Difference between revisions of "Gramm Leach Bliley Act"

From Privacy Wiki
{{Law
|Short title=Gramm–Leach–Bliley Act (GLBA)
|Official text=https://www.govinfo.gov/content/pkg/STATUTE-113/pdf/STATUTE-113-Pg1338.pdf
|Country/Jurisdiction=United States
|Regulatory bodies=FTC
|Date enacted=1999/11/12
|Scope of the law=Financial Institutions
|Short summary introduction=The Gramm–Leach–Bliley Act (GLBA) entitles customers to have their information kept secure by the financial institutions that hold it. The Act also prevents financial institutions from disclosing individuals' confidential nonpublic personal information. However, individuals have the right to choose whether that information is disclosed under the Act.
|Text of the law=:{{SectionHarm|Section=SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION.|Harms=Insecurity, Breach of Confidentiality}}
::(a) Privacy Obligation Policy.--It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.
::(b) Financial Institutions Safeguards.--In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards--
:::{{SectionPersonalInformation|Section=(1) to insure the security and confidentiality of customer records and information;|Personal=Account, Identifying}}
:::(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
:::(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
:SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL INFORMATION.
::{{SectionHarm|Section=(a) NOTICE REQUIREMENTS.—Except as otherwise provided in this subtitle, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 503.|Harms=Exclusion, Disclosure}}
::{{SectionHarm|Section=(b) OPT OUT.—|Harms=Exclusion, Disclosure}}
:::(1) IN GENERAL.—A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless—
::::(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be disclosed to such third party;
::::(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and
::::{{SectionHarm|Section=(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.|Harms=Exclusion}}
:::(2) EXCEPTION.—This subsection shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution’s own products or services, or financial products or services offered pursuant to joint agreements between two or more financial institutions that comply with the requirements imposed by the regulations prescribed under section 504, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.
::(c) LIMITS ON REUSE OF INFORMATION.—Except as otherwise provided in this subtitle, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.
::(d) LIMITATIONS ON THE SHARING OF ACCOUNT NUMBER INFORMATION FOR MARKETING PURPOSES.—A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
::(e) GENERAL EXCEPTIONS.—Subsections (a) and (b) shall not prohibit the disclosure of nonpublic personal information—
:::(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with—
::::(A) servicing or processing a financial product or service requested or authorized by the consumer;
::::(B) maintaining or servicing the consumer’s account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
::::(C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;
:::(2) with the consent or at the direction of the consumer;
:::(3)(A) to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, the service or product, or the transaction therein; (B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (C) for required institutional risk control, or for resolving customer disputes or inquiries; (D) to persons holding a legal or beneficial interest relating to the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
:::(4) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors;
:::(5) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978, to law enforcement agencies (including a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, United States Code, and chapter 2 of title I of Public Law 91–508 (12 U.S.C. 1951–1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
:::(6)(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act, or (B) from a consumer report reported by a consumer reporting agency;
:::(7) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
:::(8) to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.
:SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL AFFILIATES.
::{{SectionHarm|Section=(a) IN GENERAL.—The Secretary of the Treasury, in conjunction with the Federal functional regulators and the Federal Trade Commission, shall conduct a study of information sharing practices among financial institutions and their affiliates. Such study shall include—|Harms=Insecurity}}
:::(1) the purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties;
:::(2) the extent and adequacy of security protections for such information;
:::(3) the potential risks for customer privacy of such sharing of information;
:::(4) the potential benefits for financial institutions and affiliates of such sharing of information;
:::(5) the potential benefits for customers of such sharing of information;
:::(6) the adequacy of existing laws to protect customer privacy;
:::(7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law;
:::(8) the feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and
:::(9) the feasibility of restricting sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.
:{{SectionHarm|Section=SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.|Harms=Disclosure, Distortion}}
::(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY FALSE PRETENSES.—It shall be a violation of this subtitle for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person—
:::(1) by making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial institution;
:::(2) by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution; or
:::(3) by providing any document to an officer, employee, or agent of a financial institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.
::{{SectionPersonalInformation|Section=(b) PROHIBITION ON SOLICITATION OF A PERSON TO OBTAIN CUSTOMER INFORMATION FROM FINANCIAL INSTITUTION UNDER FALSE PRETENSES.—It shall be a violation of this subtitle to request a person to obtain customer information of a financial institution, knowing that the person will obtain, or attempt to obtain, the information from the institution in any manner described in subsection (a).|Personal=Account, Transactional}}
::(c) NONAPPLICABILITY TO LAW ENFORCEMENT AGENCIES.—No provision of this section shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, to obtain customer information of a financial institution in connection with the performance of the official duties of the agency.
::{{SectionHarm|Section=(d) NONAPPLICABILITY TO FINANCIAL INSTITUTIONS IN CERTAIN CASES.—No provision of this section shall be construed so as to prevent any financial institution, or any officer, employee, or agent of a financial institution, from obtaining customer information of such financial institution in the course of—|Harms=Insecurity}}
:::(1) testing the security procedures or systems of such institution for maintaining the confidentiality of customer information;
:::(2) investigating allegations of misconduct or negligence on the part of any officer, employee, or agent of the financial institution; or
:::(3) recovering customer information of the financial institution which was obtained or received by another person in any manner described in subsection (a) or (b).
::(e) NONAPPLICABILITY TO INSURANCE INSTITUTIONS FOR INVESTIGATION OF INSURANCE FRAUD.—No provision of this section shall be construed so as to prevent any insurance institution, or any officer, employee, or agency of an insurance institution, from obtaining information as part of an insurance investigation into criminal activity, fraud, material misrepresentation, or material nondisclosure that is authorized for such institution under State law, regulation, interpretation, or order.
::(f) NONAPPLICABILITY TO CERTAIN TYPES OF CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.—No provision of this section shall be construed so as to prevent any person from obtaining customer information of a financial institution that otherwise is available as a public record filed pursuant to the securities laws (as defined in section 3(a)(47) of the Securities Exchange Act of 1934).
::(g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS.—No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.
:{{SectionHarm|Section=SEC. 503. DISCLOSURE OF INSTITUTION PRIVACY POLICY.|Harms=Exclusion, Insecurity}}
::(a) Disclosure Required.--At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, of such financial institution's policies and practices with respect to--
:::(1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed;
:::(2) disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution; and
:::(3) protecting the nonpublic personal information of consumers.
::Such disclosures shall be made in accordance with the regulations prescribed under section 504.
::(b) Information To Be Included.--The disclosure required by subsection (a) shall include--
:::(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 502 of this subtitle, and including--
::::(A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 502(e); and
::::(B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution;
:::(2) the categories of nonpublic personal information that are collected by the financial institution;
:::(3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 501; and
:::(4) the disclosures required, if any, under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act.
:SEC. 504. RULEMAKING.
::(a) Regulatory Authority.--
:::(1) Rulemaking.--The Federal banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the Securities and Exchange Commission, and the Federal Trade Commission shall each prescribe, after consultation as appropriate with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, such regulations as may be necessary to carry out the purposes of this subtitle with respect to the financial institutions subject to their jurisdiction under section 505.
:::(2) Coordination, consistency, and comparability.--Each of the agencies and authorities required under paragraph (1) to prescribe regulations shall consult and coordinate with the other such agencies and authorities for the purposes of assuring, to the extent possible, that the regulations prescribed by each such agency and authority are consistent and comparable with the regulations prescribed by the other such agencies and authorities.
:::(3) Procedures and deadline.--Such regulations shall be prescribed in accordance with applicable requirements of title 5, United States Code, and shall be issued in final form not later than 6 months after the date of the enactment of this Act.
::(b) Authority To Grant Exceptions.--The regulations prescribed under subsection (a) may include such additional exceptions to subsections (a) through (d) of section 502 as are deemed consistent with the purposes of this subtitle.
:SEC. 505. ENFORCEMENT.
::(a) In General.--This subtitle and the regulations prescribed thereunder shall be enforced by the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission with respect to financial institutions and other persons subject to their jurisdiction under applicable law, as follows:
:::(1) Under section 8 of the Federal Deposit Insurance Act, in the case of--
::::(A) national banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Office of the Comptroller of the Currency;
::::(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act, and bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Governors of the Federal Reserve System;
::::(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Directors of the Federal Deposit Insurance Corporation; and
::::(D) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Director of the Office of Thrift Supervision.
:::(2) Under the Federal Credit Union Act, by the Board of the National Credit Union Administration with respect to any federally insured credit union, and any subsidiaries of such an entity.
:::(3) Under the Securities Exchange Act of 1934, by the Securities and Exchange Commission with respect to any broker or dealer.
:::(4) Under the Investment Company Act of 1940, by the Securities and Exchange Commission with respect to investment companies.
:::(5) Under the Investment Advisers Act of 1940, by the Securities and Exchange Commission with respect to investment advisers registered with the Commission under such Act.
:::(6) Under State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled, subject to section 104 of this Act.
:::(7) Under the Federal Trade Commission Act, by the Federal Trade Commission for any other financial institution or other person that is not subject to the jurisdiction of any agency or authority under paragraphs (1) through (6) of this subsection.
::(b) Enforcement of Section 501.--
:::(1) In general.--Except as provided in paragraph (2), the agencies and authorities described in subsection (a) shall implement the standards prescribed under section 501(b) in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act are implemented pursuant to such section.
:::(2) Exception.--The agencies and authorities described in paragraphs (3), (4), (5), (6), and (7) of subsection (a) shall implement the standards prescribed under section 501(b) by rule with respect to the financial institutions and other persons subject to their respective jurisdictions under subsection (a).
::(c) Absence of State Action.--If a State insurance authority fails to adopt regulations to carry out this subtitle, such State shall not be eligible to override, pursuant to section 47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the insurance customer protection regulations prescribed by a Federal banking agency under section 47(a) of such Act.
::(d) Definitions.--The terms used in subsection (a)(1) that are not defined in this subtitle or otherwise defined in section 3(s) of the Federal Deposit Insurance Act shall have the same meaning as given in section 1(b) of the International Banking Act of 1978.
:SEC. 506. PROTECTION OF FAIR CREDIT REPORTING ACT.
::(a) Amendment.--Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s) is amended--
:::(1) in subsection (d), by striking everything following the end of the second sentence; and
:::(2) by striking subsection (e) and inserting the following:
:::: ``(e) Regulatory Authority.--
::::: ``(1) The Federal banking agencies referred to in paragraphs (1) and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraphs (1) and (2) of subsection (b), and the Board of Governors of the Federal Reserve System shall have authority to prescribe regulations consistent with such joint regulations with respect to bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies.
::::: ``(2) The Board of the National Credit Union Administration shall prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraph (3) of subsection (b).''.
::(b) Conforming Amendment.--Section 621(a) of the Fair Credit Reporting Act (15 U.S.C. 1681s(a)) is amended by striking paragraph (4).
::(c) Relation <<NOTE: 15 USC 6806.>> to Other Provisions.--Except for the amendments made by subsections (a) and (b), nothing in this title shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act, and no inference shall be drawn on the basis of the provisions of this title regarding whether information is transaction or experience information under section 603 of such Act.
:SEC. 507. RELATION TO STATE LAWS.
::(a) In General.--This subtitle and the amendments made by this subtitle shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.
::(b) Greater Protection Under State Law.--For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle and the amendments made by this subtitle, as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 505(a) of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.
:SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL AFFILIATES.
::(a) In General.--The Secretary of the Treasury, in conjunction with the Federal functional regulators and the Federal Trade Commission, shall conduct a study of information sharing practices among financial institutions and their affiliates. Such study shall include--
:::(1) the purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties;
:::(2) the extent and adequacy of security protections for such information;
:::(3) the potential risks for customer privacy of such sharing of information;
:::(4) the potential benefits for financial institutions and affiliates of such sharing of information;
:::(5) the potential benefits for customers of such sharing of information;
:::(6) the adequacy of existing laws to protect customer privacy;
:::(7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law;
:::(8) the feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and
:::(9) the feasibility of restricting sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.
::(b) Consultation.--The Secretary shall consult with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, and also with financial services industry, consumer organizations and privacy groups, and other representatives of the general public, in formulating and conducting the study required by
+
subsection (a).
services industry, consumer organizations and privacy groups, and
+
::(c) Report.--On <<NOTE: Deadline.>> or before January 1, 2002, the  
other representatives of the general public, in formulating and
+
Secretary shall submit a report to the Congress containing the findings  
conducting the study required by subsection (a).
+
and conclusions of the study required under subsection (a), together  
 
+
with such recommendations for legislative or administrative action as  
(c) REPORT.—On or before January 1, 2002, the Secretary shall
 
submit a report to the Congress containing the findings and conclusions of the study required under subsection (a), together with
 
such recommendations for legislative or administrative action as
 
 
may be appropriate.
 
may be appropriate.
 
+
:SEC. 509. DEFINITIONS.
Subtitle B-
+
:As used in this subtitle:
 
+
:::(1) Federal banking agency.--The term ``Federal banking agency'' has the same meaning as given in section 3 of the Federal Deposit Insurance Act.
SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF
+
:::(2) Federal functional regulator.--The term ``Federal functional regulator'' means--
FINANCIAL INSTITUTIONS.
+
::::(A) the Board of Governors of the Federal Reserve System;
 
+
::::(B) the Office of the Comptroller of the Currency;
(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY
+
::::(C) the Board of Directors of the Federal Deposit Insurance Corporation;
FALSE PRETENSES.—It shall be a violation of this subtitle for any
+
::::(D) the Director of the Office of Thrift Supervision;
person to obtain or attempt to obtain, or cause to be disclosed
+
::::(E) the National Credit Union Administration Board; and
or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person—
+
::::(F) the Securities and Exchange Commission.
 
+
:::(3) Financial institution.--
(1) by making a false, fictitious, or fraudulent statement
+
::::(A) In general.--The term ``financial institution'' means any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.
or representation to an officer, employee, or agent of a financial
+
::::(B) Persons subject to cftc regulation.-- Notwithstanding subparagraph (A), the term ``financial institution'' does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act.
institution;
+
::::(C) Farm credit institutions.--Notwithstanding subparagraph (A), the term ``financial institution'' does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.
 
+
::::(D) Other secondary market institutions.--Notwithstanding subparagraph (A), the term ``financial institution'' does not include institutions chartered by Congress specifically to engage in transactions described in section 502(e)(1)(C), as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
(2) by making a false, fictitious, or fraudulent statement
+
:::(4) Nonpublic personal information.--
or representation to a customer of a financial institution; or
+
::::(A) The term ``nonpublic personal information'' means personally identifiable financial information--
 
+
:::::(i) provided by a consumer to a financial institution;
(3) by providing any document to an officer, employee,
+
:::::(ii) resulting from any transaction with the consumer or any service performed for the consumer; or
or agent of a financial institution, knowing that the document
+
:::::(iii) otherwise obtained by the financial institution.
is forged, counterfeit, lost, or stolen, was fraudulently obtained,
+
:::(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 504.
or contains a false, fictitious, or fraudulent statement or representation.
+
:::(C) Notwithstanding subparagraph (B), such term--
 
+
:::::(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but
(b) PROHIBITION ON SOLICITATION OF A PERSON TO OBTAIN
+
:::::(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.
CUSTOMER INFORMATION FROM FINANCIAL INSTITUTION UNDER
+
:::(5) Nonaffiliated third party.--The term ``nonaffiliated third party'' means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution.
FALSE PRETENSES.—It shall be a violation of this subtitle to request
+
:::(6) Affiliate.--The term ``affiliate'' means any company that controls, is controlled by, or is under common control with another company.
a person to obtain customer information of a financial institution,
+
:::(7) Necessary to effect, administer, or enforce.--The term ``as necessary to effect, administer, or enforce the transaction'' means--
knowing that the person will obtain, or attempt to obtain, the
+
::::(A) the disclosure is required, or is a usual, appropriate, or acceptable method, to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes--
information from the institution in any manner described in subsection (a).
+
:::::(i) providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product; and
 
+
:::::(ii) the accrual or recognition of incentives or bonuses associated with the transaction that are provided by the financial institution or any other party;
(c) NONAPPLICABILITY TO LAW ENFORCEMENT AGENCIES.—No
+
::::(B) the disclosure is required, or is one of the lawful or appropriate methods, to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction, or providing the product or service;
provision of this section shall be construed so as to prevent any
+
::::(C) the disclosure is required, or is a usual, appropriate, or acceptable method, for insurance underwriting at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: Account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law; or
action by a law enforcement agency, or any officer, employee, or
+
::::(D) the disclosure is required, or is a usual, appropriate or acceptable method, in connection with--
agent of such agency, to obtain customer information of a financial
+
:::::(i) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means;
institution in connection with the performance of the official duties
+
:::::(ii) the transfer of receivables, accounts or interests therein; or
of the agency.
+
:::::(iii) the audit of debit, credit or other payment information.
 
+
:::(8) State insurance authority.--The term ``State insurance authority'' means, in the case of any person engaged in providing insurance, the State insurance authority of the State in which the person is domiciled.
(d) NONAPPLICABILITY TO FINANCIAL INSTITUTIONS IN CERTAIN
+
:::(9) Consumer.--The term ``consumer'' means an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.
CASES.—No provision of this section shall be construed so as to
+
:::(10) Joint agreement.--The term ``joint agreement'' means a formal written contract pursuant to which two or more financial institutions jointly offer, endorse, or sponsor a financial product or service, and as may be further defined in the regulations prescribed under section 504.
prevent any financial institution, or any officer, employee, or agent
+
:::(11) Customer <<NOTE: Regulations.>> relationship.--The term ``time of establishing a customer relationship'' shall be defined by the regulations prescribed under section 504, and shall, in the case of a financial institution engaged in extending credit directly to consumers to finance purchases of goods or services, mean the time of establishing the credit relationship with the consumer.
of a financial institution, from obtaining customer information of
+
:SEC. 510. EFFECTIVE DATE.
such financial institution in the course of—
+
::This subtitle shall take effect 6 months after the date on which
 
+
rules are required to be prescribed under section 504(a)(3), except--
(1) testing the security procedures or systems of such
+
:::(1) to the extent that a later date is specified in the rules prescribed under section 504; and
institution for maintaining the confidentiality of customer
+
:::(2) that sections 504 and 506 shall be effective upon
information;
+
enactment.
 
+
:SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.
(2) investigating allegations of misconduct or negligence
+
::(a) Prohibition on Obtaining Customer Information by False
on the part of any officer, employee, or agent of the financial
+
Pretenses.--It shall be a violation of this subtitle for any person to
institution; or
+
obtain or attempt to obtain, or cause to be disclosed or attempt to
 
+
cause to be disclosed to any person, customer information of a financial
(3) recovering customer information of the financial institution which was obtained or received by another person in any
+
institution relating to another person--
manner described in subsection (a) or (b).
+
:::(1) by making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial institution;
 
+
:::(2) by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution; or
(e) NONAPPLICABILITY TO INSURANCE INSTITUTIONS FOR INVESTIGATION OF INSURANCE FRAUD.—No provision of this section shall
+
:::(3) by providing any document to an officer, employee, or agent of a financial institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.
be construed so as to prevent any insurance institution, or any
+
::(b) Prohibition on Solicitation of a Person To Obtain Customer
officer, employee, or agency of an insurance institution, from
+
Information From Financial Institution Under False Pretenses.--It shall
obtaining information as part of an insurance investigation into
+
be a violation of this subtitle to request a person to obtain customer
criminal activity, fraud, material misrepresentation, or material
+
information of a financial institution, knowing that the person will
nondisclosure that is authorized for such institution under State
+
obtain, or attempt to obtain, the information from the institution in
law, regulation, interpretation, or order.
+
any manner described in subsection (a).
 
+
::(c) Nonapplicability to Law Enforcement Agencies.--No provision of
(f) NONAPPLICABILITY TO CERTAIN TYPES OF CUSTOMER
+
this section shall be construed so as to prevent any action by a law
INFORMATION OF FINANCIAL INSTITUTIONS.—No provision of this
+
enforcement agency, or any officer, employee, or agent of such agency,  
section shall be construed so as to prevent any person from
+
to obtain customer information of a financial institution in connection
obtaining customer information of a financial institution that otherwise is available as a public record filed pursuant to the securities
+
with the performance of the official duties of the agency.
laws (as defined in section 3(a)(47) of the Securities Exchange
+
::(d) Nonapplicability to Financial Institutions in Certain Cases.--No
Act of 1934).
+
provision of this section shall be construed so as to prevent any
 
+
financial institution, or any officer, employee, or agent of a financial
(g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS.—No provision of this section shall be construed to prevent
+
institution, from obtaining customer information of such financial
any State-licensed private investigator, or any officer, employee,
+
institution in the course of--
or agent of such private investigator, from obtaining customer
+
:::(1) testing the security procedures or systems of such institution for maintaining the confidentiality of customer information;
information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have
+
:::(2) investigating allegations of misconduct or negligence on the part of any officer, employee, or agent of the financial institution; or
been delinquent in his or her obligations by a Federal or State
+
:::(3) recovering customer information of the financial institution which was obtained or received by another person in any manner described in subsection (a) or (b).
court, and to the extent that such action by a State-licensed private
+
::(e) Nonapplicability to Insurance Institutions for Investigation of
investigator is not unlawful under any other Federal or State law
+
Insurance Fraud.--No provision of this section shall be construed so as
or regulation, and has been authorized by an order or judgment
+
to prevent any insurance institution, or any officer, employee, or
of a court of competent jurisdiction.SEC. 522. ADMINISTRATIVE ENFORCEMENT.
+
agency of an insurance institution, from obtaining information as part
(a) ENFORCEMENT BY FEDERAL TRADE COMMISSION.—Except
+
of an insurance investigation into criminal activity, fraud, material
as provided in subsection (b), compliance with this subtitle shall
+
misrepresentation, or material nondisclosure that is authorized for such
be enforced by the Federal Trade Commission in the same manner
+
institution under State law, regulation, interpretation, or order.
and with the same power and authority as the Commission has
+
::(f) Nonapplicability to Certain Types of Customer Information of
under the Fair Debt Collection Practices Act to enforce compliance
+
Financial Institutions.--No provision of this section shall be construed
with such Act.
+
so as to prevent any person from obtaining customer information of a
 
+
financial institution that otherwise is available as a public record
(b) ENFORCEMENT BY OTHER AGENCIES IN CERTAIN CASES.—
+
filed pursuant to the securities laws (as defined in section 3(a)(47) of
 
+
the Securities Exchange Act of 1934).
(1) IN GENERAL.—Compliance with this subtitle shall be
+
::(g) Nonapplicability to Collection of Child Support Judgments.--No
enforced under—
+
provision of this section shall be construed to prevent any State-
 
+
licensed private investigator, or any officer, employee, or agent of
(A) section 8 of the Federal Deposit Insurance Act,
+
such private investigator, from obtaining customer information of a
in the case of—
+
financial institution, to the extent reasonably necessary to collect
 
+
child support from a person adjudged to have been delinquent in his or
(i) national banks, and Federal branches and Federal agencies of foreign banks, by the Office of the
+
her obligations by a Federal or State court, and to the extent that such
Comptroller of the Currency;
+
action by a State-licensed private investigator is not unlawful under
 
+
any other Federal or State law or regulation, and has been authorized by
(ii) member banks of the Federal Reserve System
+
an order or judgment of a court of competent jurisdiction.
(other than national banks), branches and agencies
+
|Categories of personal information covered=Account, Transactional, Authenticating
of foreign banks (other than Federal branches, Federal
+
}}
agencies, and insured State branches of foreign banks),
 
commercial lending companies owned or controlled by
 
foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act, by the
 
Board;
 
 
 
(iii) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal
 
Reserve System and national nonmember banks) and
 
insured State branches of foreign banks, by the Board
 
of Directors of the Federal Deposit Insurance Corporation; and
 
 
 
(iv) savings associations the deposits of which are
 
insured by the Federal Deposit Insurance Corporation,
 
by the Director of the Office of Thrift Supervision;
 
and
 
 
 
(B) the Federal Credit Union Act, by the Administrator
 
of the National Credit Union Administration with respect
 
to any Federal credit union.
 
 
 
(2) VIOLATIONS OF THIS SUBTITLE TREATED AS VIOLATIONS
 
OF OTHER LAWS.—For the purpose of the exercise by any agency referred to in paragraph (1) of its powers under any Act referred
 
to in that paragraph, a violation of this subtitle shall be deemed
 
to be a violation of a requirement imposed under that Act.
 
In addition to its powers under any provision of law specifically
 
referred to in paragraph (1), each of the agencies referred
 
to in that paragraph may exercise, for the purpose of enforcing
 
compliance with this subtitle, any other authority conferred
 
on such agency by law.SEC. 524. RELATION TO STATE LAWS.
 
 
 
(a) IN GENERAL.—This subtitle shall not be construed as superseding, altering, or affecting the statutes, regulations, orders, or
 
interpretations in effect in any State, except to the extent that
 
such statutes, regulations, orders, or interpretations are inconsistent with the provisions of this subtitle, and then only to the
 
extent of the inconsistency.
 
 
 
(b) GREATER PROTECTION UNDER STATE LAW.—For purposes
 
of this section, a State statute, regulation, order, or interpretation
 
is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any
 
person is greater than the protection provided under this subtitle
 
as determined by the Federal Trade Commission, after consultation
 
with the agency or authority with jurisdiction under section 522
 
of either the person that initiated the complaint or that is the
 
subject of the complaint, on its own motion or upon the petition
 
of any interested party.
 
 
 
SEC. 525. AGENCY GUIDANCE.
 
 
 
In furtherance of the objectives of this subtitle, each Federal
 
banking agency (as defined in section 3(z) of the Federal Deposit
 
Insurance Act), the National Credit Union Administration, and
 
the Securities and Exchange Commission or self-regulatory
 
organizations, as appropriate, shall review regulations and guidelines applicable to financial institutions under their respective jurisdictions and shall prescribe such revisions to such regulations and
 
guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent
 
the unauthorized disclosure of customer financial information and
 
to deter and detect activities proscribed under section 521.
 
 
 
'''Related harms under the Solove Taxonomy:''' §502-(a)-Disclosure, Execution, (b)-Disclosure, (2)-Disclosure, (c)-Disclosure, (d)-Disclosure, Secondary Use, (e)-Disclosure, (e)(1)(C)-Decisional Interference, (3)(A) & (B) & (C) & (D) & (E)-Insecurity, §503-(a)-Disclosure, (b)-Disclosure, §521- (a)-Disclosure, (b)-Appropriation, (g)-Surveillance
 
 
 
'''Scope of the Law''' ''Financial Institution''
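Review bot: the new revision stops at section 521(g) (the `|Categories of personal information covered=` line and the closing `}}` follow immediately), while the old text it replaces goes on through SEC. 522 (Administrative Enforcement), SEC. 524 (Relation to State Laws) and SEC. 525 (Agency Guidance); if the omission is deliberate, say so in the edit summary, otherwise carry those three sections over into the `Text of the law` field in the same `:SEC.` / `::(a)` indentation style used for sections 508 through 521. The old revision's `Related harms under the Solove Taxonomy` line, which tags §521(b) as Appropriation and §521(g) as Surveillance, also has no counterpart in the new revision, so those harm classifications are lost unless they are re-attached to the corresponding sections.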
 

Latest revision as of 00:44, 27 October 2020

Gramm Leach Bliley Act
Short Title: Gramm–Leach–Bliley Act (GLBA)
Official Text: Gramm Leach Bliley Act
Country/Jurisdiction: United States
State or Province:
Regulatory Bodies: FTC
Date Enacted: 1999/11/12
Scope of the Law: Financial Institutions

Information
Taxonomy: Breach of Confidentiality, Disclosure, Distortion, Exclusion, Insecurity
Strategies:

The Gramm–Leach–Bliley Act (GLBA) requires financial institutions to keep their customers' information secure. The Act also prevents financial institutions from disclosing individuals' nonpublic personal information, which is confidential; individuals, however, have the right under the Act to choose whether that information is disclosed.

Text of the law

SEC. 501. PROTECTION OF NONPUBLIC PERSONAL INFORMATION. Insecurity, Breach of Confidentiality
(a) Privacy Obligation Policy.--It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.

(b) Financial Institutions Safeguards.--In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards--

(1) to insure the security and confidentiality of customer records and information; Account, Identifying
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL INFORMATION.
(a) NOTICE REQUIREMENTS.—Except as otherwise provided in this subtitle, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 503. Exclusion, Disclosure
(b) OPT OUT.— Exclusion, Disclosure
(1) IN GENERAL.—A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless—
(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, that such information may be disclosed to such third party;
(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and
(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option. Exclusion
SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL AFFILIATES.
(a) IN GENERAL.—The Secretary of the Treasury, in conjunction with the Federal functional regulators and the Federal Trade Commission, shall conduct a study of information sharing practices among financial institutions and their affiliates. Such study shall include— Insecurity
(1) the purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties;
(2) the extent and adequacy of security protections for such information;
(3) the potential risks for customer privacy of such sharing of information;
(4) the potential benefits for financial institutions and affiliates of such sharing of information;
(5) the potential benefits for customers of such sharing of information;
(6) the adequacy of existing laws to protect customer privacy;
(7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law;
(8) the feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and
(9) the feasibility of restricting sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.
SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS. Disclosure, Distortion
(a) PROHIBITION ON OBTAINING CUSTOMER INFORMATION BY FALSE PRETENSES.—It shall be a violation of this subtitle for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person—
(1) by making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial institution;
(2) by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution; or
(3) by providing any document to an officer, employee, or agent of a financial institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.
(b) PROHIBITION ON SOLICITATION OF A PERSON TO OBTAIN CUSTOMER INFORMATION FROM FINANCIAL INSTITUTION UNDER FALSE PRETENSES.—It shall be a violation of this subtitle to request a person to obtain customer information of a financial institution, knowing that the person will obtain, or attempt to obtain, the information from the institution in any manner described in subsection (a). Account, Transactional
(c) NONAPPLICABILITY TO LAW ENFORCEMENT AGENCIES.—No provision of this section shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, to obtain customer information of a financial institution in connection with the performance of the official duties of the agency.
(d) NONAPPLICABILITY TO FINANCIAL INSTITUTIONS IN CERTAIN CASES.—No provision of this section shall be construed so as to prevent any financial institution, or any officer, employee, or agent of a financial institution, from obtaining customer information of such financial institution in the course of— Insecurity
(1) testing the security procedures or systems of such institution for maintaining the confidentiality of customer information;
(2) investigating allegations of misconduct or negligence on the part of any officer, employee, or agent of the financial institution; or
(3) recovering customer information of the financial institution which was obtained or received by another person in any manner described in subsection (a) or (b).
(e) NONAPPLICABILITY TO INSURANCE INSTITUTIONS FOR INVESTIGATION OF INSURANCE FRAUD.—No provision of this section shall be construed so as to prevent any insurance institution, or any officer, employee, or agency of an insurance institution, from obtaining information as part of an insurance investigation into criminal activity, fraud, material misrepresentation, or material nondisclosure that is authorized for such institution under State law, regulation, interpretation, or order.
(f) NONAPPLICABILITY TO CERTAIN TYPES OF CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.—No provision of this section shall be construed so as to prevent any person from obtaining customer information of a financial institution that otherwise is available as a public record filed pursuant to the securities laws (as defined in section 3(a)(47) of the Securities Exchange Act of 1934).
(g) NONAPPLICABILITY TO COLLECTION OF CHILD SUPPORT JUDGMENTS.—No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.
SEC. 503. DISCLOSURE OF INSTITUTION PRIVACY POLICY. Exclusion, Insecurity
(a) Disclosure Required.--At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504, of such financial institution's policies and practices with respect to--

(1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 502, including the categories of information that may be disclosed;
(2) disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution; and
(3) protecting the nonpublic personal information of consumers.
Such disclosures shall be made in accordance with the regulations prescribed under section 504.
(b) Information To Be Included.--The disclosure required by subsection (a) shall include--
(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 502 of this subtitle, and including--
(A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 502(e); and
(B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution;
(2) the categories of nonpublic personal information that are collected by the financial institution;
(3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 501; and
(4) the disclosures required, if any, under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act.
SEC. 504. RULEMAKING.
(a) Regulatory Authority.--
(1) Rulemaking.--The Federal banking agencies, the National Credit Union Administration, the Secretary of the Treasury, the Securities and Exchange Commission, and the Federal Trade Commission shall each prescribe, after consultation as appropriate with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, such regulations as may be necessary to carry out the purposes of this subtitle with respect to the financial institutions subject to their jurisdiction under section 505.
(2) Coordination, consistency, and comparability.--Each of the agencies and authorities required under paragraph (1) to prescribe regulations shall consult and coordinate with the other such agencies and authorities for the purposes of assuring, to the extent possible, that the regulations prescribed by each such agency and authority are consistent and comparable with the regulations prescribed by the other such agencies and authorities.
(3) Procedures and deadline.--Such regulations shall be prescribed in accordance with applicable requirements of title 5, United States Code, and shall be issued in final form not later than 6 months after the date of the enactment of this Act.
(b) Authority To Grant Exceptions.--The regulations prescribed under subsection (a) may include such additional exceptions to subsections (a) through (d) of section 502 as are deemed consistent with the purposes of this subtitle.
SEC. 505. ENFORCEMENT.
(a) In General.--This subtitle and the regulations prescribed thereunder shall be enforced by the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission with respect to financial institutions and other persons subject to their jurisdiction under applicable law, as follows:
(1) Under section 8 of the Federal Deposit Insurance Act, in the case of--
(A) national banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Office of the Comptroller of the Currency;
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act, and bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Governors of the Federal Reserve System;
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Board of Directors of the Federal Deposit Insurance Corporation; and
(D) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment advisers), by the Director of the Office of Thrift Supervision.
(2) Under the Federal Credit Union Act, by the Board of the National Credit Union Administration with respect to any federally insured credit union, and any subsidiaries of such an entity.
(3) Under the Securities Exchange Act of 1934, by the Securities and Exchange Commission with respect to any broker or dealer.
(4) Under the Investment Company Act of 1940, by the Securities and Exchange Commission with respect to investment companies.
(5) Under the Investment Advisers Act of 1940, by the Securities and Exchange Commission with respect to investment advisers registered with the Commission under such Act.
(6) Under State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled, subject to section 104 of this Act.
(7) Under the Federal Trade Commission Act, by the Federal Trade Commission for any other financial institution or other person that is not subject to the jurisdiction of any agency or authority under paragraphs (1) through (6) of this subsection.
(b) Enforcement of Section 501.--
(1) In general.--Except as provided in paragraph (2), the agencies and authorities described in subsection (a) shall implement the standards prescribed under section 501(b) in the same manner, to the extent practicable, as standards prescribed pursuant to section 39(a) of the Federal Deposit Insurance Act are implemented pursuant to such section.
(2) Exception.--The agencies and authorities described in paragraphs (3), (4), (5), (6), and (7) of subsection (a) shall implement the standards prescribed under section 501(b) by rule with respect to the financial institutions and other persons subject to their respective jurisdictions under subsection (a).
(c) Absence of State Action.--If a State insurance authority fails to adopt regulations to carry out this subtitle, such State shall not be eligible to override, pursuant to section 47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the insurance customer protection regulations prescribed by a Federal banking agency under section 47(a) of such Act.
(d) Definitions.--The terms used in subsection (a)(1) that are not defined in this subtitle or otherwise defined in section 3(s) of the Federal Deposit Insurance Act shall have the same meaning as given in section 1(b) of the International Banking Act of 1978.
SEC. 506. PROTECTION OF FAIR CREDIT REPORTING ACT.
(a) Amendment.--Section 621 of the Fair Credit Reporting Act (15 U.S.C. 1681s) is amended--
(1) in subsection (d), by striking everything following the end of the second sentence; and
(2) by striking subsection (e) and inserting the following:
"(e) Regulatory Authority.--
"(1) The Federal banking agencies referred to in paragraphs (1) and (2) of subsection (b) shall jointly prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraphs (1) and (2) of subsection (b), and the Board of Governors of the Federal Reserve System shall have authority to prescribe regulations consistent with such joint regulations with respect to bank holding companies and affiliates (other than depository institutions and consumer reporting agencies) of such holding companies.
"(2) The Board of the National Credit Union Administration shall prescribe such regulations as necessary to carry out the purposes of this Act with respect to any persons identified under paragraph (3) of subsection (b)".
(b) Conforming Amendment.--Section 621(a) of the Fair Credit Reporting Act (15 U.S.C. 1681s(a)) is amended by striking paragraph (4).
(c) Relation <<NOTE: 15 USC 6806.>> to Other Provisions.--Except for the amendments made by subsections (a) and (b), nothing in this title shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act, and no inference shall be drawn on the basis of the provisions of this title regarding whether information is transaction or experience information under section 603 of such Act.
SEC. 507. RELATION TO STATE LAWS.
(a) In General.--This subtitle and the amendments made by this subtitle shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this subtitle, and then only to the extent of the inconsistency.
(b) Greater Protection Under State Law.--For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subtitle if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subtitle and the amendments made by this subtitle, as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 505(a) of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.
SEC. 508. STUDY OF INFORMATION SHARING AMONG FINANCIAL AFFILIATES.
(a) In General.--The Secretary of the Treasury, in conjunction with the Federal functional regulators and the Federal Trade Commission, shall conduct a study of information sharing practices among financial institutions and their affiliates. Such study shall include--
(1) the purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties;
(2) the extent and adequacy of security protections for such information;
(3) the potential risks for customer privacy of such sharing of information;
(4) the potential benefits for financial institutions and affiliates of such sharing of information;
(5) the potential benefits for customers of such sharing of information;
(6) the adequacy of existing laws to protect customer privacy;
(7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law;
(8) the feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and
(9) the feasibility of restricting sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.
(b) Consultation.--The Secretary shall consult with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, and also with financial services industry, consumer organizations and privacy groups, and other representatives of the general public, in formulating and conducting the study required by subsection (a).
(c) Report.--On <<NOTE: Deadline.>> or before January 1, 2002, the Secretary shall submit a report to the Congress containing the findings and conclusions of the study required under subsection (a), together with such recommendations for legislative or administrative action as may be appropriate.
SEC. 509. DEFINITIONS.
As used in this subtitle:
(1) Federal banking agency.--The term "Federal banking agency" has the same meaning as given in section 3 of the Federal Deposit Insurance Act.
(2) Federal functional regulator.--The term "Federal functional regulator" means--
(A) the Board of Governors of the Federal Reserve System;
(B) the Office of the Comptroller of the Currency;
(C) the Board of Directors of the Federal Deposit Insurance Corporation;
(D) the Director of the Office of Thrift Supervision;
(E) the National Credit Union Administration Board; and
(F) the Securities and Exchange Commission.
(3) Financial institution.--
(A) In general.--The term "financial institution" means any institution the business of which is engaging in financial activities as described in section 4(k) of the Bank Holding Company Act of 1956.
(B) Persons subject to CFTC regulation.--Notwithstanding subparagraph (A), the term "financial institution" does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act.
(C) Farm credit institutions.--Notwithstanding subparagraph (A), the term "financial institution" does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.
(D) Other secondary market institutions.--Notwithstanding subparagraph (A), the term "financial institution" does not include institutions chartered by Congress specifically to engage in transactions described in section 502(e)(1)(C), as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
(4) Nonpublic personal information.--
(A) The term "nonpublic personal information" means personally identifiable financial information--
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed for the consumer; or
(iii) otherwise obtained by the financial institution.
(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 504.
(C) Notwithstanding subparagraph (B), such term--
(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but
(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.
(5) Nonaffiliated third party.--The term "nonaffiliated third party" means any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of such institution.
(6) Affiliate.--The term "affiliate" means any company that controls, is controlled by, or is under common control with another company.
(7) Necessary to effect, administer, or enforce.--The term "as necessary to effect, administer, or enforce the transaction" means--
(A) the disclosure is required, or is a usual, appropriate, or acceptable method, to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer's account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes--
(i) providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product; and
(ii) the accrual or recognition of incentives or bonuses associated with the transaction that are provided by the financial institution or any other party;
(B) the disclosure is required, or is one of the lawful or appropriate methods, to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction, or providing the product or service;
(C) the disclosure is required, or is a usual, appropriate, or acceptable method, for insurance underwriting at the consumer's request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer's insurance: Account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law; or
(D) the disclosure is required, or is a usual, appropriate or acceptable method, in connection with--
(i) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means;
(ii) the transfer of receivables, accounts or interests therein; or
(iii) the audit of debit, credit or other payment information.
(8) State insurance authority.--The term "State insurance authority" means, in the case of any person engaged in providing insurance, the State insurance authority of the State in which the person is domiciled.
(9) Consumer.--The term "consumer" means an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.
(10) Joint agreement.--The term "joint agreement" means a formal written contract pursuant to which two or more financial institutions jointly offer, endorse, or sponsor a financial product or service, and as may be further defined in the regulations prescribed under section 504.
(11) Customer <<NOTE: Regulations.>> relationship.--The term "time of establishing a customer relationship" shall be defined by the regulations prescribed under section 504, and shall, in the case of a financial institution engaged in extending credit directly to consumers to finance purchases of goods or services, mean the time of establishing the credit relationship with the consumer.
SEC. 510. EFFECTIVE DATE.
This subtitle shall take effect 6 months after the date on which rules are required to be prescribed under section 504(a)(3), except--
(1) to the extent that a later date is specified in the rules prescribed under section 504; and
(2) that sections 504 and 506 shall be effective upon enactment.
SEC. 521. PRIVACY PROTECTION FOR CUSTOMER INFORMATION OF FINANCIAL INSTITUTIONS.
(a) Prohibition on Obtaining Customer Information by False Pretenses.--It shall be a violation of this subtitle for any person to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, customer information of a financial institution relating to another person--
(1) by making a false, fictitious, or fraudulent statement or representation to an officer, employee, or agent of a financial institution;
(2) by making a false, fictitious, or fraudulent statement or representation to a customer of a financial institution; or
(3) by providing any document to an officer, employee, or agent of a financial institution, knowing that the document is forged, counterfeit, lost, or stolen, was fraudulently obtained, or contains a false, fictitious, or fraudulent statement or representation.
(b) Prohibition on Solicitation of a Person To Obtain Customer Information From Financial Institution Under False Pretenses.--It shall be a violation of this subtitle to request a person to obtain customer information of a financial institution, knowing that the person will obtain, or attempt to obtain, the information from the institution in any manner described in subsection (a).
(c) Nonapplicability to Law Enforcement Agencies.--No provision of this section shall be construed so as to prevent any action by a law enforcement agency, or any officer, employee, or agent of such agency, to obtain customer information of a financial institution in connection with the performance of the official duties of the agency.
(d) Nonapplicability to Financial Institutions in Certain Cases.--No provision of this section shall be construed so as to prevent any financial institution, or any officer, employee, or agent of a financial institution, from obtaining customer information of such financial institution in the course of--
(1) testing the security procedures or systems of such institution for maintaining the confidentiality of customer information;
(2) investigating allegations of misconduct or negligence on the part of any officer, employee, or agent of the financial institution; or
(3) recovering customer information of the financial institution which was obtained or received by another person in any manner described in subsection (a) or (b).
(e) Nonapplicability to Insurance Institutions for Investigation of Insurance Fraud.--No provision of this section shall be construed so as to prevent any insurance institution, or any officer, employee, or agency of an insurance institution, from obtaining information as part of an insurance investigation into criminal activity, fraud, material misrepresentation, or material nondisclosure that is authorized for such institution under State law, regulation, interpretation, or order.
(f) Nonapplicability to Certain Types of Customer Information of Financial Institutions.--No provision of this section shall be construed so as to prevent any person from obtaining customer information of a financial institution that otherwise is available as a public record filed pursuant to the securities laws (as defined in section 3(a)(47) of the Securities Exchange Act of 1934).
(g) Nonapplicability to Collection of Child Support Judgments.--No provision of this section shall be construed to prevent any State-licensed private investigator, or any officer, employee, or agent of such private investigator, from obtaining customer information of a financial institution, to the extent reasonably necessary to collect child support from a person adjudged to have been delinquent in his or her obligations by a Federal or State court, and to the extent that such action by a State-licensed private investigator is not unlawful under any other Federal or State law or regulation, and has been authorized by an order or judgment of a court of competent jurisdiction.

Disclaimer: The text of this law may not be the most recent version. We make no warranties or representations about the accuracy, completeness, or adequacy of the information contained on this site. Please check official sources.