How Can a Business Comply with its Privacy Obligations?
In response to the growth of the Internet and e-commerce, legislators and regulators around the world have adopted or proposed scores of new laws and regulations to protect personal or "private" information from unauthorized use, disclosure, or distribution. Privacy regulations are, for example, included among regulations governing personal financial information, personal health care information, website usage, and so on. Compliance with these new regulations is likely to prove challenging, if not daunting, for most businesses.
No business can develop an effective compliance program for privacy in a vacuum. To develop an effective privacy program, a business must have a clear picture of (1) where it is—i.e., its current information practices; (2) where it is going—i.e., the legal and practical standards governing its collection and use of private information; and (3) how it is going to get there—i.e., its technological, administrative, and practical tools for achieving compliance.
Identifying these reference points is not itself a trivial task. Most businesses have developed their information practices over decades without any centralized practices shared among divisions, departments, offices, and individual employees. To identify existing information, therefore, requires a business to create a blueprint, or flowchart, of often complex and diverse information uses. Likewise, compliance goals and implementation strategies will differ greatly among businesses.
With the foregoing issues in mind, we believe that a privacy "audit" may prove to be a necessary starting point for any business developing an effective compliance plan. Such a privacy audit must address: (1) compliance objectives, including privacy regulations that apply to the business; (2) current information flows; and (3) the resources and tools that are available or required to implement necessary changes. A suggested approach for addressing these issues is outlined below:
A. Identify Privacy Objectives
The starting point for an effective privacy audit is development of a clear set of objectives for compliance. Those objectives must be formed by existing legal requirements, anticipated future legal requirements, and the reasonable expectations of business partners and customers.
Currently, the need to articulate compliance objectives raises its own problems. First, many businesses face diverse and conflicting privacy regulations imposed by different agencies or governments. Second, it is unlikely that a single set of objectives will be optimal for all sensitive information handled by a business. To the extent possible, the level of protection afforded information should be commensurate with its degree of sensitivity.
Against this backdrop, the starting place for defining compliance objectives must be a review of applicable regulations. Depending on the nature and scope of a business, applicable regulations may include:
- Federal Trade Commission regulations and standards governing websites.
- Privacy and security requirements for personal health information under the Health Insurance Portability and Accountability Act (HIPAA).
- Requirements for privacy of financial information under the Gramm-Leach-Bliley Act.
- Other specific federal statutes (COPPA, FCRA, etc.).
- The European Union Privacy Directive.
- State Unfair Competition and Consumer Protection Laws.
Key questions to consider when developing privacy objectives include:
- What information must be protected under applicable law or regulation?
- What information are business partners or consumers likely to consider most sensitive?
- To what extent can privacy obligations be met by providing notice of how the business operates with respect to private information and disclaiming responsibility?
- Who will have management responsibility for oversight of privacy?
- What technological changes are required? What technological changes are feasible to implement new privacy policies?
- What business procedures, policies, and training will be required?
- What level of physical security of facilities will be required?
B. Assess Information Practices
After identifying compliance objectives and, most importantly, the private information requiring protection, the firm’s relevant information practices can be charted and assessed. This process can be time-consuming but it is manageable if well-organized.
First, the assessment must identify the sources of, and entry points for, private information. In the context of a health care business, sources may include patients, health care providers, insurers, and business partners. The "entry points" for information may include physician medical records, insurance applications, electronic entries through the Internet, e-mail, and so on. Each of these information entry points should be reviewed to determine:
- The type of information collected—i.e., the data elements.
- The reasons for the collection of each element of data.
- The disclosures or disclaimers provided at the time information is submitted.
After identifying the sources and elements of data collected, the flows and uses of information should be charted. The process is likely to require:
- Interviews of key personnel in all business units.
- A review of information systems (inputs, storage, access restrictions).
- A review of data exchanges with third parties.
- A review of record-keeping capabilities.
When reviewing information flows, it is also important to characterize each use or disclosure of private information. In particular, each disclosure or use should be reviewed to determine:
- Whether irrelevant information is disclosed along with relevant information.
