Whose Financial Information is it Anyway?
With the arrival of the Internet and sharing of a customer's
financial information electronically, a customer's privacy rights to
financial information is now at the forefront of legislation passed,
and pending, by the U.S. Congress and state legislatures. The Federal
Trade Commission, the federal agency that regulates federal privacy
legislation, is active in interpreting this legislation and is concerned
with the unauthorized release of private credit information to third
parties, including the dramatic rise of the crime identity theft. Courts,
including bankruptcy courts, have recently wrestled with the breadth
of a customer's privacy rights and duties owed to customers.
Privacy groups and the press have made privacy rights
a high profile topic. Indeed, according to a Wall Street Journal poll,
Americans view loss of privacy rights as their greatest concern for
the new century. Balancing the breadth of privacy rights and legislation
is a difficult task, as information that is protected under privacy
legislation means groups are denied access to financial information
they believe they have a right to.
Credit professionals and their management must now consider
whether to comply with new privacy legislation and audit their financial
information gathering practices and disclose to customers how the information
is shared. Compliance with the new privacy legislation is estimated
to cost banks, insurance companies and finance companies billions of
dollars. Big Five accounting firms and consulting firms now sell privacy
audits to businesses to comply with privacy legislation and enforcement.
With the arrival of new privacy legislation, it is expected that class
action attorneys will gear up with private cause of action claims against
businesses for tortuous invasion of privacy claims and negligence claims
for failure to keep a customer's private financial information secure.
The essence of recent privacy legislation is to protect
a party from the unauthorized release of private financial information
to third parties. This means that there must now be disclosure by financial
institutions to certain customers of their privacy policy, which includes
disclosing that they collect financial information about the customer,
that their financial information is shared with third parties, and
that the customer may opt out of the sharing of the financial information.
What kind of business must comply with the new privacy
legislation? Does Gramm-Leach- Bliley Act, also known as the Financial
Services Modernization Act ("GLB") apply to a vendor extending
commercial credit? What kind of customers may be protected under this
privacy legislation? Are corporations and LLC's protected under the
privacy legislation? What of sole proprietors? What kind of financial
information is subject to the privacy legislation? Does private information
include information publicly available? How does the privacy legislation
affect the credit professional gathering and exchanging customer information
with other credit professionals? What steps should the credit professional
consider taking to comply with the legislation, especially with the
threat of litigation?
Recently enacted privacy legislation, including the GLB,
is intended to protect the unauthorized release of private financial
information to third parties. However, in a rush to protect privacy
rights, the U.S. Congress has enacted broadly worded legislation that
attempts to protect financial information but may have the unintended
consequence of impeding the sharing of certain account information
as well as collection of commercial debts. The breadth of the new privacy
legislation is starting to be tested in the courts.
I. Gramm-Leach-Bliley Act of 1999/ The Financial Services
Modernization Act/Title V
A. Purpose
GLB repeals the Glass-Steagall Act that separated commercial
banking from other businesses. Under Title V of GLB, extensive privacy
protections and restrictions are imposed on disclosure of information
about certain customers. It also requires that safeguards are in place
to protect a customer's private information.
GLB is a federal statute that applies to all states.
States may adopt their own privacy legislation that imposes even greater
privacy protections. GLB's focus is on protecting the financial information
of the consumer. But what is a "consumer" under) GLB? Does
GLB limit an individual's information to that relating to transactions
for personal, family or household purposes? Does GLB protect the private
financial information of sole proprietors, general partners or individual
guarantors of business debt?
B. Key Terms of GLB
To consider whether GLB applies to a vendor extending
commercial credit, an examination of the key terms of GLB is considered.
The inquiries are: (1) is a vendor a "financial institution" under
GLB?; if so, (2) what kind of customer is protected under GLB?; if
a customer includes a party that obtains commercial credit, then (3)
what kind of information is protected under GLB?; and, finally, (4)
what are the steps to comply with GLB?
1. What is a Financial Institution?
GLB broadly defines "financial institution" as:
"any institution engaged in the business of providing
financial services to customers who maintain a credit . . . relationship
with the institution."
GLB clearly applies to banks, insurance companies and
securities dealers. GLB also appears to apply to finance companies
and mortgage companies. Is a vendor extending trade credit engaging
in the business of providing financial services under GLB? According
to rules set forth by the FTC, a business entity that is not a traditional
financial institution, such as a bank, must be "significantly
engaged" in financial activities before GLB applies. An argument
can be made that a vendor regularly extending trade credit may be significantly
engaged in financial activities.
