Financial Services Industry Group Issues Social Media Guidance

A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns.  The guidance, titled "Social Media Risks and Mitigation," was released this week by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies.  The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks.  These risks are discussed in the context of three types of social media use:

  • By a financial institution to communicate with or service the financial institution's customers
  • By the financial institution's employees in their personal or professional capacities
  • By the financial institution's employees or contractors outside the office

The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media, but still lacks clear rules from regulators regarding such activities.  While FINRA has issued guidance on use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media.

Also, while targeted at the financial services sector, the report has relevance to many other types of users of social media.  It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and on performing a risk assessment to determine the risks a company's social media activities could pose.

FinCEN Considers Proposed Rule to Require Reporting of Cross-Border Electronic Fund Transfers

Comments are due December 29 on a proposal that would require banks and money transmitters to report information to the U.S. government regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.  

On September 30, 2010, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, published a Notice of Proposed Rulemaking (NPRM) for public comment.  The proposal would amend Bank Secrecy Act (BSA) regulations to add two new requirements.  First, banks and money transmitters would be required to report transmittal information on cross-border electronic transmittals of funds (CBETFs) on an ongoing basis; banks would have to report transfers of any amount, while money transmitters would have to report transfers of at least $1,000.  For reportable transactions of $3,000 or more, money transmitters would have to include in the report the taxpayer identification number (TIN), alien identification number, or passport number of the transmitter or recipient.  Second, the proposal would require all banks to file an annual report with FinCEN of the account numbers and TINs associated with each account that initiated or received a CBETF.

The information that would be reported is largely information that banks and money transmitters already collect, even though they currently are not required to report it as they would be under the proposed rule.

The proposal is aimed at furthering the government’s efforts to combat money laundering, terrorist financing, and other violations of law such as tax evasion and customs fraud.  The reports, FinCEN asserts, would greatly facilitate the ability of authorities to investigate and prosecute such activity.  The reports would be submitted to FinCEN, but could be accessed by other federal and state authorities.  This is already the case with other data currently collected pursuant to BSA.   

However, the affirmative reporting of information on all CBETFs – including account numbers and TINs – would be a significant change.  FinCEN would be given the Social Security number of every individual that uses a U.S. bank to either send or receive funds electronically across U.S. borders, and of many other persons that use money transmitters for such transfers.  This raises possible privacy and data security concerns – due both to the fact of the government having such data and to the need to prevent improper access to or misuse of the data.    

FinCEN has acknowledged the privacy and security concerns raised by the proposal and states that it will maintain sufficient procedures to keep such information safe and secure.   The data, FinCEN observes in the NPRM, “is highly sensitive data containing details about the financial activity of private persons.  Without proper safeguards, this data could be at risk of inadvertent or deliberate disclosure or misuse[.]” 

FinCEN is statutorily prohibited from issuing a final rule until it has established adequate, secure systems to accept the required reports.  For that reason, FinCEN does not expect to issue a final rule before January 1, 2012, because it does not expect to have the information technology systems in place to accept the reports before that time.  Even after a final rule is issued, FinCEN anticipates delaying the mandatory compliance date for some period to allow time for financial institutions to implement procedures to comply with the rule.

CFTC Proposes Rules on Affiliate Marketing, Data Disposal, and GLBA Privacy

On October 27, the Commodity Futures Trading Commission (CFTC) published two Notices of Proposed Rulemaking (NPRMs) proposing privacy rules under the Gramm-Leach-Bliley Act (GLBA) and affiliate marketing and data disposal rules under the Fair Credit Reporting Act (FCRA).

The rulemakings were prompted by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

The CFTC, an independent federal agency, maintains oversight over the commodity and financial futures and options markets.  The Dodd-Frank Act creates two new categories of entities that are subject to CFTC jurisdiction:  “swap dealers” and “major swap participants.”  Thus, the CFTC has proposed that those two types of entities would explicitly be subject to the CFTC’s existing GLBA privacy rules, first issued in 2001. Those rules impose certain obligations regarding the treatment of consumers' nonpublic personal information - in particular, restricting the ability of a covered entity to disclose such information to a party not affiliated with that entity. 

The CFTC’s second NPRM proposes to implement sections of FCRA dealing with affiliate marketing and data disposal.  The CFTC's proposed affiliate marketing rule would closely resemble the affiliate marketing rules issued by the Federal Trade Commission and the federal banking agencies in late 2007. While the CFTC has joined those agencies in other rulemakings, it did not join that particular rulemaking.  However, the Dodd-Frank Act specifically authorizes the CFTC to issue rules implementing the affiliate marketing and data disposal provisions of FCRA.

As with the other agencies' affiliate marketing rules, under the proposed rule an entity generally could not use a consumer's "eligibility information" received from an affiliate to make marketing solicitations to that consumer unless the consumer had first been given notice that such marketing may occur, a reasonable opportunity to opt-out of such use, and had not opted out. 

The disposal rule would require entities subject to CFTC jurisdiction that possess or maintain consumer information to develop and implement written policies and procedures for the proper safeguarding and disposal of such information.  The policies and procedures would be required to address, among other things, administrative, technical, and physical safeguards for consumer information, including protections against unauthorized access to or use of such information in connection with its disposal.  Such requirements are similar to the disposal rules issued by the FTC and federal banking agencies in 2004.

