ABA Section of Business Law
May/June 2001 (Volume 10, Number 5)
Is it always better to share?
Careful what you do with that customer information
By Cynthia A. Glassman
Excuse me: You're doing what with my bank-account information?
Companies collect customer information and share it with affiliates and third parties for a number of strategic and tactical reasons. These reasons include improving services to customers, more effective marketing, containing costs and reducing fraud. In recent years, the sharing of such information, especially when it is not publicly available and includes personal financial or medical information, has raised concerns about privacy.
The Gramm-Leach-Bliley Act of 1999 has taken these consumer concerns and turned them into legal requirements for institutions that collect nonpublic personal financial information, as defined by the law. Now, financial institutions must disclose, and in some cases limit, how they share such customer information. The financial institutions covered by the act are broadly defined and include not only banks, thrifts, insurance companies and securities firms, but also many retailers, health-care companies, travel agents and other firms not traditionally considered financial institutions.
Compliance with this new law is very burdensome both in terms of time and money. Compliance costs could total hundreds of millions or even on the order of a billion dollars for all covered institutions.
Privacy is about customer trust. The privacy provisions of the act require an explicit commitment by financial institutions regarding how those institutions protect the nonpublic personal information of individuals who conduct business with them. The explicit commitment to individuals must be made in the initial and required annual notices. The notices tell individuals what nonpublic, personal financial information the institutions collect, how they share it with affiliates and nonaffiliated third parties, with what types of organizations they share the information, and how they protect the security and integrity of the information.
Customers must also be provided with the ability to opt out of certain sharing with third parties. Companies that share information only with affiliates or whose third-party sharing falls within the exemptions in the law, must send disclosure notices by July 1, 2001. Institutions that share information with third parties that requires an opt-out offer must send notices by June 1, 2001.
While there may be a wide range of concerns raised in interpreting the letter of the law, the spirit of the law is clear: Tell people what you do with their information so that they can make an informed decision about whether they want to do business with your organization. As a result, when establishing policies regarding the privacy of customer data, companies must take into account the effect of those policies on their own image, reputation and legal and regulatory compliance.
Compliance with the new legislation is required by rules promulgated by various regulatory agencies - the Comptroller of the Currency, Federal Deposit Insurance Corporation, Federal Reserve, Office of Thrift Supervision, National Credit Union Administration, Securities and Exchange Commission, and the Federal Trade Commission. These agencies are incorporating compliance with the act into their existing oversight functions. Complying raises four key questions for affected institutions, which are:
- What are the requirements?
- What are our existing information-sharing practices in the context of the law?
- What privacy policy and practices fit with our business needs, customer expectations and ability to comply?
- How will we ensure compliance?
Noncompliance will risk regulatory sanctions. However, the bigger challenge for the institutions is the reputation and legal risk from making commitments that they cannot, or do not, keep. Meeting that challenge requires that a number of critical success factors be met.
First, institutions must ensure that they are willing to keep the commitments that they make to their customers about privacy. That, in turn, entails the following:
- Senior management support for privacy commitments: Effective privacy management requires sponsorship and communication from the top.
- Understanding the requirements of the law and all implementing rules, and
- Understanding the spirit of the law and the concerns behind it.
Second, the company must understand its own current practices regarding what nonpublic personal financial information is collected, how it is shared with affiliates and third parties, and why it is shared.
Especially with regard to sharing with affiliates, keeping track of information-sharing practices was not a focus for most companies, because all affiliates are part of one corporate family. Now, it is critical to understand those practices, so that the disclosed policies and the actual practices are consistent. Conducting the inventory of information collected and shared has been one of the most time consuming and burdensome aspects of compliance with the Gramm-Leach-Bliley Act.
Third, the policy must balance business-practice needs against customer concerns. Many companies take for granted that their information sharing provides benefits to their customers, but have difficulty in articulating, either quantitatively or qualitatively, the specific benefits to the customers. For customers, information sharing is not obvious; therefore they are not aware of the benefits they receive from information sharing. Not surprisingly, they focus on the scary or annoying effects of information sharing - that is, identity theft and telemarketing. What that means in practice is that privacy concerns are not well addressed in consumer interactions.
Fourth, institutions must be sure they are able to live up to their commitment. That, in turn, entails the following:
- Flexibility of the policy to respond to business, environment or law changes. One issue that many institutions have confronted is how broad to make the disclosures. The broader the disclosures, the more flexibility a company has in dealing with changes in corporate structure, products and services, business practices, and law changes, without having to provide new notices. However, narrower and more specific disclosed policies may better counter customer concerns. For both business and regulatory reasons, compliance with the act must be dynamic, with an eye to the future as well as on the present.
- Alignment of systems and processes with policy requirements - ensuring that the company's systems and infrastructure can handle its procedures - is particularly important for monitoring customer "opt-outs" and "opt-ins" to information sharing. If customers are given a choice, the company must be able to honor the choice. While "opt-ins" are not currently a requirement, some companies may choose to offer an opt-in for business reasons, and some states are considering tighter legislation that could include opt-in requirements.
- Communication and training to ensure that employees at all levels understand the privacy issue, the privacy policy, as well as their own responsibilities regarding the procedures. Information touches everyone in the company, and all employees must know their own role in keeping the company's commitment to its information-sharing policies.
- Monitoring compliance with the company's own policy and with evolving regulations. As with any policy, monitoring compliance is necessary to ensure effective implementation. With respect to information sharing, monitoring includes internal monitoring of the company's compliance with its own policies and external monitoring of the environment to determine if existing policies remain appropriate.
Companies cannot afford to ignore the risks associated with customer dissatisfaction in the way their information is handled. Those risks are growing. The most immediate risk revolves around compliance with the new requirements. On a continuing basis, companies must be sure that they live up to the commitments in their disclosed privacy policy, both in the spirit and the letter of the law, or they will face regulatory concerns, customer anger, damaged reputation and costly litigation.
However, the rewards of an effective privacy policy are maintaining customers and their trust while using information as needed for business purposes.
Glassman is a principal at Ernst & Young LLP in Washington. Her e-mail is cynthia.glassman@ey.com.