Nearly 10 years have passed since financial institutions first began sending privacy notices required under the Gramm-Leach-Bliley Act (GLBA). Over this time period, we’ve all become accustomed to the annual flood of notices from our banks, brokers, insurance companies and other financial services providers that, in many cases, disclose the same practices year after year. In spite of this, numerous regulatory agency and consumer activist studies indicate that few consumers take the time to read the notices they receive, and even fewer understand them well enough to make educated choices about how their personal information may be used.
In an effort to address these concerns, the federal regulatory agencies responsible for implementing GLBA requirements issued a significantly revised model disclosure form on December 1, 2009, with an implementation date of December 31, 2010. The new model notice, which is based on the results of extensive consumer studies, replaces the paragraph format of the earlier model language with a tabular format designed to make it easier for consumers to compare notices furnished by different financial service providers, and to find the disclosure elements of interest to them more quickly. Although institutions are not required to use the model form, those that do not will lose the safe harbor protections provided under GLBA and its implementing regulations, thereby increasing their exposure to regulatory scrutiny and, potentially, litigation.
Challenges and Opportunities
At a minimum, all institutions that are subject to GLBA’s privacy notice requirements should review and carefully consider whether to implement the new model form. Proper use of the model language is likely to mitigate a firm’s regulatory compliance risk and, at the same time, may well be easier for consumers and customers to understand. This will reduce the time and cost associated with answering questions and/or responding to complaints about the firm’s privacy practices.
However, regardless of whether the new model form is utilized, it is critically important that a firm’s disclosed privacy standards properly reflect its actual practices. Given the amount of time that has passed since the GLBA requirements took effect, it is increasingly common that financial institutions’ privacy notices – while accurate at inception – no longer reflect the types of information an institution is actually collecting, or fully describe how or why that information is being used, shared, stored or protected. In fact, the Federal Trade Commission has taken several public enforcement actions against firms in recent years for, in part, failing to ensure that statements made within their privacy notices reflected controls actually in place.
The release of the new model form provides the ideal impetus for institutions of all types and sizes to perform comprehensive reviews of their actual privacy practices. This is especially important considering that the safe harbor applies only if the model language is used exactly as drafted. Accordingly, institutions that want to take advantage of the safe harbor must be certain that the new model language accurately reflects, without modification, their practices before using it to replace their existing privacy notices.
Our Point of View
In order to implement the new requirements effectively, institutions should:
- Conduct a comprehensive inventory of their actual information collection, use, sharing, retention, protection and disposal practices (or ensure that their existing inventories are up to date).
- Develop and execute action plans to resolve any gaps between actual and intended or required practices.
- Carefully review the revised model form and map their actual practices (or intended future practices, once identified gaps are closed) to the corresponding model disclosure clauses.
- Assess the time and cost required to replace existing initial and annual privacy notices with the new model forms, as compared to the compliance risk management and customer service benefits of doing so.
- If the decision is made to utilize the revised model language, develop an action plan to draft, review and distribute revised notices in advance of the December 31, 2010, effective date.
How We Help Companies Succeed
Protiviti’s Regulatory Risk Consulting and Privacy & Data Security professionals have extensive experience assisting financial services providers of all types and sizes with the development of effective privacy compliance programs. Our services include:
- Conducting global data privacy inventories and risk assessments
- Executing privacy compliance audits
- Assisting companies in implementing new or revised privacy requirements imposed under GLBA, the Fair Credit Reporting Act and similar state-specific requirements
- Developing information security risk assessment frameworks, written compliance programs, board reporting strategies and templates, and independent testing plans
- Developing breach response programs and assisting in the investigation and resolution of actual breaches
A leading consumer lender with more than US$100 billion in assets engaged Protiviti to conduct a comprehensive assessment of its controls to provide initial and annual privacy notices to customers and consumers. Our review produced recommendations to ensure that all required customers received accurate notices, improve documentation to demonstrate compliance more effectively, and reduce costs through increased automation and elimination of duplicate notices sent to certain categories of customers. We also designed and implemented a monitoring program to help ensure that the privacy notice process remained sustainable and effective over time.