No name

1
Privacy Initiatives

• Presentation for 2003 Fall Training Conference
• David W. Thompson
• McGlinchey Stafford, PLLC
• Telephone 216-378-9998
• Email dthompson_at_mcglinchey.com

2
Starting At The Top FCRA Preemption And Sunset
Date

• Section 624 Relationship Between FCRA and State
  Laws No State Law Requirement or Prohibition May
  Be Imposed Related To
• Permissible Purpose for Prescreening/Extending
  Firm Offers of Credit Prescreening Opt-Out
  Procedures
• Timing for CRAs To Investigate and Give Notices
  of Disputed Information
• Duties of Report User Taking Adverse Action or
  Extending Firm Offers of Credit
• Kind of Info Contained in Consumer Report

3
Starting At The Top - FCRA Preemption And Sunset
Date

• Section 624 Relationship Between FCRA and State
  Laws No State Law Requirement or Prohibition May
  Be Imposed Related To
• Responsibilities of Information Furnishers
• Exchange of Information Among Affiliates (Except
  pre-existing Vermont law)
• Form and Content of Notice CRAs Provide Consumers
  Summarizing Their Rights

4
Starting At The Top - FCRA Preemption And Sunset
Date

• Section 624 Preemption by FCRA Will NOT Apply
  to State Laws
• Enacted After 1/1/2004
• Stating Their Intention to Supplement FCRA and
• Giving Greater Protection Than Provided Under FCRA

5
Removal of FCRA Preemption Sunset

• HR 2622 (Fair and Accurate Credit Transactions
  Act of 2003) Approved by Full House 9/10/03 in
  392-to-30 Vote With Minor Amendments
• S 1753 (National Consumer Credit Reporting
  System Improvement Act of 2003) Reported To
  Senate Floor by Senator Shelby On 10/17/03
• Both Would Permanently Remove Sunset on FCRA
  Preemptions of State Law in Section 624
• Wild Cards Senate Appetite For Re-opening GLBA
  Opt-In v. Opt-Out Debate For Sharing Information
  With Nonaffiliates For Lifting Preemptive
  Effect of FCRA On Information Sharing by
  Affiliates Under California Law

6
FCRA Identity Theft Provisions

• New Identity Theft/Red Flag Investigation and
  Notification Obligations On Credit and Debit Card
  Issuers That Receive Requests For Additional or
  Replacement Cards From Existing Accounts After
  Receiving Address Change Notice
• Could Require That Card Issuers Notify Cardholder
  Of Card Request At Old Address Pursuant To Bank
  Agency Regulations And Means Of Promptly
  Reporting Problems (Or Follow Other Reasonable
  Procedures For Assessing The Validity of Address
  Change)
• Regulations Could Include Obligation For Issuer
  to Give Red Flag Notice To Consumer After Use Of
  Account Dormant For Previous Two Years And In
  Other Appropriate Circumstances

7
FCRA Identity Theft Provisions

• Requires That Consumer Reporting Agencies
• Include Fraud Alerts For At Least 90 Days About
  Consumers Who Think They Might Be Fraud Victims
  (Longer Upon Consumers Request)
• Disclose That Consumer May Obtain Free Copy(ies)
  of Their File Within 3 Days of Request
• Exclude Consumer From Prescreened Lists
• Share Fraud Alert With Other Nationwide CRAs
• Give Consumer Option of Including More Complete
  File Information Through Which Users May Obtain
  Authorization For Future Credit Extensions
• Establish Procedures For Including Active
  Military Duty Alerts

8
FCRA Identity Theft Provisions

• Requires That Consumer Reporting Agencies
• Block Reporting Of Information Within 3-5 Days
  That Consumer Says Resulted From Alleged Identity
  Theft AFTER CRA Receives
• Proof of Consumer Identity
• Identity Theft Report Evidencing Consumers Claim
• Identification Of Information By Consumer
• Promptly Notify Information Furnisher That
• Information May Be Result of Identity Theft
• Police Report Filed And Block Requested

9
FCRA Identity Theft Provisions

• Might Require That Fraud Alert Include
  Information Notifying Prospective Users That
  Consumer Does Not Authorize Any New Credit Plans
  In Their Name Unless User Follows Reasonable
  Procedures To Confirm Consumer Identity (May
  Require Obtaining Verbal Authorization Of
  Consumer At Their Designated Telephone Number Or
  Some Other Agreed-Upon Means of Communication)

