- "I Know We Looked at this Before, but Does Gramm-Leach-Bliley Apply to Us?"
- April 16, 2010
- Law Firm: Troutman Sanders LLP - Atlanta Office
The effective date of the Gramm-Leach-Bliley Act (GLB), and its comprehensive privacy scheme applicable to financial institutions, was November 13, 2000, and companies were required to comply with its provisions by July 1, 2001. Back in the early part of the last decade, most organizations took a hard look at GLB to determine whether it applied to them. Still, the constantly changing privacy landscape, along with new and innovative business models and uses of personally identifiable information, make it worthwhile to ask the question again on occasion.
Generally, GLB applies to “financial institutions,” the definition of which is the starting point for any analysis of whether GLB applies to your organization. But the important thing to note is that GLB defines “financial institution” very broadly. It includes any business that engages in lending, exchanging, investing, safeguarding, insuring, and facilitating transfers of financial assets. Thus, GLB applies to services ranging from tax return preparation, to credit counseling, to residential real estate settlement and title services, as examples.
The “lending” hook is particularly interesting in light of the fairly recent advent of Red Flag Rules, which several of our Advisories have covered before. The FTC has interpreted those rules (which it issued) broadly as applying to any business that extends “credit,” which is defined as “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.” This is, indeed, a very broad notion of credit, and it arguably includes just about any business that provides goods or services in advance of payment. The real question is this - what’s the difference between “providing credit” under the Red Flag Rules and “lending” under GLB? As of today, no court or agency has squarely addressed this issue. But you should consider taking a look at any business practices that could be considered “lending,” or otherwise covered by GLB, especially if these practices have arisen since you last considered GLB and involve the use of personally identifiable information.
If GLB does apply to your company, it requires a privacy notice at the time of establishing a customer relationship and annual notices during the continuation of the relationship. This notice requirement is mandatory, regardless of whether a business shares nonpublic information.
In addition, GLB requires compliance with the Safeguards Rule, which at the most basic level means that all organizations falling within its scope must have a written information security plan to protect the confidentiality and integrity of personal consumer information and a point person in charge of implementing and monitoring the plan. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles.
So, if it’s been a few years since you last considered whether GLB covers your organization, think about it again. GLB’s scope is extremely broad and your organization’s information practices have undoubtedly changed. A periodic review of whether this watershed privacy law covers what your organization is doing is worth it.