Gramm Leach Bliley Act Part II: Safeguard Rules - PowerPoint PPT Presentation

Slides: 54
Provided by: vcox
Transcript and Presenter's Notes

1
Gramm Leach Bliley Act Part II: Safeguard Rules
  • Lawrence A. Laskey
  • Vice President, Counsel
  • Van Ru Credit Corporation

2
G-L-B Act
  • Part One: Privacy
    • Limits disclosure
    • Requires disclosures
  • Part Two: Safeguard standards
    • Effective May 23, 2003
    • Later for some servicers

3
Safeguard Standards: Federal Agencies
  • G-L-B Act 501(b)
  • Banking agencies
  • Securities and Exchange Comm.
  • Federal Trade Commission
  • All others
  • Established by rule

4
FTC Safeguard Standards
  • Diversity
  • Consistency
  • Potential for overlap
    • Affiliates
    • Servicers
    • Recipients from multiple sources

5
Safeguard Standards: Objectives
  • Ensure security and confidentiality of customer
    records/information
  • Protect against anticipated threats to security/
    integrity
  • Protect against unauthorized access/use

6
Why Comply?
  • Impact identity theft
  • Penalties for non-compliance
  • No private suits, but...
  • Investigation of complaints
  • Consumer damages

7
Compliance with other privacy laws?
  • Not adequate
  • Comparable protections
  • Banking agencies

8
What Information is covered?
  • Nonpublic personal information
  • Privacy rules: consumer (applies for loan) vs.
    customer (gets the loan)
  • G-L-B Act 501(b): customer information
  • May include consumer information
  • Protect customer information
  • Reliably separated?

9
Who Must Comply?
  • Financial institutions
  • Originator
  • Recipient (from financial institution)
  • Non-financial institutions
  • Affiliates
  • Service providers
  • FTC encourages oversight

10
Written Information Security Plan
  • Appropriate to the organization
  • Size/complexity
  • Nature/scope of activities
  • Sensitivity of information
  • Need not be in single document
  • Must remain current

11
Scope of Plan: Five Steps
  • Designate a coordinator
  • Identify risks/assess safeguards
  • Design and implement safeguards
  • Assure service provider compliance
  • Regularly evaluate and adjust

12
Designate a coordinator
  • Point of Contact
  • Accountability
  • Position of responsibility
  • Appropriate focus level
  • Flexibility
  • Outsource/oversight
  • Multiple coordinators

13
Identify Risks/Assess Safeguards
  • Concerns center on
    • Security
    • Confidentiality
    • Integrity
    • Internal and external
  • For each operational area
    • What are the risks?
    • How (well) are they met?

14
Identify Risks/Assess Safeguards
  • Risk Assessment Focus
    • Employee training and management
    • Information systems
      • Processing, storage, transmission, disposal
    • Management of system failures
      • Attacks, intrusions, failures
  • Limited (currently) guidance

15
Design and Implement Safeguards
  • To control identified risks
  • Reasonable response
  • Regularly test/monitor
    • Are procedures followed?
    • Are they effective?
    • Can they be improved?

16
Service Provider Compliance
  • Broadly read
  • Contractually bound
  • Capable of maintaining appropriate safeguards
  • Level of review: reasonable steps
  • Servicer: detect and respond
  • You: discover and respond to known failures

17
Evaluate and Adjust
  • Technology
  • Business changes
  • Operational methods
  • Type of business
  • Organizational changes
  • Outsourcing
  • Results of testing/monitoring

18
Testing/Monitoring Example
  • Monitoring log files
    • Who is accessing what? Doing what?
    • Who failed, and how often?
  • Conducting audits
    • Rent-a-hacker?
    • Audit software
    • Talk to IT
  • List salting
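
The three log-monitoring questions on this slide (who is accessing what, doing what, and who failed how often) can be answered mechanically from an access log. The following is an added example, not part of the presentation; the log line format and the sample records are constructed, and the failure threshold is an assumed review trigger.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (not from the presentation); the format
# (timestamp, user, action, customer record id, result) is an assumption.
SAMPLE_LOG = """\
2003-06-02T09:01:12 user=jdoe action=view record=ACCT-1001 result=ok
2003-06-02T09:01:40 user=jdoe action=view record=ACCT-1002 result=ok
2003-06-02T09:02:05 user=msmith action=login record=- result=fail
2003-06-02T09:02:30 user=msmith action=login record=- result=fail
2003-06-02T09:03:01 user=msmith action=login record=- result=fail
2003-06-02T09:03:20 user=msmith action=login record=- result=fail
2003-06-02T09:05:44 user=tlee action=export record=ACCT-1001 result=ok
2003-06-02T09:06:10 user=tlee action=view record=ACCT-2200 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) result=(?P<result>ok|fail)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def access_summary(events):
    """Who is accessing what, doing what: {user: {record: [actions]}} for successes."""
    summary = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["result"] == "ok" and e["record"] != "-":
            summary[e["user"]][e["record"]].add(e["action"])
    return {u: {r: sorted(a) for r, a in recs.items()} for u, recs in summary.items()}

def failure_counts(events):
    """Who failed, and how often: number of failed events per user."""
    return Counter(e["user"] for e in events if e["result"] == "fail")

def flag_repeated_failures(events, threshold=3):
    """Users whose failure count reaches the (assumed) threshold, for follow-up review."""
    return sorted(u for u, n in failure_counts(events).items() if n >= threshold)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(access_summary(evs), dict(failure_counts(evs)))
    print("review:", flag_repeated_failures(evs))
```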

19
Proactive approach
  • Risk awareness
  • Response in advance
  • Active monitoring and audits
  • Adequate resources

20
FTC Educational Materials
  • Generality and flexibility of rules
  • Lots of "it depends"
  • Training sessions June, 2003
  • http://www.ftc.gov/privacy/privacyinitiatives/safeguards_educ.html
  • Employees / Systems / Failure management

21
FTC Educational Materials: Employees
  • Reference checks
  • Written agreements
  • Training
  • Types of information
  • Security rules
  • Fraud detection/reporting
  • Information request referral

22
FTC Educational Materials: Employees
  • Regular reminders
  • Refresher training
  • Updates
  • Posting
  • Limit access
  • Enforcement

23
FTC Educational Materials: Information Systems
  • Network and software design
  • Information handling
  • Protect against
    • Hackers
    • Disgruntled employees
    • Carelessness
  • Physical / transmission / disposal security

24
Information Systems: Physical Security
  • Limited access
  • Locked storage
  • Secure servers
  • Strong passwords

25
Information Systems: Physical Security
  • Avoid storage on equipment with Internet
    connection
  • Inventory control (equipment and media)
  • Protect from destruction/damage
  • Maintain secure back up/archives

26
Information Systems: Transmission Security
  • Both collected and transmitted
  • In-transit encryption
  • Automatic secure transmission of information
    from customers
  • Email
  • Caution against using it, or
  • Protect against unauthorized access

27
Information Systems: Transmission Security
  • Top 20 Internet/ top 10 Web application
    security vulnerabilities
  • www.sans.org/top20
  • www.owasp.org

28
Information Systems: Disposal Security
  • Shredding
  • Erasure of electronic media
  • Clear and appropriate retention policies
  • Retention supervision/accountability

29
FTC Educational Materials: Managing System Failures
  • Prevention, detection and response to attacks,
    intrusions and system failures
  • Contingency planning for failures
  • Physical
  • Administrative
  • Technical

30
FTC Educational Materials: Managing System Failures
  • Know your vulnerabilities
    • Top 20 / Top 10
    • Check with vendors
    • www.ftc.gov/infosecurity
  • Up to date virus software/firewalls
  • Centralize management of security tools for
    employees
  • Routine data back up

31
FTC Educational Materials: Managing System Failures
  • Communicate risks/breaches
  • Notify customers
  • CA Security Breach Information Act
  • Notification of Risk to Personal Data Act (SB
    1350)
  • Unencrypted data
  • Name plus ID/PIN/SSN

32
FTC Safeguard Standards: Conclusion
  • Protect privacy
  • Customer information
  • Originator or recipient
  • Affiliates, servicers
  • Flexible approach
  • Detailed review
  • Proactive, ongoing assessments

33
Thank You!

34
Fair Credit Reporting Act
  • Presentation for 2003 Fall Training Conference
  • Arthur J. Rotatori
  • McGlinchey Stafford, PLLC
  • Telephone 216-378-9932
  • Email arotatori_at_mcglinchey.com

35
Overview
  • FCRA establishes rules within which consumer
    reporting agencies (CRAs) must operate and
    establishes disclosure requirements for users of
    consumer reports.

36
Definitions
  • Consumer: Individual or natural person.

37
Definitions
  • Consumer Report: Any communication of
    information by a CRA bearing on a consumer's
    creditworthiness, credit standing, credit
    capacity, character, general reputation, personal
    characteristics or mode of living that is used to
    establish the consumer's eligibility for consumer
    purpose credit or insurance, for employment
    purposes or for any other authorized purpose.

38
Definitions
  • Excludes
    • Reporter's own transactions or experiences with
      consumer
    • Interaffiliate communication of other information
      if consumer is first given notice and opt-out
      opportunity
    • Credit card issuer's approval of specific credit
      extension
    • Report in which creditor conveys credit decision
      to third party who requested that the creditor
      extend credit to the consumer, if the third party
      gives the creditor's name and address to consumer

39
Definitions
  • Consumer Reporting Agency: Entity that, for
    compensation or on a cooperative nonprofit basis,
    regularly assembles or evaluates credit or other
    information about consumers for the purpose of
    furnishing consumer reports to third parties.

40
Sharing Information with Affiliates
  • Before creditor can share consumer's other
    information with its affiliates, consumer must
    be notified that such sharing is possible and
    given an opportunity to opt out of that sharing.
  • No final regulatory requirements yet regarding
    content or timing of FCRA notice

41
Adverse Action Notices/Consumer Report Information
  • User must provide notice when, based in whole or
    in part on consumer report information, it takes
    adverse action on a credit request or other
    application initiated by consumer
  • Notice must include
    • Name, address, phone number of CRA that furnished
      report
    • Statement that CRA did not make credit decision
      and cannot provide specific reasons for adverse
      action

42
Adverse Action Notices/Consumer Report Information
  • Notice must include
    • Statement that consumer has 60 days to request
      free copy of his consumer report
    • Statement that consumer has right to dispute with
      the CRA the accuracy and completeness of any
      information in the report

43
Adverse Action Notices/Third Party Information
  • If creditor takes adverse action based on
    information from other than CRA, it must provide
    adverse action notice within reasonable period of
    time.
  • Notice must inform consumer of his right to make
    written request within 60 days for disclosure of
    nature of information on which adverse action was
    based
  • Nature of information should provide enough
    detail to enable consumer to question accuracy of
    information he thinks is erroneous

44
Adverse Action Notices/Affiliate Information
  • If adverse action is based on other information
    obtained from affiliate, consumer must be given
    adverse action notice as if information came from
    non-affiliated party.
  • No FCRA notice required for adverse action based
    on transaction or experience information from
    affiliate (although Regulation B adverse action
    notice is still required).

45
Prescreening
  • Creditor may obtain prescreened list to use in
    marketing its products and post-screen those who
    respond to the offer if
    • Creditor establishes specific criteria for the
      product being offered before prescreening starts.
    • Creditor compiles record of those criteria and
      retains it for three years.

46
Prescreening
  • Solicitation sent to consumers on list must
    include notice that
    • Credit offer is result of prescreening done by
      CRA
    • Credit offer is conditioned on verification that
      consumer still meets criteria for offer and (if
      applicable) his providing required collateral
    • Consumer may notify CRA if he wants to be
      excluded from future prescreening lists that CRA
      compiles.

47
Furnishing Information to CRAs
  • Accuracy of Information
    • Creditor cannot report information that it
      knows/should have known is inaccurate
    • After discovering inaccuracy, creditor cannot
      report that information again until it is
      corrected
    • Information already reported must be promptly
      corrected

48
Furnishing Information to CRAs
  • Accuracy of Information
    • Creditor can prescribe address that consumers
      must use in reporting informational inaccuracies
      to it.
    • Creditor is not thereafter responsible for
      responding to notices sent elsewhere.

49
Furnishing Information to CRAs
  • Reporting Account Closures, Collection Accounts
    or Chargeoffs
    • When consumer voluntarily closes account,
      creditor must notify CRA that it was voluntary if
      it was done solely at consumer's request.
    • When reporting to CRA that loan has been assigned
      for collection or charged off, creditor must also
      report the month/year when the delinquency began
      that led to the action.

50
Furnishing Information to CRAs
  • Investigating Disputes
    • Creditor has affirmative duty to participate in
      CRA's reinvestigation of disputes regarding
      accuracy of information.
    • CRA must notify creditor of consumer dispute
      within 5 days of receiving his notice.
    • Creditor must investigate the disputed
      information and report back to CRA within 30 days
      after consumer notified CRA of dispute; creditor
      gets 15 days more to investigate if consumer
      subsequently submits additional information.

51
Compliance Obligations for Users of Consumer Reports
  • Permissible Purpose: User must have permissible
    purpose for obtaining consumer report.
    • Evaluating job applicant or establishing
      employee's eligibility for promotion,
      reassignment or continued employment
    • Insurance underwriting
    • Determining eligibility for license or other
      benefit from governmental entity
    • Legitimate business need

52
Compliance Obligations for Users of Consumer Reports
  • Permissible Purpose: User must have permissible
    purpose for obtaining consumer report.
    • Court order or subpoena
    • Consumer authorization
    • Extension or collection of consumer credit
    • For individual who will be personally liable on a
      business debt (borrower, co-signer or guarantor)
    • Pre-screened lists to be used in marketing

53
Fair Credit Reporting Act
  • Presentation for 2003 Fall Training Conference
  • Arthur J. Rotatori
  • McGlinchey Stafford, PLLC
  • Telephone 216-378-9932
  • Email arotatori_at_mcglinchey.com