On top of addressing general cybersecurity concerns, financial institutions must also minimize the risk of a data breach that could compromise customer financial or personally identifiable information. This means that standards financial institutions adopt for housing sensitive data must comply with privacy regulations, as well as with traditional federal and state privacy statutes that require privacy notices and restrict sharing customer information for marketing purposes.
It is particularly important to ensure that customers’ nonpublic personal information, or NPPI, remains secure. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to securely store NPPI, to advise customers of information-sharing practices, and to provide certain opt-out rights to customers. The regulations implementing the GLBA require a range of disclosures in privacy notices. Financial institutions must provide certain disclosures when they collect data, and then on an annual basis for ongoing customers. Fortunately, financial institution regulators released a pre-approved voluntary model privacy form builder in 2010 to assist financial institutions in complying with these requirements.
Relatedly, the Consumer Financial Protection Bureau (CFPB), established by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, has the authority to address unfair, deceptive, and abusive acts or practices. These practices include, but are not limited to, material misrepresentations by financial institutions to consumers regarding the financial institutions’ privacy policies. Indeed, the CFPB’s Supervision and Examination Manual provides a good resource for compliance with the regulations, including Regulation P, which implements part of the GLBA and relates to the privacy of consumer financial information.
Financial institutions, like other companies, must also be aware of state laws that impose additional data security and privacy requirements, which have not yet been clearly preempted by federal law, as well as specific data breach notification procedures. For example, certain states require “hold periods” that prohibit financial institutions from sharing certain types of information so that consumers have the opportunity to opt out of such sharing. Nearly all 50 states have adopted data breach notification laws. These laws include specific definitions of “personal information” and requirements for notifying consumers, as well as state agencies, the state’s attorney general, consumer reporting agencies, or other third parties, within specified time periods.
The risk of a data breach is similar to the risk we identified in our recent article on cybersecurity in this “Top 10 Issues Facing Financial Institutions in 2017” series, where we noted that financial institutions must take appropriate security measures to ensure customer privacy and data security at all levels of the organization. Institutions should implement, maintain, and be able to demonstrate the integrity of security and privacy policies that address the use and sharing of NPPI. Financial institutions must also take appropriate measures and put appropriate controls in place to ensure the integrity of their vendors’ security and privacy policies. Financial institution regulators will continue to focus on data security and privacy protection practices, because the failure to protect customer data is a critical threat to a bank’s viability, safety, and soundness.
About Schiff Hardin’s Financial Institutions Team
Schiff Hardin has a dedicated team of financial institution transactional, regulatory, and litigation attorneys with significant experience handling various aspects of bank and non-bank financial institution matters. Our attorneys regularly advise financial institutions on corporate matters, mergers and acquisitions, regulatory compliance, enforcement matters, and litigation throughout the U.S.
Visit Schiff Hardin’s Financial Institutions Practice website or contact the authors with questions or assistance.