
  Business Credit Law and Regulations  

Your Customer's Privacy Rights
Whose Financial Information is it Anyway?


By Scott Blakeley Esq.
Reprinted by permission from Trade Vendor Quarterly Blakeley & Blakeley LLP


With the arrival of the Internet and sharing of a customer's financial information electronically, a customer's privacy rights to financial information are now at the forefront of legislation passed, and pending, by the U.S. Congress and state legislatures. The Federal Trade Commission, the federal agency that regulates federal privacy legislation, is active in interpreting this legislation and is concerned with the unauthorized release of private credit information to third parties, including the dramatic rise of the crime of identity theft. Courts, including bankruptcy courts, have recently wrestled with the breadth of a customer's privacy rights and duties owed to customers.

Privacy groups and the press have made privacy rights a high profile topic. Indeed, according to a Wall Street Journal poll, Americans view loss of privacy rights as their greatest concern for the new century. Balancing the breadth of privacy rights and legislation is a difficult task, as information that is protected under privacy legislation means groups are denied access to financial information they believe they have a right to.

Credit professionals and their management must now consider whether to comply with new privacy legislation and audit their financial information gathering practices and disclose to customers how the information is shared. Compliance with the new privacy legislation is estimated to cost banks, insurance companies and finance companies billions of dollars. Big Five accounting firms and consulting firms now sell privacy audits to businesses to comply with privacy legislation and enforcement. With the arrival of new privacy legislation, it is expected that class action attorneys will gear up with private cause of action claims against businesses for tortious invasion of privacy claims and negligence claims for failure to keep a customer's private financial information secure.

The essence of recent privacy legislation is to protect a party from the unauthorized release of private financial information to third parties. This means that there must now be disclosure by financial institutions to certain customers of their privacy policy, which includes disclosing that they collect financial information about the customer, that their financial information is shared with third parties, and that the customer may opt out of the sharing of the financial information.

What kind of business must comply with the new privacy legislation? Does the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act ("GLB"), apply to a vendor extending commercial credit? What kind of customers may be protected under this privacy legislation? Are corporations and LLCs protected under the privacy legislation? What of sole proprietors? What kind of financial information is subject to the privacy legislation? Does private information include information publicly available? How does the privacy legislation affect the credit professional gathering and exchanging customer information with other credit professionals? What steps should the credit professional consider taking to comply with the legislation, especially with the threat of litigation?

Recently enacted privacy legislation, including the GLB, is intended to protect against the unauthorized release of private financial information to third parties. However, in a rush to protect privacy rights, the U.S. Congress has enacted broadly worded legislation that attempts to protect financial information but may have the unintended consequence of impeding the sharing of certain account information as well as collection of commercial debts. The breadth of the new privacy legislation is starting to be tested in the courts.

I. Gramm-Leach-Bliley Act of 1999 / The Financial Services Modernization Act / Title V

A. Purpose

GLB repeals the Glass-Steagall Act that separated commercial banking from other businesses. Under Title V of GLB, extensive privacy protections and restrictions are imposed on disclosure of information about certain customers. It also requires that safeguards are in place to protect a customer's private information.

GLB is a federal statute that applies to all states. States may adopt their own privacy legislation that imposes even greater privacy protections. GLB's focus is on protecting the financial information of the consumer. But what is a "consumer" under GLB? Does GLB limit an individual's information to that relating to transactions for personal, family or household purposes? Does GLB protect the private financial information of sole proprietors, general partners or individual guarantors of business debt?

B. Key Terms of GLB

To determine whether GLB applies to a vendor extending commercial credit, the key terms of GLB must be examined. The inquiries are: (1) is a vendor a "financial institution" under GLB?; if so, (2) what kind of customer is protected under GLB?; if a customer includes a party that obtains commercial credit, then (3) what kind of information is protected under GLB?; and, finally, (4) what are the steps to comply with GLB?

1. What is a Financial Institution?

GLB broadly defines "financial institution" as:

"any institution engaged in the business of providing financial services to customers who maintain a credit . . . relationship with the institution."