In a recent court test that considered the breadth of
the definition of Financial Institution, Trans Union credit reporting
service sued the FTC contending it is not a Financial Institution under
GLB. The federal court rejected Trans Union's claim, giving the FTC
discretion to broadly interpret GLB's statutory definitions.
2. What is a Customer Relationship?
A Customer Relationship determines whether the Financial
Institution must comply with privacy notice requirements of GLB. A
Customer Relationship is defined as a continuing relationship between
a Financial Institution and party under which the Financial Institution
provides one or more products that are to be used primarily for personal
purposes. If a Financial Institution does not have a customer relationship,
then notice is required only where there is an intent to disclose nonpublic
information to third parties.
The Federal Reserve and FDIC's commentary suggests that
GLB does not apply to customers of a financial institution that are
corporations or LLC's. The FTC's commentary also suggests that GLB
does not apply to individuals, such as sole proprietors, when they
obtain financial products for business or commercial purposes. Whether
credit extended is for commercial purposes may be analyzed under the
criteria set forth in Regulation Z and the Truth-in- Lending Act.
If a business is a Financial Institution under GLB and
the customer is protected under GLB, the Financial Institution has
a duty to protect the security of a customer's non-public personal
information. A Financial Institution may not disclose non-public personal
information to third parties unless an opt out notice is sent to the
customer.
3. What Information is Covered?
GLB covers non-public personal information, which includes
information resulting from a transaction with the customer. The FTC
views any personally identifiable information provided to a Financial
Institution, even if available from other public sources, covered by
GLB.
An example of the broad interpretation of information
protected under GLB, the Trans Union court ruled that credit bureaus
are barred from selling "credit headers", which are a consumer's
name, address and Social Security number, to marketers. Prior to GLB, "credit
headers" were sold without consent. The FTC views "credit
headers" as "financial information" under GLB Act and
the Trans Union court agreed. Although the credit header does not include
financial information about credit history or bank accounts, the FTC
views that identifiable information provided to the FI, even if available
from public sources, is covered by GLB.
C. Notice Requirements
GLB imposes notice to customers.
1. Initial Notice
GLB requires a Financial Institution to provide an initial
notice to customers of their privacy policy, and if they will disclose
personal information to third parties. The notice should state the
institutions that the Financial Institution will disclose the information
to. The initial notice should also state the security and confidentiality
of a customer's personal information. Electronic notice to a customer
is effective, provided the customer agrees.
2. Annual Notice
In addition to the initial notice requirement, a Financial
Institution is required to provide an annual notice whether personal
information is to be shared. As with the initial notice, electronic
notice is effective, provided the customer agrees. The notice requirements
of privacy policies are intended to allow potential customers the opportunity
to review the privacy policy. Posting a notice on a Web site is acceptable
if the customer agrees.
3. Opt Out/Consent
If the Financial Institution intends to share private
information, it must provide a party with an opportunity to opt out.
The opt out notice provides for consent by the customer to allow the
Financial Institution to share information with third parties. Certain
state agencies are refusing to release information of sole proprietors.
For example, the California State Board of Equalization refuses to
release information of sole proprietors holding licenses or permits,
absent consent from the sole proprietor.
D. Complying with GLB
If GLB applies, the following steps should be considered.
1. Privacy Policy and Notices
The credit professional should consider how customer
information is collected and shared. The credit professional should
have its company adopt a policy as to notification of customers, storing
private information and sharing private information with third parties.
The notice should also provide for customers to opt out of the sharing
of information prior to disclosing to third parties. A customer list
should be maintained listing those that receive initial and annual
notices. Employee access should be limited to customers' private information
and protect against threats to customers' records.
2. Security
In addition to privacy notices, GLB requires a customer's
information is secure. Personal information should be protected by
reasonable security safeguards against such risks as loss or unintended
disclosure of customers' information.
3. Written Manual
The vendor should have a company policy manual advising
of its privacy policy.
4. Training
Train credit and sales as to the privacy policy. GLB
applies to agents of the company cloaked with authority to request
information from applicant. Some companies have employed a Chief Privacy
Officer or an information manager to comply with privacy policy.