- Whether the use requires consent from the subject of the information and, if so, the type of consent required.
C. Develop the Compliance Plan
A clear understanding of both compliance objectives and the firm’s use of private information provides the foundation for an effective compliance plan. Obviously, the first step in developing a plan is to identify the shortcomings of current practices by comparing the firm’s actual privacy practices to its compliance objectives and requirements. The final compliance plan itself must then address two distinct components—information management and security. An effective compliance plan should address:
- Technical security measures to protect both stored and transmitted information. Such measures should include access controls, audit tools, backup procedures, and methods to assure the authenticity and integrity of stored electronic data.
- Physical security and access to private information.
- Policy and procedures, including training, security, HR practices, record-keeping and audit controls, management responsibilities, and the like.
Conclusion
Like many compliance requirements facing modern businesses, privacy compliance requires a structured approach that addresses each firm’s unique circumstances.
Reed Smith stands ready to address the privacy concerns confronting our clients and to work with them to develop a cost-efficient approach for managing their compliance efforts.
PRIVACY UPDATE: A Reminder Regarding Gramm-Leach-Bliley
By the REED SMITH PRIVACY TASK FORCE
The implementing regulations (the "Privacy Regulations") for Title V of the Gramm-Leach-Bliley Act ("Title V")(fn1) became effective on November 13, 2000.(fn2) While mandatory compliance is delayed until July 1, 2001, Reed Smith would like to take this opportunity to provide a timely reminder to our clients and friends regarding the requirements of Title V and the Privacy Regulations.
At the outset, it is important to recognize that Title V and the Privacy Regulations reach far beyond the common notion of what constitutes a "financial institution." In addition to banks, insurance companies and securities firms, covered companies include mortgage bankers and brokers, automobile dealerships, and certain retailers, travel agencies and institutions of higher education.(fn3)
For a covered financial institution, Title V imposes substantial disclosure and procedural obligations on the financial institution regarding nonpublic personal information about its customers. If they have not done so already, a financial institution needs to begin implementing procedures for complying with the initial and annual privacy notice and other requirements of Title V described below.
Equally as important, a financial institution needs to examine its contracts with nonaffiliated third-party service providers with whom it shares nonpublic personal information. As discussed below, these contracts will need to be revised or amended to require that the parties with whom the financial institution shares nonpublic personal information maintain the confidentiality of such information and use the information solely for the purposes for which the information was disclosed or as otherwise permitted under Title V and the Privacy Regulations.
Scope of Coverage
Overall, Title V and the Privacy Regulations are aimed at protecting the dissemination of nonpublic personal information about consumers who obtain financial products or services from financial institutions for personal, family or household purposes. Title V and the Privacy Regulations do not apply to information about businesses or business purpose transactions.
"Customers" and "Consumers"
Title V and the Privacy Regulations differentiate between "customers" and "consumers." A "consumer" is an individual who obtains financial products or services from a financial institution, while a "customer" is a consumer who has a continuing "customer relationship" with a financial institution. Required disclosures are far more extensive for customers than consumers. Customers must be given initial and annual privacy notices, while consumers need only be given initial notices if the financial institution decides to share information about them with nonaffiliated third parties and, if so, before such sharing occurs.
Initial and Annual Privacy Notices
Title V and the Privacy Regulations require that both the initial and annual privacy notices (a) be clear and conspicuous (including the hypertext link or dialogue box, if electronically given); (b) be provided in writing, on paper, or if the consumer conducts transactions electronically and agrees, electronically (no oral notices), such that each recipient can reasonably be expected to receive actual notice (e.g., by hand delivery, mailing a copy to customer’s last known address, or e-mail if the customer receives a financial product electronically and agrees to such form of communication); and (c) accurately reflect the privacy policies of the financial institution as of the time the notices are provided. The notices also must contain (a) the categories of nonpublic personal information that the financial institution collects; (b) the categories of nonpublic personal information that the financial institution discloses; and (c) the categories of affiliates and nonaffiliated third parties to whom the financial institution discloses nonpublic personal information.
