
III. DATA PROTECTION LAWS REGULATING CONSUMER FINANCIAL INFORMATION

A. Federal Law

There is no single, uniform federal law regulating personal data collection in the United States.120 The Gramm-Leach-Bliley Act of 1999 (“GLBA”), also known as the Financial Services Modernization Act, is the most relevant data protection law pertaining to financial institutions.121 Specifically, Title V of the GLBA restricts financial institutions’ disclosure of nonpublic personal information about consumers.122 Under Title V, each financial institution has an affirmative and continuing obligation (1) to respect the privacy of its customers,123 and (2) to protect the security and confidentiality of those customers’ nonpublic personal information.124 These two provisions give bank customers a right to know how their personal information will be used.125 Congress outlined a procedure in this part of the GLBA to safeguard consumer information.126 The procedure gives consumers the option to opt out of information sharing with nonaffiliated third parties.127 In addition, before a financial institution may share consumer information with a nonaffiliated third party, it must have given the consumer a clear and conspicuous written notice of its privacy policies and an opportunity to opt out.128

Administrative agencies, including the federal banking regulators and the Federal Trade Commission (“FTC”), are tasked with ensuring compliance.129 Congress left it to those agencies to decide what rules to promulgate to implement Title V.130 The Federal Deposit Insurance Corporation (“FDIC”), the OCC, the Federal Reserve Board, and other agencies jointly adopted a model privacy notice form.131 The FTC, for its part, was given the “catch-all” responsibility of enforcing Title V against “[a]ny other financial institution” not covered by another regulator.132 The FTC accordingly issued two sweeping regulations: a “Financial Privacy Rule,”133 which requires financial institutions to provide consumers an annual notice of the institution’s privacy policies,134 and a “Safeguards Rule,” which requires financial institutions to develop, implement, and maintain a written information security program containing administrative, technical, and physical safeguards for customer information.135 The GLBA’s prohibition on obtaining customer financial information from a financial institution by false pretenses is a separate provision, 15 U.S.C. § 6821, and is not part of the Safeguards Rule.

Despite the additional efforts of these agencies and regulators, the GLBA still has pitfalls and critics, who argue chiefly that it does not go far enough to protect consumers.136 For example, the GLBA offers no private right of action for affected consumers.137 This problem is compounded by the fact that banks often collect consumer information outside the scope of the protections granted by the GLBA, such as when a bank gathers information from website or mobile-app visitors that is unrelated to financial services or to opening an account.138 Additionally, the GLBA’s consumer opt-out route is subject to exceptions, effectively creating an “information-sharing loophole.”139 More recently, financial institutions have had to work out how to meet the GLBA’s data protection obligations in a work-from-home environment, a question that will remain if remote work persists after the pandemic.140

While the GLBA is the legal backbone for data protection domestically, U.S. legislation may have fallen behind international data protection laws.141 There have been calls for the United States to enact a law similar to the General Data Protection Regulation (“GDPR”), which took effect in the European Union (“E.U.”) on May 25, 2018.142 The GDPR is a data protection regulation intended to give individuals in the E.U. rights over their personal data and over how it is collected and used.143 Failure to comply with the GDPR can result in administrative fines of up to €20 million (roughly $22.6 million at the time) or 4% of the company’s worldwide annual turnover, whichever is higher.144

The reach of the GDPR is not limited to Europe.145 It has had sweeping effects on U.S. companies.146 According to the U.S. Secretary of Commerce, the GDPR has led U.S. companies to spend billions of dollars bringing their privacy practices into compliance.147 These expenditures are unlikely to be a one-time event,148 because other countries are following the E.U.’s lead and revising their own data protection laws.149 For example, Canada amended its Personal Information Protection and Electronic Documents Act, which now overlaps significantly with the GDPR.150 Similarly, Australia published additional guidance on its Privacy Act 1988 to address questions raised by the GDPR.151 A key difference between the E.U. and U.S. approaches is one of emphasis:152 U.S. legislation and public debate have focused on cybersecurity and breaches, while the E.U. places its emphasis on personal privacy.153 In any event, the GLBA sets only a floor; states remain free to enact more stringent privacy laws.154

B. State Law

Unless a more comprehensive federal data privacy law is enacted, data protection in the United States depends on a “patchwork system” of state laws.155 While all fifty states have data breach laws, those laws require little more than notification that a breach has occurred.156 Some states, however, notably New York and California, have taken steps to improve data security and the personal privacy of their residents.157 New York’s Department of Financial Services (“NYDFS”) has issued a set of cybersecurity regulations aimed specifically at financial institutions, 23 NYCRR Part 500, commonly known as “Reg 500.”158 These regulations were created to guard against the threat posed by cybercriminals and to protect consumers from intrusion upon their private financial data.159 Reg 500 sets a regulatory minimum standard for cybersecurity that companies can build upon in assessing their own specific risk profiles.160 It requires covered financial services companies to maintain a written cybersecurity policy addressing, among other areas, data governance, customer data privacy, systems and network security, risk assessment, and incident response.161 Reg 500 took effect in 2017, and the NYDFS filed its first enforcement action under it only in July 2020.162 Meanwhile, only California has enacted a broader data protection and privacy law.163

