Lawyers May Be Required To Provide Gramm-Leach-Bliley
Privacy Notices to Clients
by George Howell

In November 1999, Congress enacted the
Gramm-Leach-Bliley Act (the "Act"), which, for the first time since the Great
Depression, allows companies to engage in banking, insurance, and securities businesses
simultaneously. In taking this step, Congress worried that financial services companies
would share their customers' personal information with affiliates or third parties.
As a result, Title V of the Act requires a "financial institution" to send
notices to its customers who are individuals describing its privacy policy, any nonpublic
personal information that the company intends to disclose to affiliates or third parties,
and a method for the customer to "opt out" of the disclosure of personal
information.
In May 2000, the FTC issued regulations regarding disclosure policies
under the Act for certain types of financial institutions. Those regulations can be found
at 16 C.F.R. § 313. The Act and the FTC regulations define a "financial
institution" as a company the business of which is engaging in financial activities
described in section 4(k) of the Bank Holding Company Act of 1956. Included in the list of
covered financial activities are tax return preparation and tax planning. Under the
regulations, a firm that engages in one or more of the listed financial activities is
treated as a "financial institution" only if it is significantly engaged in
those activities.
There is not an exception in the Act or the FTC regulations for law firms.
Consequently, a law firm that is significantly engaged in one or more of the financial
activities listed in the regulations, including tax return preparation and tax planning,
would be subject to the Act's privacy notice requirements. There is no guidance in
the Act or the regulations as to what "significantly engaged" means. Interpreted
broadly, it covers any law firm with a separate tax or trusts and estates department or
that derives more than a de minimis percentage of its income from tax return
preparation or tax planning. In addition, although the privacy provisions of the Act are
intended to protect consumers, there is no indication in either the Act or the FTC
regulations that the activities to be considered in making the "significantly
engaged" determination are limited to financial services provided to consumers and
that services provided to businesses are to be excluded. In light of the uncertainty
surrounding the definition of "financial institution," law firms should
carefully assess whether they are subject to the privacy notice provisions of the Act.
Under the FTC regulations, covered financial institutions must send
initial privacy notices to all "customers" by July 1, 2001. A
"customer" is defined as an individual who obtains or has obtained from the
financial institution a financial service primarily for personal, family, or household
purposes and with whom the institution has an established relationship. Under the
regulations, a customer does not include a trust, an estate, or an entity or business of
any sort. Once an initial notice is sent to a customer, additional privacy notices must be
sent annually thereafter.
If a law firm determines that it is a covered financial institution, it
must send initial privacy notices to its existing "customers" by the July 1
deadline. The only required notice recipients would be individual clients of the firm who
have received or are receiving tax preparation, tax planning, or other financial services
for personal purposes. The notice requirement does not apply to entities or to individuals
who use the financial services for business or commercial purposes.
A firm's privacy notice must provide a clear and conspicuous
statement of its privacy policy. In particular, it should inform the recipient of the
categories of nonpublic personal information that the firm collects, any categories of
nonpublic information that will be disclosed and to whom it will be disclosed, the
recipient's right to "opt out" of disclosure, and the firm's policies
regarding protecting the confidentiality of such information.
Because law firms generally cannot disclose nonpublic information about
their clients under applicable ethical rules, law firm privacy notices typically would be
limited to providing the categories of nonpublic personal information that the firm
collects, a statement that the information is not disclosed, and a statement of the
firm's policies and procedures with respect to protecting the confidentiality of such
information. In most cases, there will be no need to provide an "opt out" right.
The notices must be designed to call attention to the information contained therein. For
example, if the notice is contained in an engagement letter, the notice should be set
apart either physically or through a different font.
Although the regulations do not provide for any monetary penalties or
enforcement procedures, the FTC has the power to bring administrative enforcement
proceedings. Accordingly, law firms should carefully consider whether the privacy notice
provisions of the Act apply and, if so, what compliance measures are appropriate.