10
FCRA Identity Theft and Credit Score Disclosures

• Consumer Reporting Agencies Must Provide
  Consumers Who Believe They Are Fraud Victims With
  Summary of Their Legal Rights And Procedures For
  Remedying Offense FTC and Banking Regulations To
  Develop Model Summary of Rights
• Changes To Availability of Free Reports
  Nationwide CRAs Must Provide And Required
  Disclosures About Availability and Meaning of
  Credit Score Information
• Disclosure/Prescribed Notice Requirements For
  Mortgage Brokers And Lenders About Credit Score,
  Factors Resulting In Score Related To Open-End
  Closed-End Mortgage Credit For Consumer Purposes

11
FCRA Furnishing Of Information

• HR 2622 Prohibits Furnisher From Reporting
  Information It Has Reasonable Cause To Believe
  Is Inaccurate (Enough To Give Reasonable Person
  Substantial Doubts About Accuracy), and Requires
  That Furnishers Establish Reasonable Procedures
  For Furnishing Accurate Information
• Allows Consumers To Dispute Accuracy DIRECTLY
  With Furnisher By Sending Notice, Complete
  Investigation Of All Relevant Information Within
  Prescribed Time AND Promptly Correct Inaccurate
  Information With CRAs
• Not Contained in S 1753

12
FCRA Information Furnishing and Penalty APR
Disclosures

• HR 2622 Requires That Information Furnishers Give
  Consumer One-Time Written Notice Using Model
  Federal Reserve Disclosure Indicating That
  Negative Information (Delinquencies, Late
  Payments, Insolvency, Any Default) Might Be
  Furnished To Nationwide CRAs No Later Than 30
  Days After Furnishing Any Such Negative
  Information
• HR 2622 Requires That Credit Card Issuers
  Disclose in Prescreened Offers If APR of Credit
  Card Account Might Increase For Reasons Unrelated
  To Particular Account Performance
• Not Contained in S 1753

13
FCRA Identity Theft Disclosures and Truncation

• If FDCPA Debt Collector Learns Information
  Reported Is Result Of Identity Theft Or Fraud,
  Debt Collector Must Notify Furnisher (If
  Collector Works For That Furnisher) Or CRA About
  That Information and Provide Consumer With Such
  Information Upon Request
• No Merchant Accepting Credit or Debit Cards May
  Print More Than Last Few Digits of Card Number Or
  Print Card Expiration Date On Any
  Electronically-Printed Point Of Sale Receipt
  (Still Acceptable When Receipt Is Based On Card
  Imprint)

14
FCRA Affiliate Information Sharing

• HR 2622 Is Largely Silent About Information
  Sharing Among Affiliates, But S 1753
• Limits Entitys Ability To Use Info It Might
  Receive From Affiliates To Solicit Consumers For
  Marketing Purposes, Unless Consumer Has Received
  Conspicuous Affiliate Information Sharing Notice
  And Opt-Out Opportunity
• Requires That Consumer Opt-Out Prevent All
  Solicitation For Marketing Purposes, Unless
  Consumer Elects To Selectively Limit Only Certain
  Kinds Of Solicitations
• Exceptions Pre-Existing Business Relationship
  Service Provider Direct Response to Interested
  Consumer

15
California Financial Information Privacy Act

• Codified as Division 1.2 of California Financial
  Code, Sections 4050 et seq., effective 7/1/2004
  (CA-FIPA)
• Includes GLBA (or Similar) Definitions for
• Nonpublic Personal Information
• Personally Identifiable Financial Information
• Affiliates (except to include Franchisor as an
  Affiliate of Its Franchisee For CA-FIPA Purposes)
• Nonaffiliated Third Party

16
CA-FIPA Definitions

• Includes Unique Definitions for
• Financial Institution
• Means Institution Engaged in 1843(k) Financial
  Activities AND Doing Business in California
• Excludes Institutions Primarily Engaged in
  Providing Hardware, Software, or Interactive
  Services If They Do Not
• Act as an FDCPA Debt Collector
• Engage in Activities Requiring a Charter,
  License, or Registration from Governmental
  Banking, Insurance, or Securities Agency
• Excludes GSEs, Professionals Bound by Client
  Confidentiality Requirements
• Excludes CA-Licensed Vehicle Dealers and Lessors
  That Assign Substantially All of Its Installment
  and Lease Contracts to Financial Institutions
  Within 30 Days