California has passed the most comprehensive state data protection law: the California Consumer Privacy Act (“CCPA”).164 The CCPA has been nicknamed “GDPR-lite” and the “California GDPR.”165 It provides consumers with four key rights: (1) the right to know, (2) the right to delete (the CCPA’s counterpart to the GDPR’s “right to be forgotten”), (3) the right to opt out, and (4) the right to equal service and price.166 Any business that collects the personal information of California residents and meets the statute’s size thresholds is subject to its provisions, including financial institutions,167 although personal information already collected and processed under the GLBA is largely exempt from the CCPA’s substantive requirements (CAL. CIV. CODE § 1798.145(e)); the CCPA’s private right of action for data breaches still applies to such information. While it is still too early to gauge the CCPA’s long-term impact, companies both in the United States and abroad have asked for more time to put their new privacy practices in place.168 Despite pleas from both U.S.-based and international companies for more time to absorb the shock of compliance, the California Attorney General has been resolute: no one gets extra time.169 The CCPA’s collection and storage rules have, moreover, been complicated by novel situations arising out of the pandemic.170 Businesses are now collecting physiological data about consumers, such as body temperature and prior test results, as well as contact-tracing data via cell phones.171 How such personal data should be collected, stored, and maintained is unaddressed in the CCPA, showing that privacy laws need to be continuously updated to reflect the changing times.172

Since California took a strong stance on personal privacy protection, sixteen other states have introduced comprehensive state privacy bills, a sign that the “patchwork system” may be improving.173 Moreover, members of Congress have proposed the COVID-19 Consumer Data Protection Act, which would (1) give Americans more transparency over their personal data, such as health records and location data, and (2) hold businesses accountable for how they use such data to fight the pandemic.174 The bill takes GDPR-like steps by zeroing in on personal privacy protections.175 One of its sponsors, Senator Jerry Moran, has stated that Congress still needs to enact a uniform data privacy law.176


117. See id. (“A year down the line, however, public sentiment toward Equifax is slowly getting restored as more people begin to trust the brand again. YouGov’s Buzz Metric shows that Equifax public opinion is hovering around negative two now; almost the same spot it was in before the hacking.”).

118. See Equifax to Pay $575 Million, supra note 49 (discussing how the Equifax breach affected 147 million people, and that Equifax agreed to pay settlement amounts to all fifty states, the District of Columbia, and Puerto Rico following the breach); see also Wack, supra note 479 (stating that Capital One must pay $80 million after compromising the personally identifiable information of 100 million Americans and six million Canadians).

119. See Jolly, supra note 63 (discussing the “patchwork” system of laws regulating data protection in the United States).

120. Jolly, supra note 63.

121. Gramm-Leach-Bliley Act of 1999 (“GLBA”), Pub. L. No. 106-102, 113 Stat. 1338 (codified in relevant part at 15 U.S.C. § 6801 et seq.); see also Jolly, supra note 63 (referring to the GLBA as one of the “most prominent federal privacy laws”).

122. Id.; see also Neal R. Pandozzi, Beware of Banks Bearing Gifts: Gramm-Leach-Bliley and the Constitutionality of Federal Financial Privacy Legislation, 55 U. MIAMI L. REV. 163, 164 (2001) (examining the shortfalls of Title V of the GLBA).

123. GLBA, 15 U.S.C. § 6801(a).

124. Id. § 6801(b).

125. See Pandozzi, supra note 122, at 164–65 (examining the origins and scope of Title V of the GLBA).

126. GLBA, 15 U.S.C. § 6802.

127. Id. § 6802(b)(1); see generally William Francis Galvin, Gramm-Leach-Bliley Act (GLBA), SEC’Y OF THE COMMONWEALTH OF MASS., https://www.sec.state.ma.us/sct/sctgbla/gblaidx.htm [https://perma.cc/P5QV-KNL2] (last visited Feb. 6, 2021) (defining the terms “affiliate,” which is a company that controls, is controlled by, or is under common control with the organization, and “non-affiliate,” which is any entity other than the organization or an affiliate).

128. GLBA, 15 U.S.C. § 6802(b)(1); David W. Roderer, Tentative Steps Toward Financial Privacy, 4 N.C. BANKING INST. 209, 212 (2000).

129. GLBA, 15 U.S.C. § 6802(a).

130. Id. § 6804(a)(1)(A).

131. Stephen F.J. Ornstein et al., Final Model Privacy Form Under the Gramm-Leach-Bliley Act, 65 CONSUMER FIN. L.Q. REP. 171, 171 (2011).

