protection to consumers are not inconsistent with the GLB Act.
Information Security Rule
The GLB Act requires the regulatory agencies to establish standards for financial institutions relating to administrative, technical and physical safeguards for customer information.
- Banking agencies have issued final guidelines
- FTC issued a final regulation
The objectives of the program are set in the GLB Act:
1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
The program must cover handling of customer information, which is defined to include information that a financial institution collects from its own customers, and also customer information received from other financial institutions.
Both the Banking Agencies and the FTC contemplate a flexible approach. Each calls for safeguards that are appropriate to:
- the size and complexity of the institution
- the nature and scope of its activities, and
- the sensitivity of the customer information at issue
The requirements in general are not prescriptive.
The FTC's rule requires that each program contain certain basic elements. Each financial institution must:
1. designate an employee or employees to coordinate its program;
2. assess internal and external risks in each area of its operations;
3. design and implement a written information security program to control these risks through ongoing risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures;
Risk assessment should address responding to attacks and intrusions.
Bank regulators have issued proposed guidance on response programs:
- Determine nature and scope of security breach
- Notify primary federal regulator
- Contain incident to prevent further unauthorized access (e.g., shut down applications or connections, reconfigure firewalls, change codes)
- Address harm to individuals
  - Flag accounts
  - Secure accounts
  - Customer notice when sensitive customer information disclosed (e.g., SSNs)
Fair and Accurate Credit Transactions Act of 2003 (the FACT Act)
FACT Act
Amends the Fair Credit Reporting Act (FCRA). Key provisions:
- National uniformity
- Creates new body of federal identity theft law
- Additional credit reporting protections
- Restriction on affiliate sharing
National Uniformity
- Top priority of banks was to extend and expand FCRA federal pre-emption provisions
- Seven pre-existing pre-emption provisions would have expired on 1/1/04 (e.g., state laws restricting exchange of information among affiliated entities). The FACT Act makes these permanent.
- New national uniformity on certain identity theft provisions (e.g., fraud alerts, red flag guidelines and regulations, identity verification)
National Uniformity
A Federal District Court in California has limited the pre-emptive effect of the FCRA. It held that the FCRA only regulates dissemination and use of consumer reports, not consumer information generally.
Identity Theft Provisions
Creates a national fraud alert system
- Consumers can request consumer reporting agencies (CRAs) to place a fraud alert in their file.
- Proof of identity required
- Good for 90 days (initial alert) or 7 years (extended alert), if accompanied by an identity theft report
Identity Theft Provisions
- No user of a consumer report with a fraud alert may extend credit without utilizing reasonable procedures to verify identity
- FTC directed to define what constitutes proof of identity
Identity Theft Provisions
- Consumer may request CRAs to block reporting of information resulting from alleged identity theft
- CRAs must notify the provider of the information (who must prevent re-pollution)
- Debt collectors who are notified that a debt may be fraudulent must notify the creditor
Identity Theft Provisions
- Regulators directed to establish red flag guidelines that outline measures to prevent identity theft. The regulators also will require financial institutions to establish and adhere to reasonable procedures implementing the guidelines.
- Consumer reporting agencies required to inform the user if a credit request contains an address different from their records. Regulators directed to prescribe rules on what procedures users should follow.
Identity Theft Provisions
Most applicable to PLUS and alternative loans
Credit Reporting Protections
- Lenders must inform customers if they have or will report negative information to a CRA. May be a one-time notice.
- Application to student loan delinquency reporting
Credit Reporting Protections
A financial institution that grants credit based in whole or in part on a consumer report, on terms less favorable than those available to a substantial proportion of the institution's borrowers, must notify the customer.
Restrictions on Affiliate Sharing
- Consumers must be given the ability to opt out of the use of personal information for marketing purposes.
- Opt-outs are good for 5 years.
- Some exceptions apply (e.g., where the affiliate also has a customer relationship)
Restrictions on Affiliate Sharing
- Opt-out notice may be consolidated with other notices (GLB)
- Financial regulators to issue regulations
Sample of State Law Developments
Financial Privacy
The California Financial Information Privacy Act (SB 1, effective 7/1/2004)
- Opt-in for non-affiliate sharing
- Opt-out for affiliate sharing
- No requirement to provide opt-in or opt-out notices to Californians if NPI is shared in certain situations (which are nearly identical to the GLB Act exceptions)
- Applicable to financial institutions doing business in California
Confidentiality of Social Security Numbers
Texas (SB 473, effective 1/1/2005)
Essentially the same except:
- "mailed to individual" changed to "mailed"
- forms and applications exception limited to applications
Are B to B mailings covered?
Information Security
CA (SB 1386, effective 7/1/2003)
Requires a business that maintains computerized data that includes personal information, as defined, to disclose any breach of the security of that data to any affected California resident.
Identity Theft
CA (AB 1294, effective 1/1/2004)
- Requires a debt collector to stop collecting a consumer debt for 30 business days if the debtor provides a police report and a written statement that the debtor is a victim of identity theft
- Requires the collector to review the information submitted and to cease collection if the information reasonably establishes that the debtor did not incur the debt
Questions?
Thank you for joining us! Please be sure to complete your conference evaluation form!
Shelly Repp
General Counsel
National Council of Higher Education Loan Programs, Inc.