GLB clearly applies to banks, insurance companies and securities dealers. GLB also appears to apply to finance companies and mortgage companies. Is a vendor extending trade credit engaging in the business of providing financial services under GLB? According to rules set forth by the FTC, a business entity that is not a traditional financial institution, such as a bank, must be "significantly engaged" in financial activities before GLB applies. An argument can be made that a vendor regularly extending trade credit may be significantly engaged in financial activities.

In a recent court test that considered the breadth of the definition of Financial Institution, Trans Union credit reporting service sued the FTC contending it is not a Financial Institution under GLB. The federal court rejected Trans Union's claim, giving the FTC discretion to broadly interpret GLB's statutory definitions.

2. What is a Customer Relationship?

A Customer Relationship determines whether the Financial Institution must comply with privacy notice requirements of GLB. A Customer Relationship is defined as a continuing relationship between a Financial Institution and party under which the Financial Institution provides one or more products that are to be used primarily for personal purposes. If a Financial Institution does not have a customer relationship, then notice is required only where there is an intent to disclose nonpublic information to third parties.

The Federal Reserve and FDIC's commentary suggests that GLB does not apply to customers of a financial institution that are corporations or LLCs. The FTC's commentary also suggests that GLB does not apply to individuals, such as sole proprietors, when they obtain financial products for business or commercial purposes. Whether credit extended is for commercial purposes may be analyzed under the criteria set forth in Regulation Z and the Truth-in-Lending Act.

If a business is a Financial Institution under GLB and the customer is protected under GLB, the Financial Institution has a duty to protect the security of a customer's non-public personal information. A Financial Institution may not disclose non-public personal information to third parties unless an opt out notice is sent to the customer.

3. What Information is Covered?

GLB covers non-public personal information, which includes information resulting from a transaction with the customer. The FTC views any personally identifiable information provided to a Financial Institution, even if available from other public sources, covered by GLB.

As an example of the broad interpretation of information protected under GLB, the Trans Union court ruled that credit bureaus are barred from selling "credit headers", which are a consumer's name, address and Social Security number, to marketers. Prior to GLB, "credit headers" were sold without consent. The FTC views "credit headers" as "financial information" under GLB and the Trans Union court agreed. Although the credit header does not include financial information about credit history or bank accounts, the FTC's view is that identifiable information provided to the Financial Institution, even if available from public sources, is covered by GLB.

C. Notice Requirements

GLB requires notice to customers.

1. Initial Notice

GLB requires a Financial Institution to provide an initial notice to customers of their privacy policy, and if they will disclose personal information to third parties. The notice should state the institutions that the Financial Institution will disclose the information to. The initial notice should also state the security and confidentiality of a customer's personal information. Electronic notice to a customer is effective, provided the customer agrees.

2. Annual Notice

In addition to the initial notice requirement, a Financial Institution is required to provide an annual notice of whether personal information is to be shared. As with the initial notice, electronic notice is effective, provided the customer agrees. The notice requirements of privacy policies are intended to allow potential customers the opportunity to review the privacy policy. Posting a notice on a Web site is acceptable if the customer agrees.

3. Opt Out/Consent

If the Financial Institution intends to share private information, it must provide a party with an opportunity to opt out. The opt out notice provides for consent by the customer to allow the Financial Institution to share information with third parties. Certain state agencies are refusing to release information of sole proprietors. For example, the California State Board of Equalization refuses to release information of sole proprietors holding licenses or permits, absent consent from the sole proprietor.

D. Complying with GLB

If GLB applies, the following steps should be considered.

1. Privacy Policy and Notices

The credit professional should consider how customer information is collected and shared. The credit professional should have its company adopt a policy as to notification of customers, storing private information and sharing private information with third parties. The notice should also provide for customers to opt out of the sharing of information prior to disclosing to third parties. A customer list should be maintained listing those that receive initial and annual notices. Employee access to customers' private information should be limited, and customers' records should be protected against threats.

2. Security

In addition to privacy notices, GLB requires that a customer's information be secure. Personal information should be protected by reasonable security safeguards against such risks as loss or unintended disclosure of customers' information.

3. Written Manual

The vendor should have a company policy manual advising of its privacy policy.