5. Credit Application
The credit application should disclose the policy of
gathering and sharing private information with third parties. A signature
block may be added to the credit application to have the customer opt
out of the sharing of information.
6. Guarantee
The personal or corporate guarantee should disclose the
policy of gathering and sharing private information with third parties.
7. Privacy Audit
Big Five accounting firms and consulting firms have launched
specialized units that sell privacy audits to comply with legislation.
Consultants review a company's computer databases to determine how
personal identifiable information is used.
E. Violation of GLB Act
GLB prohibits disclosure of information that is obtained
from the customer by deception. GLB creates liability for anyone who
obtains or discloses information, without knowledge of any inappropriate
conduct. Liability is not limited to the party participating in the
violation, but may extend through the chain of custody of the tainted
information.
1. Defense to Alleged Violation
A possible defense to an alleged violation of GLB is
the doctrine of corporate free speech. A vendor may contend that attempts
to outlaw or restrict the sale or sharing of personal information and
public records violates the First Amendment right to communicate with
customers.
In the Trans Union case, Trans Union's right of corporate
free speech in selling "credit header" information failed.
The court ruled that the FTC's interest in protecting privacy rights
under GLB outweighs Trans Union's First Amendment Rights of commercial
speech.
F. Regulation and Enforcement of GLB Act
1. Private Cause of Action
GLB does not provide for standing for a private cause
of action. However, it may be that private parties will be authorized
to pursue claims under GLB. Traditionally, class action lawyers have
pursued a claim for corporation invasion of privacy. However, prior
to the enactment of GLB, privacy laws protected against invasions by
the government, not by business. GLB may provide class action lawyers
with a fresh approach to invasion of privacy claims. Privacy watchdog
groups have also formed, such as the Privacy Foundation, who investigate
whether businesses are complying with privacy legislation.
2. Public Enforcement
The Federal Trade Commission enforces GLB on behalf of
the government.
3. Penalties and Liabilities
GLB provides for punitive damages, attorneys' fees and
costs. GLB also provides for criminal liability of up to five years.
II. Bankruptcy Privacy Issues
A customer's privacy rights in the context of a bankruptcy
are also being considered by bankruptcy courts, the FTC, privacy groups
and the U.S. Congress.
A. Toysmart.com: Customer Lists and the Privacy Pledge
Problem
A dot-com's customer list may be its most valuable asset,
as the customer list contains information concerning a customer's buying
preferences, names and ages of children, credit card numbers, birth
dates, and other information, which customers may not wish to disclose
to third parties. For years, brick-and-mortar companies have sold their
customer lists as assets in bankruptcy proceedings without objections
by government agencies. However, due to the detailed nature of the
customer list and the dot-com's privacy pledge, its treatment in an
e-bankruptcy may bring conflicting interests with the FTC and State
Attorneys General.
There is no federal privacy law that expressly prohibits
a dot-com from selling its customer list, although the pending Bankruptcy
Reform Act of 2001 proposes to address this. However, a dot-com may
still encounter opposition from federal and state regulatory agencies
in trying to sell its customer list, where privacy was promised by
the dot-com when the customer information was collected.
The dot-com Toysmart.com generated controversy with
its attempts to sell its customer list. Unable to pay its creditors,
Toysmart filed Chapter 11. Toysmart solicited bids for its assets,
which included its customer list, despite a posted privacy statement
promising not to share such information. Toysmart's customer list comprised
250,000 customer names and related information, including addresses,
shopping preferences, order history, billing information, credit card
numbers, family profiles, including information about customers' children.
Toysmart believed the customer list was worth millions of dollars.
Toysmart pledged to its customers that information provided would be
private in an effort to attract traffic to its website:
Privacy Guarantee
[W]e take great pride in our relationships with
our customers and pledge to maintain your privacy while visiting
our site. Personal information voluntarily submitted by visitors
to our site, such as name, address, billing information and shopping
preferences, is never shared with a third party.
Toysmart had its web site's privacy policy certified
by the TRUSTe Privacy Seal Program. Under the privacy seal program,
a customer can protect information by clicking on the seal. Using its
police powers, the FTC sued Toysmart for deceptive trade practice under
Section 5 of the FTC Act, alleging that in attempting to sell its customer
list, Toysmart was breaking its own posted privacy policy and violated
fair trade practices, and that the bankruptcy court should stop any
sale of the customer list. 38 state attorney generals filed objections
with the bankruptcy court also seeking to bar the sale of the list.
