Federal Regulators Release Customizable Version of Model Privacy Notice

Thanks to Elizabeth Khalil in the Hogan & Hartson privacy group for providing this report:

April 15 marked the release of the long-awaited customizable version of the Model Privacy Notice, a form that provides a safe harbor for compliance with the notice requirements of the Gramm-Leach-Bliley Act (GLBA).

The GLBA statute and the privacy rules issued thereunder by the agencies identified below impose obligations on “financial institutions” with regard to “nonpublic personal information.” Institutions subject to GLBA are required to provide initial and annual notices regarding their privacy policies to customers, and must allow their customers to opt out of having their nonpublic personal information shared in certain ways. Financial institutions are also required to provide the notice and opt-out opportunity to “consumers” who are not their customers before sharing their nonpublic personal information.

The customizable form, called the Online Form Builder, was issued jointly by the Board of Governors of the Federal Reserve System (FRB), Commodity Futures Trading Commission (CFTC), Federal Deposit Insurance Corporation (FDIC), Federal Trade Commission (FTC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Securities and Exchange Commission (SEC). The agencies had first issued the Model Privacy Notice regulation on November 17, 2009, culminating a rulemaking process initiated more than six years earlier. However, until April 15, no fillable PDF or other customizable version of the Model Privacy Notice was available. The Online Form Builder was developed by the FRB and is available on the FRB’s website.

The Online Form Builder allows a user to choose the version of the Model Privacy Notice that fits its particular information collection and sharing practices. To obtain the safe harbor, institutions must follow the instructions in the Model Privacy Notice regulation when using the Online Form Builder.

Agencies Issue Model GLBA Form That Provides Safe Harbor

The Gramm-Leach-Bliley Act ("GLBA") requires covered institutions to notify consumers of their information-sharing practices and inform them of their right to opt out of certain sharing practices. For years, people have been complaining that the notices sent to consumers were dense and confusing. Indeed, the Financial Services Regulatory Relief Act of 2006 amended GLBA to require that the financial regulatory agencies propose a succinct, comprehensible model form that would allow consumers to compare easily the privacy practices of different financial institutions, and one that would be easy to read.

Yesterday, after a lengthy drafting process, eight federal regulatory agencies (the Board of Governors of the Federal Reserve System; the Commodity Futures Trading Commission; the Federal Deposit Insurance Corporation; the Federal Trade Commission; the National Credit Union Administration; the Office of the Comptroller of the Currency; the Office of Thrift Supervision; and the Securities and Exchange Commission) released a final model privacy notice form designed to make it easier for consumers to understand how financial institutions collect and share information about consumers. The model form provides standardized language in easy-to-read form.

According to the FTC press release, "the agencies conducted extensive consumer research and testing in developing the model form issued today. Then they solicited public comments and considered those comments in developing a model form that is easier for consumers to understand and use."

The final rule provides that a financial institution that chooses to use the model form obtains a “safe harbor” and will satisfy the disclosure requirements for notices. Here is a link to the FTC announcement of the model form, which contains links to the form and the rule adopting it.

North Carolina and Montana Data Breach Statutes Amendments Now in Effect

Recently enacted amendments to the Montana and North Carolina data breach notification statutes go into effect today, October 1, 2009.

  • North Carolina. The amendment to North Carolina’s statute increases the state’s notification requirements for smaller breaches. Under the amended law, businesses and public agencies are required to notify the state attorney general every time a resident is notified. Prior to the amendment, notification to the state attorney general was only necessary if the breach affected more than 1,000 state residents. In addition, the amendment expands the contents of any notice to residents.
  • Montana. The amendment to Montana’s data breach statute expands the state’s private sector data breach notification statute to cover public-sector entities. State agencies that maintain computerized data containing personal information in a data system must make “reasonable efforts” to notify any person whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person. In addition, the modified law requires state agencies to develop procedures to protect social security numbers.

The amendments to the Montana and North Carolina laws exemplify the growing number of states strengthening their data breach notification laws. It is likely that additional states will join the trend, so compliance will require monitoring amendments.