Title V seems to recognize that privacy concerns are not intended to disrupt the ordinary course of business. Accordingly, Title V and the Privacy Regulations provide some important exceptions to the restrictions on information-sharing. Significant among these are: (1) agreements for joint marketing of products and services; (2) disclosures of nonpublic personal information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes; (3) disclosures in connection with a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer; (4) disclosures to which the consumer consents; (5) disclosures to protect confidentiality and security and to prevent fraud; (6) disclosures to persons holding a legal or beneficial interest relating to the consumer; (7) disclosures to a consumer reporting agency in accordance with the Fair Credit Reporting Act ("FCRA");(fn4) (8) disclosures in connection with a business sale or merger; and (9) disclosures to comply with federal, state or local law and legal process.
The initial privacy notice also must contain an explanation of the consumer’s opt-out rights under Title V, any disclosures regarding information-sharing with affiliates under the FCRA, and the financial institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Opt-Out Notices
With special regard to the explanation of the consumer’s right to opt out, i.e., the right to direct that the consumer’s nonpublic personal information not be shared with nonaffiliated third parties, the financial institution also must describe the method by which the consumer may exercise that right. In that connection, the Privacy Regulations require that a clear and conspicuous opt-out notice also be given to the consumer at the time the initial notice is given. The opt-out notice must state that (a) the financial institution discloses or reserves the right to disclose the consumer’s nonpublic personal information to nonaffiliated third parties; (b) the consumer has the right to opt out of that disclosure; and (c) the consumer may exercise his or her opt-out right by a reasonable means.
Joint Marketing/Service Agreements
Under Title V and the Privacy Regulations, a consumer does not have the right to opt out, and the nondisclosure requirement does not apply, where (1) a financial institution provides nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution (including, without limitation, marketing of the financial institution’s own products or services or financial products offered pursuant to joint marketing agreements between two or more financial institutions); (2) the financial institution fully discloses such arrangement to the consumer in the initial privacy notice; and (3) the financial institution enters into a contractual agreement with the third-party service provider (which may be a joint marketing agreement) that (a) requires the third-party service provider to maintain the confidentiality of the information to at least the same extent that the financial institution must maintain that confidentiality under Title V and the Privacy Regulations; and (b) limits the third party’s use of the information solely to the purposes for which the information was disclosed or as otherwise permitted by the Privacy Regulations.
Under the Privacy Regulations, contracts with nonaffiliated third parties entered into after July 1, 2000 must comply fully with the above restrictions on the reuse of nonpublic personal information acquired from a financial institution at the time such contracts are executed. Contracts entered into on or before July 1, 2001 must comply fully with the above restrictions on the reuse of nonpublic personal information acquired from financial institutions by July 1, 2002.
The Privacy Regulations also clarify that when a financial institution is permitted to disclose nonpublic personal information under Title V and the Privacy Regulations to a non-affiliated third-party pursuant to an exception in Section 502(e) of Title V, such disclosure may be made without first complying with the above restrictions. The exceptions in Section 502(e) of Title V permit, among other exceptions, disclosing non-public personal information as necessary to effect, administer or enforce a transaction requested or authorized by a consumer, or in connection with servicing or processing a financial product or service requested or authorized by the consumer, or maintaining or servicing the consumer’s account with the financial institution or with another entity as part of a private label credit card program.
Enforcement
Enforcement of Title V and the Privacy Regulations is assigned to the financial institution’s federal functional regulator, if it has one (i.e., the federal banking agencies for banks and the SEC for securities firms), or its state insurance authority (i.e., for insurance companies), or, for all other entities, the Federal Trade Commission. A privacy violation will be considered a violation of the laws generally administered by the relevant regulator and will subject the violator to the penalties prescribed under those laws. While there is the possibility of litigation, neither Title V nor the Privacy Regulations addresses private rights of action.