17
CA-FIPA Definitions

• Includes Unique Definitions for
• Consumer
• Means Individual California Resident Who Obtains
  or Has Obtained Financial Product or Service Used
  Primarily for Personal, Family, or Household
  Purposes
• Individual Resident of California Is Someone
  Whose Last Known Mailing Address (other than
  Armed Forces or Fleet PO address) On Financial
  Institutions Records Is Located in California
• Necessary to Effect, Administer, or Enforce
• Includes Special Rules for Sharing With Co-Brand
  Retailer Partners
• Includes Special Rules Related to RESPA for
  Advance Settlement Services Disclosure

18
CA-FIPA Overview

• Explicit Prior Consent of Consumer Required
  Before Financial Institution May Share or
  Disclose NPI With Any Nonaffiliated Third Parties
  With LIMITED EXCEPTIONS
• Consumers May Be Entitled To Opt-Out of Certain
  Information Sharing Among Affiliates
  (Preemption?) and With Joint Marketing Partners
• Opt-In/ Opt-Out Notices NOT Required If NPI
  Disclosures Limited To Permissible Disclosures
  Under CA-FIPA Exception

19
CA-FIPA Opt-In For Sharing With Nonaffiliated
Third Parties

• Financial Institution MUST Obtain Consent
  Acknowledgment In Prescribed Form From Consumer
  Before Sharing NPI with Nonaffiliated Third Party
• Financial Institution May Not Discriminate
  Against or Deny Otherwise Qualified Consumer
  Because They Withhold Consent, Unless Sharing Is
  Fundamentally Required Before Product or Service
  Can Be Provided
• HOWEVER, Financial Institution May Offer
  Incentive or Discount to Elicit Specific Response
  From Consumer

20
CA-FIPA Opt-In for Sharing With Nonaffiliated
Third Parties

• Consent Acknowledgment Form MUST
• Be Separate Document, Not Attached to Any Other
  Document
• Dated and Signed by Consumer
• Clearly and Conspicuously Disclose That
• Consumer Is Consenting to Financial Institutions
  Disclosure of NPI to Nonaffiliated Third Parties
  By Signing
• Consent Remains In Effect Until Revoked or
  Modified
• Consent May Be Revoked At Any Time And
• Procedure for Revoking Consent
• Financial Institution Will Maintain Consent Form
• Consumer Is Entitled To Copy of Document Upon
  Request
• Consumer May Want to Make Copy for Consumers
  Records

21
CA-FIPA Sharing With Joint Marketing Partners
Opt-Out

• Consent Requirement Does Not Prohibit Financial
  Institution From Disclosing NPI When Jointly
  Offering Financial Product Under Written
  Agreement with Receiving Financial Institution
  PROVIDED
• Product Is One Provided By At Least One of the
  Financial Institutions That is Party To The
  Written Agreement
• Product Is Jointly Offered/Endorsed/Sponsored By
  Disclosing and Receiving Institutions That Are
  Conspicuously Identified
• Written Agreement Requires That Disclosing
  Financial Institution Maintain Confidentiality of
  NPI AND Prohibits Disclosure or Use For Any
  Purpose Other Than Joint Offering or Servicing of
  Identified Product (Grandfathering Through
  1/1/2005 of Contracts Dated Before 1/1/2004)
• Disclosing Financial Institution Delivers
  Prescribed Opt-Out Notice and Consumer Has Not
  Exercised Opt-Out

22
CA-FIPA Affiliate Information Sharing (If Not
Preempted)

• Financial Institution May NOT Disclose NPI With
  AFFILIATE Unless It Has Notified Consumer
  ANNUALLY In Writing About Affiliate-Sharing And
  Consumer Has Not Opted-Out (Annual Notice Not
  Required If Continuing Relationship Has Ended)
• Maintenance of Information in Common Information
  Systems Not Considered Disclosure to Affiliate If
  Receiving Affiliate Does Not Make Further Use or
  Disclosure of NPI About Consumer Who Exercised
  Opt-Out

23
CA-FIPA Affiliate Information Sharing (If Not
Preempted)

• No Restriction On Sharing of NPI Between
  Institution and Wholly Owned Subsidiaries or
  Among Financial Institutions Wholly Owned By Same
  Holding Company PROVIDED BOTH Disclosing and
  Receiving Financial Institutions
• Are Regulated by Same Functional Banking,
  Insurance or Securities Regulator (OCC, OTS, NCUA
  and Any State Depository Institution Regulator
  Deemed Same Functional Regulator)
• Are Principally Engaged in Same Line of Business
  (Either Insurance, Banking, or Securities)
• Share Common Brand Within Marks/Name