4. Training

Train credit and sales staff as to the privacy policy. GLB applies to agents of the company cloaked with authority to request information from an applicant. Some companies have employed a Chief Privacy Officer or an information manager to comply with privacy policy.

5. Credit Application

The credit application should disclose the policy of gathering and sharing private information with third parties. A signature block may be added to the credit application to have the customer opt out of the sharing of information.

6. Guarantee

The personal or corporate guarantee should disclose the policy of gathering and sharing private information with third parties.

7. Privacy Audit

Big Five accounting firms and consulting firms have launched specialized units that sell privacy audits to comply with legislation. Consultants review a company's computer databases to determine how personal identifiable information is used.

E. Violation of GLB Act

GLB prohibits disclosure of information that is obtained from the customer by deception. GLB creates liability for anyone who obtains or discloses information, without knowledge of any inappropriate conduct. Liability is not limited to the party participating in the violation, but may extend through the chain of custody of the tainted information.

1. Defense to Alleged Violation

A possible defense to an alleged violation of GLB is the doctrine of corporate free speech. A vendor may contend that attempts to outlaw or restrict the sale or sharing of personal information and public records violates the First Amendment right to communicate with customers.

In the Trans Union case, Trans Union's right of corporate free speech in selling "credit header" information failed. The court ruled that the FTC's interest in protecting privacy rights under GLB outweighs Trans Union's First Amendment Rights of commercial speech.

F. Regulation and Enforcement of GLB Act

1. Private Cause of Action

GLB does not provide for standing for a private cause of action. However, it may be that private parties will be authorized to pursue claims under GLB. Traditionally, class action lawyers have pursued claims for corporate invasion of privacy. However, prior to the enactment of GLB, privacy laws protected against invasions by the government, not by business. GLB may provide class action lawyers with a fresh approach to invasion of privacy claims. Privacy watchdog groups have also formed, such as the Privacy Foundation, which investigate whether businesses are complying with privacy legislation.

2. Public Enforcement

The Federal Trade Commission enforces GLB on behalf of the government.

3. Penalties and Liabilities

GLB provides for punitive damages, attorneys' fees and costs. GLB also provides for criminal liability of up to five years.

II. Bankruptcy Privacy Issues

A customer's privacy rights in the context of a bankruptcy are also being considered by bankruptcy courts, the FTC, privacy groups and the U.S. Congress.

A. Customer Lists and the Privacy Pledge Problem

A dot-com's customer list may be its most valuable asset, as the customer list contains information concerning a customer's buying preferences, names and ages of children, credit card numbers, birth dates, and other information, which customers may not wish to disclose to third parties. For years, brick-and-mortar companies have sold their customer lists as assets in bankruptcy proceedings without objections by government agencies. However, due to the detailed nature of the customer list and the dot-com's privacy pledge, its treatment in an e-bankruptcy may bring conflicting interests with the FTC and State Attorneys General.

There is no federal privacy law that expressly prohibits a dot-com from selling its customer list, although the pending Bankruptcy Reform Act of 2001 proposes to address this. However, a dot-com may still encounter opposition from federal and state regulatory agencies in trying to sell its customer list, where privacy was promised by the dot-com when the customer information was collected.

The dot-com Toysmart generated controversy with its attempts to sell its customer list. Unable to pay its creditors, Toysmart filed Chapter 11. Toysmart solicited bids for its assets, which included its customer list, despite a posted privacy statement promising not to share such information. Toysmart's customer list comprised 250,000 customer names and related information, including addresses, shopping preferences, order history, billing information, credit card numbers, and family profiles, including information about customers' children. Toysmart believed the customer list was worth millions of dollars. Toysmart pledged to its customers that information provided would be private in an effort to attract traffic to its website:

Privacy Guarantee

[W]e take great pride in our relationships with our customers and pledge to maintain your privacy while visiting our site. Personal information voluntarily submitted by visitors to our site, such as name, address, billing information and shopping preferences, is never shared with a third party.

Toysmart had its web site's privacy policy certified by the TRUSTe Privacy Seal Program. Under the privacy seal program, a customer can protect information by clicking on the seal. Using its police powers, the FTC sued Toysmart for deceptive trade practice under Section 5 of the FTC Act, alleging that in attempting to sell its customer list, Toysmart was breaking its own posted privacy policy and violated fair trade practices, and that the bankruptcy court should stop any sale of the customer list. 38 state attorneys general filed objections with the bankruptcy court also seeking to bar the sale of the list.