Primacy of FCRA and State Law
Title V and the Privacy Regulations explicitly provide that they do not modify, limit or supersede any of the provisions of the FCRA.(fn5) Moreover, they supersede state law only to the extent that state law is "inconsistent." However, a state law is not "inconsistent" with Title V if the state law affords "greater protection" to the consumer. Although states have been slow to enact more restrictive privacy laws, apparently preferring to wait and see how Title V will operate, the tide may be shifting. For example, the New York State Insurance Department issued new privacy regulations that require insurers to distribute an opt-out notice in conjunction with the annual privacy notice to customers, going beyond the Title V requirement that the opt-out notice accompany only the initial notice. Legislatures in Alabama, California, Delaware, Illinois, Massachusetts, Minnesota, Nebraska, New Jersey, New York, South Carolina, Virginia and Washington also have considered, or are considering, enacting privacy legislation.
Complying with Title V and the Privacy Regulations
Complying with Title V and the Privacy Regulations will require each financial institution to develop a privacy policy, develop disclosure forms, examine its contracts with third-party vendors and revise or amend such contracts to comply with Title V and the Privacy Regulations, and develop and implement compliance programs. At a minimum, before developing privacy notices, financial institutions will need to have an intimate understanding of their existing practices and procedures relating to the access to, and movement of, customer information both within the institution and between the institution and affiliated and nonaffiliated third parties. Institutions involved in telemarketing and Internet sales also will need to know whether nonpublic personal information is obtained from customers over the telephone or online, where that information goes once obtained, and whether and how access to that information is provided to third parties. (For more information, see /library/article.asp?pubid=11412211162000.)
Each financial institution will have to draft a privacy notice tailored to its own plans and procedures. Compliance programs to enforce an institution’s privacy policy and to segregate the nonpublic personal information of those who opt out will have to be developed. As with compliance programs adopted to ensure compliance with other consumer protection laws, the board of directors should assume responsibility for the approval and adoption of all notices and compliance programs.
Timing considerations are critical. Because compliance with disclosure requirements will be mandatory on July 1, 2001, institutions should consider mailing Privacy and Opt Out Notices to customers at least one month prior to that date, giving customers 30 days to opt out. If the Notices are not mailed out until July 1, 2001, nonpublic personal information may not be shared with nonaffiliated third parties until the expiration of 30 days after mailing (assuming that consumers do not opt out).
As noted above, contracts with nonaffiliated third parties entered into after July 1, 2000 must comply fully with the provisions restricting the reuse of nonpublic personal information acquired from financial institutions at the time such contracts are executed. Contracts entered into on or before July 1, 2001 must comply fully with the provisions restricting the reuse of nonpublic personal information acquired from financial institutions by July 1, 2002. Whatever the date of the contract, all vendors must observe the Privacy Regulations’ rules governing reuse of information on and after July 1, 2002.
Conclusion
With mandatory compliance with the Privacy Regulations being just over six months away (July 1, 2001), there is not much time for financial institutions to finalize and implement compliance programs. Reed Smith attorneys are assisting all types of financial institutions on a daily basis to develop compliance programs and appropriate disclosure forms. We welcome both current clients and new friends to call upon our up-to-the-minute expertise in this emerging field of law.
Endnotes:
- The Gramm-Leach-Bliley Act, Pub. L. 106-102, 113 Stat. 1338 (November 12, 1999). Additional information on Title V and the GLBA can be found in the February 2000 Reed Smith Bulletin entitled "Privacy Rules Under Title V of Gramm-Leach Proposed" at /library/article.asp?pubid=1323187212000 and the November 1999 Reed Smith Bulletin entitled "The Gramm-Leach-Bliley Act of 1999" at http://www.reedsmith.com/library/article.asp?pubid=1227427282000.
- Nearly identical Privacy Regulations were issued last spring by the federal banking agencies, the SEC and the FTC. The National Association of Insurance Commissioners also has adopted similarly formatted model regulations for states to adopt.
- It also is important to remember that in today’s global economy, financial institutions need to be aware of privacy laws and regulations that have been enacted in jurisdictions outside of the United States. While we do not discuss foreign privacy initiatives in this article, more information on the European Union Privacy Directive can be found in the November 2000 Reed Smith Bulletin entitled "Privacy Update" at /library/article.asp?pubid=11412211162000.
- 15 U.S.C. § 1681 et seq.