24
CA-FIPA Form of Opt-Out Notice

• Prescribed Form for Opt-Out Notice With
• Title, Caption, Type, Margin, Spacing
  Requirements
• Separate Document, Not More Than One Page
• Check-Off Box for Consumer Choices
• Plain Language and Reading Ease Requirements
• Forms May Be Submitted for Functional Regulators
  Approval
• Envelope Disclosure and Other Requirements for
  Outbound Envelope Enclosed Self-Addressed Reply
  Envelope and Cost-Free Reply Alternatives

25
CA-FIPA Opt-Out Opportunity

• Financial Institutions Must Comply With Opt-Out
  Within 45 Days of Receiving Direction From
  Consumer
• Financial Institution That Did Not Describe
  Opt-Out Opportunity in Annual Notice Must Give
  Notice and Wait 45 Days From Mailing Before
  Disclosing NPI

26
CA-FIPA Other Issues

• Financial Institution May Not Discriminate
  Against or Deny Otherwise Qualified Consumer
  Because They Exercised Opt-Out, Unless Sharing Is
  Fundamentally Required Before Product or Service
  Can Be Provided
• HOWEVER, Financial Institution May Offer
  Incentive or Discount to Elicit Specific Response
  From Consumer

27
CA-FIPA Other Issues

• Nothing in CA-FIPA Prevents Financial Institution
  From Marketing Its Own Products Or Those Of
  Affiliates and Nonaffiliated Third Parties
  PROVIDED
• NPI Is Disclosed Only As Permitted Under
  Servicing Exception
• If Nonaffiliated Third Party Could Learn NPI
  About Responding Consumer, That Nonaffiliated
  Third Party Has Signed Contract
• Prohibiting Use of Information For Any Purpose
  Other Than Purpose For Which It Was Provided and
• Granting Financial Institution Audit/Inspection
  Right to Verify Compliance By Nonaffiliated Third
  Party

28
CA-FIPA Other Issues

• Entity Receiving NPI From Financial Institution
  May NOT Disclose Information To Any Other Entity,
  Unless Disclosure Would Be Lawful If Mad Directly
  by Financial Institution
• Entity Receiving NPI Under Servicing Exception
  May NOT Use or Disclose Information Except In
  Ordinary Course of Business To Carry Out Activity
  Covered By Exception Under Which Information Was
  Received

29
CA-FIPA Other Issues

• Financial Institution Providing Financial Product
  For/With Non-Financial Affinity Partner May
  Disclose Customer Name, Home and E-Mail Address,
  Phone (Plus Purchases With Affinity Credit Card)
  PROVIDED
• Customer Has Not Exercised Opt-Out
• Affinity Partner Contractually Obligated To
  Maintain NPIs Confidentiality and Prohibited
  From Using Information For Purpose Other Than
  Verifying Membership/ Contact Information Or
  Offering Its Own Products or Services
• Affinity Partner Cannot Learn Any Additional NPI
• Affinity Partner Includes E-Mail Notice That
  Would Allow Customer To Opt-Out Of Future E-Mails
• Section Does NOT Apply To Credit Cards Issued In
  Retail Sellers Name

30
CA-FIPA Servicing Exceptions

• Most Servicing Exceptions Under GLBA That Permit
  Financial Institution To Share NPI With Others
  Also Included in CA-FIPA
• One Unique CA-FIPA Exception Permits Disclosure
  of NPI To Affiliate Or Nonaffiliated Third Party
  That Performs Business or Professional Services,
  Such As Printing, Mailing Services, Data
  Processing or Analysis, Customer Surveys for
  Financial Institution PROVIDED
• Institution Could Lawfully Perform Services For
  Itself
• Contract In Place Prohibiting Receiving Party
  From Disclosing or Using NPI For Other Purposes
• NPI Disclosed Is Limited To Information Necessary
  To Perform Services
• Disclosing Financial Institution Is NOT Paid By
  Recipient

31
CA-FIPA Civil Penalties

• Negligent Disclosure of NPI Could Result In Civil
  Penalty of 2,500 Per Violation (Capped At 500K
  If NPI of More Than One Person Disclosed)
• Entity That Knowingly and Willfully OBTAINS,
  DISCLOSES, SHARES, or USES NPI In Violation of
  CA-FIPA Could Result In Civil Penalty of 2,500
  Per Violation (Capped By Net Worth of Entity,
  Harm Caused, Profit Derived, Seriousness and
  Persistence of Violation, Etc.)
• Civil Penalties Doubled If CA-FIPA Violation
  Results In Identity Theft
• No Private Right of Action Action May Only Be
  Brought by AG or Functional Regulator