The FTC reached a settlement with Toysmart that allowed the company to sell its customer list, but only if the bidder complied with the same privacy policy. The creditors' committee of Toysmart objected to the settlement between Toysmart and the FTC, complaining that the settlement would chill bidding. The bankruptcy court refused to accept the deal, instead waiting to see if bidders surfaced. No company bid for the customer list. Toysmart was paid $50,000 by Disney to have its customer database destroyed rather than being sold off to pay creditors.

The privacy pledge issue recently was raised in the eToys Chapter 11 bankruptcy. eToys, an e-tailer, had made a privacy pledge to its customers that their personal information would remain confidential. eToys was unable to pay its obligations and filed Chapter 11. eToys proposed to sell all of its assets to a competitor, including its customer list. Several state attorneys general objected to the sale of the customer list, complaining of a breach of the privacy policy. In a settlement, eToys agreed that no customer information would go to its competitor without customer consent. An opt-in notice is sent to customers. eToys will not give credit card information to the competitor, even for those who opt in.

The U.S. Congress is expected to pass federal legislation to protect a consumer's privacy rights on the Internet in the context of a privacy pledge. States have also stepped up their interest in pursuing their own claims under state consumer protection laws. Several states have proposed laws concerning online privacy. Federal and state regulatory agencies do not believe that the Bankruptcy Code, as presently enacted, preempts their police powers to enjoin a dot-com from selling its customer list where it has made a privacy pledge.

In an attempt to avoid Toysmart's problems of blocking the sale of a customer list, some dot-com e-tailers have changed their privacy statement. Amazon now discloses:

In the unlikely event that, or substantially all of its assets are acquired, customer information will, of course, be one of the transferred assets.

The new disclosure may allow a dot-com to sell its customer list should it fall into insolvency, given that the FTC's and the attorneys general's claims were based on Toysmart's alleged misrepresentations to its customers.

However, if the dot-com e-tailer has made a privacy pledge to its customers, as in Toysmart, and attempts to sell its customer list through bankruptcy, the FTC and state attorneys general will likely attempt to bar the sale.

B. Information on Bankruptcy Petitions

The Bankruptcy Code requires individual debtors, including sole proprietors and guarantors of business debt, to provide sensitive information, including account numbers, social security numbers, tax returns, balances, income sources and payment histories. A national electronic database of bankruptcy information has been established with this detailed information to answer creditor inquiries. As the bankruptcy courts have gone electronic with their dockets of debtor cases, creditors have easier access to what is viewed by Congress in other contexts as private information. A creditor may now use the PACER electronic network to access information of court cases.

A number of federal courts have put entire civil case files online. Courts scan filed documents and make them available over the Internet. Privacy groups are concerned that electronic dockets create the opportunity for identity theft to commit credit card or bank fraud. Courts do not have a uniform policy as to public access to electronic court records. Courts are now considering restricting certain information on electronic court dockets. The FTC requests that courts withhold personal information from electronic court dockets.

The Bankruptcy Reform Act of 2001, which still awaits President Bush's signature, requires even more details concerning an individual's income and expenses under the "means test", which conflicts with GLB's privacy protections and what would be publicly available. The U.S. Congress, the Office of the United States Trustee and private bankruptcy trustees are wrestling with how to safeguard tax returns, wage statements and other sensitive data that are supplied in bankruptcy cases.

C. Bankruptcy Reform Act of 2001

In response to the privacy pledge problem, Congress includes a provision in the Bankruptcy Reform Act of 2001 that prohibits companies in bankruptcy from selling their customer lists to raise money to pay creditors. Rather, a consumer privacy ombudsman is appointed in a bankruptcy case where a debtor attempts to sell its customer list. The ombudsman determines whether the customer list may be sold.