- It is important to remember that compliance with Title V and the Privacy Regulations does not ensure compliance with the FCRA. The FCRA generally prohibits the written, oral or other communication of any information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used or intended to be used for credit, insurance or employment purposes, unless (a) the information solely relates to transactions or experiences between the consumer and the disclosing party; (b) the information (other than experience information within clause (a)) is provided to an affiliate of the disclosing party after the disclosing party has given the consumer notice that the information may be disclosed to its affiliates and the consumer is given the opportunity to opt out of that disclosure prior to the disclosure being made; (c) the consumer consents to the disclosure of such information or certain other exceptions in the FCRA are satisfied; or (d) the disclosing party complies with extensive notice and procedural requirements that are imposed on consumer reporting agencies or credit bureaus under the FCRA. See 15 U.S.C. §§ 1681a-1681s. Moreover, financial institutions that gather or process medical information about consumers also should be familiar with the interplay between Title V, the FCRA affiliate information-sharing rules and the Department of Health and Human Services ("HHS") privacy standards, which are expected to be published in final form within the next few weeks. More information regarding the HHS privacy standards will be provided in upcoming Reed Smith Bulletins.
Impact of the Gramm-Leach-Bliley Act Privacy Requirements on State Insurance Law and Regulations
On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act ("Act"). Title V of the Act, codified at 15 USC 6801-6807, states that it is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. The Act defines "financial institution" by participation in "financial activities" as enumerated at 12 USC 1843(k). Among these activities are "[i]nsuring, guaranteeing, or indemnifying against loss, harm, damage, illness, disability, or death, or providing or issuing annuities, and acting as principal, agent, or broker for purposes of the foregoing, in any State." Therefore, the Act’s privacy requirements cover all insurers and insurance producers, regardless of any involvement or affiliation with a banking or securities entity.
State insurance regulators preparing to enforce the provisions of the Gramm-Leach-Bliley Act (the "Act") have several options including preserving or upgrading existing privacy legislation to meet the Act’s standards, creating new legislation and/or adopting, in whole or in part, model legislation such as the National Conference of Insurance Legislators ("NCOIL") Financial Information Privacy Protection Model Act or model regulations such as the National Association of Insurance Commissioners ("NAIC") Privacy of Consumer Financial and Health Information Regulation.
As an aside, insurers and insurance producers in the health care industry should be mindful of privacy regulations that will be promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996. These regulations will apply to medical records created by health care entities, including insurers. They are designed to set standards on the use and disclosure of protected health information and to give patients basic rights with respect to the use and disclosure of their health data. These rules are expected to be released in final form in the very near future, and would go into effect two years and sixty days after publication.
The Legal Landscape
At the legislative level, a prominent starting point for state action is NCOIL’s Model Act. At the regulatory level, the NAIC model regulation is most prominent. These two models are not identical. For instance, the NAIC model requires insurers to seek an "opt-in" form from a consumer in order to disclose personally identifiable health information. The NCOIL model, however, is less restrictive with regard to medical privacy than the NAIC model in that it requires such an "opt-in" only when the insurer intends to use the personally identifiable medical data solely for the purpose of marketing. This less restrictive approach is based upon the expectation of regulations covering the privacy of personally identifiable health information from the Department of Health and Human Services that could make a state regulation redundant.
Even though the precise legal requirements for compliance with the Act’s privacy standards are not yet available, insurers can take general steps to prepare for future compliance. Insurers should be certain to understand their existing practices and procedures relating to the access to, and movement of, customer information both within the institution and between the institution and affiliated and nonaffiliated third parties. To the extent feasible without specific regulations in force, insurers should begin to develop a privacy policy and the processes to implement that policy. Insurers should consult legal privacy counsel to determine the extent to which such policies can be developed in the face of pending and somewhat uncertain regulation. Counsel would also be helpful in identifying insurers’ activities that are required or authorized by other applicable law that should be carried out in accordance with the privacy standards.
Pending State Enforcement of the Gramm-Leach-Bliley Privacy Provisions
Delaware—The Delaware Department of Insurance will draft regulations detailing compliance with the privacy provisions of the Act. These will be made known to all aff