The CFTC is proposing to make the rules effective on July 21, 2011, the planned "transfer date" on which certain authority over consumer protection matters is to be transferred from other federal agencies to the Consumer Financial Protection Bureau created by Dodd-Frank. 

Public comments are due on each proposal by December 27, 2010.

FDIC Requires Banks to Adopt Policies on Disposal of Information Stored on Office Equipment

On September 15th, the Federal Deposit Insurance Corporation (FDIC) issued guidance (Financial Institution Letter FIL-56-2010, "FDIC Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers") urging banks under its supervision to ensure that they have written policies for the erasure or destruction of sensitive or confidential customer information stored in photocopiers, fax machines, or printers.  Such storage may occur when the device's hard drive or flash memory stores digital images of documents that were photocopied, faxed, or printed using the device.

This is a particular concern for banks that lease office equipment - which may be used to process a significant amount of confidential information relating to financial transactions - and then return the equipment or sell it to another party.  If the memory of such devices is left intact, it is possible that such a third party could access data constituting "nonpublic personal information" under the Gramm-Leach-Bliley Act, such as information in consumers' loan applications or account statements, or other confidential information.

FDIC-supervised banks must, therefore, implement written policies and procedures to ensure that a hard drive or flash memory in office equipment containing sensitive data is erased, encrypted or destroyed prior to the device being returned to a leasing company, sold, or otherwise disposed of.  If the bank chooses to erase or encrypt the hard drive rather than destroy it, the bank should ensure that the method used will render the information on the disk unrecoverable.

While FIL-56-2010 applies only to banks supervised by the FDIC, all financial institutions are required to ensure the proper safeguarding and disposal of customer information.  Therefore, even non-FDIC-supervised financial institutions would be well advised to consider and implement the guidance contained in FIL-56-2010.

FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered red flag rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees as well as certain other small businesses. 
The further delay comes as FTC Chairman Leibowitz acknowledges the Rule's shortcomings: “Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly.”

As previously covered in the Chronicle, the last delay occurred on October 30, 2009, when the FTC announced it would not begin enforcing the rule until June 1, 2010. That delay followed the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers. It also followed the House of Representatives' unanimous passage in late October of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule. Subsequently, in November 2009, the American Institute of Certified Public Accountants (AICPA) filed a lawsuit against the FTC challenging the applicability of the Red Flag Rule to Certified Public Accountants.

Now the Red Flag Rule is facing a new legal challenge. On May 21, 2010, the American Medical Association (AMA), the American Osteopathic Association and the Medical Society of the District of Columbia filed a lawsuit against the FTC in the U.S. District Court for the District of Columbia challenging the Red Flag Rule and citing the court’s earlier decision regarding the applicability of the Rule to lawyers. In the latest lawsuit, these medical organizations argue that the Rule, which is applicable to financial institutions and creditors, unjustifiably "treats physician practices like banks, credit card companies and mortgage lenders."
Federal Regulators Release Customizable Version of Model Privacy Notice

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report:

April 15 marked the release of the long-awaited customizable version of the Model Privacy Notice, a form that provides a safe harbor for compliance with the notice requirements of the Gramm-Leach-Bliley Act (GLBA).

The GLBA statute and the privacy rules issued thereunder by the agencies named below impose obligations on “financial institutions” with regard to “nonpublic personal information.” Institutions subject to GLBA are required to provide initial and annual notices regarding their privacy policies to customers, and must allow their customers to opt out of having their nonpublic personal information shared in certain ways. Financial institutions are also required to provide the notice and opt-out opportunity to “consumers” who are not their customers before sharing their nonpublic personal information.

The customizable form, called the Online Form Builder, was issued jointly by the Board of Governors of the Federal Reserve System (FRB), Commodity Futures Trading Commission (CFTC), Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Securities and Exchange Commission (SEC). The agencies had first issued the Model Privacy Notice regulation on November 17, 2009, culminating a rulemaking process initiated more than six years earlier. However, until April 15, no fillable PDF or other customizable version of the Model Privacy Notice was available. The Online Form Builder was developed by the FRB and is available on the FRB’s website.

The Online Form Builder allows a user to choose the version of the Model Privacy Notice that fits its particular information collection and sharing practices. To obtain the safe harbor, institutions must follow the instructions in the Model Privacy Notice regulation when using the Online Form Builder.

FTC Delays Enforcement of Red Flags Rule for Fourth Time

The Federal Trade Commission (FTC) announced today that it is delaying enforcement of its FACTA Red Flags Rule until June 1, 2010 “[a]t the request of Congress.”  This is the fourth time the FTC has delayed the controversial red flags rule and it follows shortly on the heels of the U.S. District Court for the District of Columbia's ruling that the Red Flags Rule does not apply to lawyers.  It also follows the House of Representatives' unanimous passage last week of HR 3763, which proposes to amend FCRA to exempt certain small businesses from the Red Flags Rule.  The FTC's Red Flags Rule has been marred by confusion and uncertainty since it was proposed in July 2006.