III. Fair Credit Reporting Act

In reaction to concerns over the privacy rights of an individual's consumer credit report, the FTC recently issued an opinion as to the application of the Fair Credit Reporting Act (FCRA) to commercial credit. The FTC states that a vendor must obtain a consumer's consent prior to pulling a consumer credit report, even for a legitimate business purpose. The FTC opinion also does not recognize a right to pull a consumer credit report for a personal guarantee without first obtaining consent.

The FCRA regulates the use of individual credit reports and credit information. Generally the collection of business, trade, and commercial credit reports is not covered by FCRA. The FCRA ensures that credit reporting agencies, and the users of such reports, will respect a consumer's right to privacy by pulling consumer credit reports only after express written authorization of the consumer.

The FCRA requires that a credit grantor provide notice to the consumer if the credit grantor is denying credit, or otherwise taking adverse action with respect to the credit application, based upon the information obtained in the credit report. Thus, a credit grantor will provide notice to the company of the denial of credit; the credit grantor must also provide notice to the president, shareholder or guarantor with respect to whom the credit report was obtained.

The private enforcement provisions of the FCRA permit a consumer to bring civil suit for willful noncompliance with the FCRA, with no ceiling on punitive damages. The consumer may sue for negligent noncompliance, for actual damages sustained. The consumer may also seek to recover the consumer's attorneys' fees. In addition, criminal penalties may also be assessed including fines and imprisonment against any person who knowingly and willfully obtains a consumer report under false pretenses.

In light of the FTC's concerns over an individual's privacy rights, a credit professional should obtain express written permission to run a consumer credit report. The following type of authorization language should be considered in the credit application and personal guarantee form.

A. FCRA Authorization Contained In Credit Application

A credit professional extending trade credit may consider including the following language in the credit application to authorize obtaining consumer credit reports on the corporation's individual insiders, or LLC's individual members. This language should be included as a separate statement with signature block, or addendum to accompany the credit application, as the party from whom the credit professional seeks authorization is not the same party that signs the credit application. It should be noted that a credit application that provides general authority for the credit professional to pull a consumer credit report on a corporation's officers may be insufficient. Rather, the credit professional should obtain an authorization form from each party on whom a credit report is to be pulled.

The undersigned consents to [insert: Name of Your Business] obtaining a consumer credit report on _________ [insert: name of the sole proprietor/President/Officer of corporation, LLC, partnership] for the purpose of evaluating the creditworthiness of __________ [insert: name of the sole proprietor/President/Officer of corporation, LLC, partnership], in connection with this Application.

B. FCRA Authorization Contained In Personal Guarantee

A credit professional requiring a personal guarantee for extensions of trade credit may consider including the following language in a personal guarantee form to authorize obtaining a consumer credit report from the guarantor.

The undersigned consents to [insert: Name of Your Business] obtaining a consumer credit report on _________ [insert: name of the guarantor] for the purpose of evaluating the creditworthiness of _________ [insert: name of the guarantor], in connection with an application for business credit.

IV. Privacy Commission

In reaction to privacy concerns raised by privacy groups and the states, the U.S. Congress has appointed a commission to make recommendations to Congress on privacy legislation. The commission is a 17-member bipartisan Privacy Protection Commission. Congress has given the commission 18 months to study privacy issues and report to Congress. The commission will consider the need for privacy protection and the purpose for sharing information, as well as existing legislation and regulation.

V. Right to Financial Privacy Act

This federal law prohibits a financial institution from providing the U.S. government access to financial records of its customer, absent consent.

VI. Pending Federal and State Privacy Legislation

The U.S. Congress is considering the following privacy legislation: Consumer Internet Privacy Enhancement Act; Consumer Privacy Protection Act; Consumer Online Privacy and Disclosure Act; and Spyware Control and Privacy Protection Act. In addition, the U.S. Congress is considering a bill to restrict the sale of Social Security numbers. State legislatures are considering over 100 privacy bills.

Privacy Legislation is Only Beginning

A customer's privacy rights are at the forefront of legislation and regulation, and appear to be a hot topic into the future. Courts will be asked to interpret the legislation. As technology continues to shape the electronic credit department and the ease with which customer information may be collected and shared, a credit professional should be mindful of a customer's privacy rights and enactment of new legislation in this area.

Reprinted by permission from Trade Vendor Quarterly Blakeley & Blakeley LLP
Summer 01