The FTC reached a settlement with Toysmart that allowed
the company to sell its customer list, but only if the bidder complied
with the same privacy policy. The creditors' committee of Toysmart
objected to the settlement between Toysmart and the FTC, complaining
that the settlement would chill bidding. The bankruptcy court refused
to accept the deal, instead waiting to see if bidders surfaced. No
company bid for the customer list. Toysmart was paid $50,000 by Disney
to have its customer database destroyed rather than being sold off
to pay creditors.
The privacy pledge issue recently was raised in the e-Toys
Chapter 11 bankruptcy. eToys, an e-tailer, had made a privacy pledge
to its customers that their personal information would remain confidential.
eToys was unable to pay its obligations and filed Chapter 11. eToys
proposed to sell all of its assets to a competitor, including its customer
list. Several State Attorney Generals objected to the sale of the customer
list complaining breach of privacy policy. In a settlement, eToys agreed
that no customer information would go to its competitor without customer
consent. An opt-in notice is sent to customers. eToys will not give
credit card information to the competitor, even for those who opt-in.
The U.S. Congress is expected to pass federal legislation
to protect a consumer's privacy rights on the Internet in the context
of a privacy pledge. States have also stepped-up their interest in
pursuing their own claims under state consumer protection laws. Several
states have proposed laws concerning online privacy. Federal and state
regulatory agencies do not believe that the Bankruptcy Code, as presently
enacted, preempts their police powers to enjoin a dot-com from selling
its customer list where it has made a privacy pledge.
In an attempt to avoid Toysmart's problems of blocking
the sale of a customer list, some dot-com e-tailers have changed their
privacy statement. Amazon now discloses:
In the unlikely event that Amazon.com, or substantially
all of its assets are acquired, customer information will, of course,
be one of the transferred assets.
The new disclosure may allow a dot-com to sell its customer
list should it fall into insolvency, given that the FTC and attorney
generals' claims were based on Toysmart's alleged misrepresentations
to its customers.
However, if the dot-com e-tailer has made a privacy pledge
to its customers like in Toysmart, and attempts to sell its customer
list through bankruptcy, the FTC and state and attorney general will
likely attempt to bar the sale.
B. Information on Bankruptcy Petitions
The Bankruptcy Code requires individual debtors, including
sole proprietors and guarantors of business debt, to provide sensitive
information, including account numbers, social security numbers, tax
returns, balances, income sources and payment histories. A national
electronic database of bankruptcy information has been established
with this detailed information to answer creditor inquiries. As the
bankruptcy courts have gone electronic with their dockets of debtor
cases, creditors have easier access to what is viewed by Congress in
other contexts as private information. A creditor may now use the PACER
electronic network to access information of court cases.
A number of federal courts have put entire civil case
files online. Courts scan filed documents and make them available over
the Internet. Privacy groups are concerned that electronic dockets
create the opportunity for identity theft to commit credit card or
bank fraud. Courts do not have a uniform policy as to public access
to electronic court records. Courts are now considering restricting
certain information on electronic court dockets. The FTC requests that
courts withhold personal information from electronic court dockets.
The Bankruptcy Reform Act of 2001, which still awaits
President Bush's signature, requires even more details concerning an
individual's income and expenses under the "means test",
which conflicts with GLB's privacy protections and what would be publicly
available. The U.S. Congress, the Office of the United States Trustee
and private bankruptcy trustees are wrestling with how to safeguard
tax returns, wage statements and other sensitive data that are supplied
in bankruptcy cases.
C. Bankruptcy Reform Act of 2001
In response to the Toysmart.com privacy pledge problem,
Congress includes a provision in the Bankruptcy Reform Act of 2001
that prohibits companies in bankruptcy from selling their customer
lists to raise money to pay creditors. Rather, a consumer privacy ombudsman
is appointed in a bankruptcy case where a debtor attempts to sell its
customer list. The ombudsman determines whether the customer list may
be sold.
III. Fair Credit Reporting Act
In reaction to concerns over the privacy rights of an
individual's consumer credit report, the FTC recently issued an opinion
as to the application of the Fair Credit Reporting Act (FCRA) to commercial
credit. The FTC states that a vendor must obtain a consumer's consent
prior to pulling a consumer credit report, even for a legitimate business
purpose. The FTC opinion also does not recognize a right to pull a
consumer credit report for a personal guarantee without first obtaining
consent.
The FCRA regulates the use of individual credit reports
and credit information. Generally the collection of business, trade,
and commercial credit reports are not covered by FCRA. The FCRA insures
that credit reporting agencies, and the users of such reports, will
respect a consumer's right to privacy by pulling consumer credit reports
only after express written authorization of the consumer.
The FCRA requires that a credit grantor provide notice
to the consumer if the credit grantor is denying credit, or otherwise
taking adverse action with respect to the credit application, based
upon the information obtained in the credit report. Thus, a credit
grantor will provide notice to the company of the denial of credit;
the credit grantor must also provide notice to the president, shareholder
or guarantor with respect to whom the credit report was obtained.
The private enforcement provisions of the FCRA permit
a consumer to bring civil suit for willful noncompliance with the FCRA,
with no ceiling on punitive damages. The consumer may sue for negligent
noncompliance, for actual damages sustained. The consumer may also
seek to recover the consumer's attorneys' fees. In addition, criminal
penalties may also be assessed including fines and imprisonment against
any person who knowingly and willfully obtains a consumer report under
false pretenses.
In light of the FTC's concerns over an individual's privacy
rights, a credit professional should obtain express written permission
to run a consumer credit report. The following type of authorization
language should be considered in the credit application and personal
guarantee form.
A. FCRA Authorization Contained In Credit Application
A credit professional extending trade credit may consider
including the following language in the credit application to authorize
obtaining consumer credit reports on the corporation's individual insiders,
or LLC's individual members. This language should be included as a
separate statement with signature block, or addendum to accompany the
credit application, as the party that the credit professional seeks
authorization is not the same party that signs the credit application.
It should be noted that a credit application that provides general
authority for the credit professional to pull a consumer credit report
on a corporation's of ficers may be insufficient. Rather, the credit
professional should obtain an authorization form from each party that
a credit application is to be pulled.
The undersigned consents to [insert: Name of Your Business]
obtaining a consumer credit report on _________ [insert??name of
the sole proprietor/ President/Officer of corporation, LLC, partnership]
for the purpose of evaluating the creditworthiness of __________
[insert??name of the sole proprietor/ President/Officer of corporation,
LLC, partnership], in connection with this Application.
B. FCRA Authorization Contained In Personal Guarantee
A credit professional requiring a personal guarantee
for extensions of trade credit may consider including the following
language in a personal guarantee form to authorize obtaining a consumer
credit report from the guarantor.
The undersigned consents to [insert: Name of Your Business]
obtaining a consumer credit report on _________ [insert??name of
the guarantor] for the purpose of evaluating the creditworthiness
of _________ [insert??name of the guarantor], in connection with
an application for business credit.
IV. Privacy Commission
In reaction to privacy concerns raised by privacy groups
and the states, the U.S. Congress has appointed a commission to make
recommendations to Congress on privacy legislation. The commission
comprises a 17 member bipartisan Privacy Protection Commission. Congress
has given the commission 18 months to study privacy issues and report
to Congress. The commission will consider the need for privacy protection
and the purpose for sharing information, as well as existing legislation
and regulation.
V. Right to Financial Privacy Act
This federal law prohibits a financial institution from
providing the U.S. government access to financial records of its customer,
absent consent.
VI. Pending Federal and State Privacy Legislation
The U.S. Congress is considering the following privacy
legislation: Consumer Internet Privacy Enhancement Act; Consumer Privacy
Protection Act; Consumer Online Privacy and Disclosure Act; and Spyware
Control and Privacy Protection Act. In addition, the U.S. Congress
is considering a bill to restrict the sale of Social Security numbers.
State legislatures are considering over 100 privacy bills.
Privacy Legislation is Only Beginning
A customer's privacy rights are at the forefront of legislation
and regulation, and appear a hot topic into the future. Courts will
be asked to interpret the legislation. As technology continues to shape
the electronic credit department and the ease in which customer information
may be collected and shared, a credit professional should be mindful
of a customer's privacy rights and enactment of new legislation in
this area.
Reprinted by permission from Trade Vendor Quarterly Blakeley & Blakeley
LLP
Summer 01
|