132. See Kathleen A. Hardee, The Gramm-Leach-Bliley Act: Five Years After Implementation, Does the Emperor Wear Clothes?, 39 CREIGHTON L. REV. 915, 924 (2006) (examining the Federal Trade Commission’s broad responsibilities in implementing the GLBA in comparison to other federal agencies).

133. 16 C.F.R. §§ 313.1–313.18 (2020).

134. Id. § 313.5(a)(1).

135. 16 C.F.R. pt. 314 (2020).

136. See Pandozzi, supra note 122, at 166 (“Several congressman and consumer groups believe that Title V does not go far enough to protect financial information. . . . [F]inancial services companies remain free to share a customer’s financial information with their affiliates [despite the opportunity for consumers to opt out of information sharing with unaffiliated third parties]. Additionally, the opt-out mechanism [for consumers] is subject to certain exceptions that may create an information-sharing loophole for financial services companies.”).

137. See Dunmire v. Morgan Stanley DW, Inc., 475 F.3d 956, 960 (8th Cir. 2007) (discussing the lack of relief for plaintiffs bringing GLBA lawsuits).

138. See Fara Soubouti, Note, Data Privacy and the Financial Services Industry: A Federal Approach to Consumer Protection, 24 N.C. BANKING INST. 527, 534 (2020) (“[F]inancial institutions gather information about visitors to their websites or mobile applications for visits unrelated to financial services or opening of an account. Banks may then use that consumer data internally for marketing purposes and externally by selling that information to third parties.”).

139. See Pandozzi, supra note 122, at 166 (discussing the shortcomings of Title V of the GLBA, namely how a financial services institution may still end up sharing personal consumer information).

140. See David T. Rich, GLBA in a Work From Home Environment, WIPFLI (Apr. 21, 2020), https://www.wipfli.com/insights/articles/fi-covid-19-glba-security-for-work-forhome-employees [https://perma.cc/7V9K-RY2M] (discussing how it is more challenging for financial institutions to reinforce the data protection provisions of the GLBA given the shift to a remote workforce in 2020).

141. See Katarina Rebello, Does the U.S. Need an American Alternative to the GDPR?, TRANSATLANTIC PUZZLE (Sept. 19, 2019), https://transatlanticpuzzle.com/2019/09/19/doesthe-u-s-need-an-american-alternative-to-the-gdpr/ [https://perma.cc/LJ6M-U7WP] (analyzing how American legislators are contemplating stronger data protection laws in light of the European Union’s passage of the GDPR).

142. Lauren Davis, Note, The Impact of the California Consumer Privacy Act on Financial Institutions Across the Nation, 24 N.C. BANKING INST. 499, 507–08 (2020).

143. See Richie Koch, What Does GDPR Stand For? (And Other Simple Questions Answered), GDPR EU, https://gdpr.eu/what-does-it-stand-for/ [https://perma.cc/F57RW6D7] (last visited Feb. 6, 2021) (providing background on the implementation of the GDPR); see also Ben Wolford, Data Sharing and GDPR Compliance: Bounty UK Shows What Not to Do, GDPR EU, https://gdpr.eu/data-sharing-bounty-fine/ [https://perma.cc/5V97-3S7J] (last visited Nov. 2, 2020) (discussing the requirements an organization must abide by if it wants to collect consumer financial data).

144. See Sarah Hospelhorn, Analyzing Company Reputation After a Data Breach, VARONIS: INSIDE OUT SEC. BLOG (last updated Mar. 29, 2020), https://www.varonis.com/blog/company-reputation-after-a-data-breach/ [https://perma.cc/A65W-CGJW] (discussing the GDPR’s requirement that a data breach be reported within seventy-two hours, with steep fines for noncompliance).

145. See Paul M. Schwartz, Global Data Privacy: The E.U. Way, 94 N.Y.U. L. REV. 771, 772–73 (2019) (“Proof of the influence of the GDPR and EU data protection law, however, goes beyond the hefty sums spent by U.S. companies to comply with them. The EU has taken an essential role in shaping how the world thinks about data privacy. Even corporate America draws on EU-centric language in discussing data privacy.”).

146. See id. (stating that companies in the United States have had to invest hefty sums in order to comply with the GDPR).

147. Wilbur Ross, EU Data Privacy Laws Are Likely to Create Barriers to Trade, FIN. TIMES (May 30, 2018), https://www.ft.com/content/9d261f44-6255-11e8-bdd1-cc0534df682c [https://perma.cc/FW8C-YLHV].

148. See Todd Ehret, Data Privacy and GDPR at One Year, a U.S. Perspective. Part Two - U.S. Challenges Ahead, REUTERS (May 29, 2019, 11:24 AM), https://www.reuters.com/article/us-bc-finreg-gdpr-report-card-2/data-privacy-and-gdpr-atone-year-a-u-s-perspective-part-two-u-s-challenges-ahead-idUSKCN1SZ1US [https://perma.cc/XQK5-JZUW] (examining how other countries have updated their own data privacy practices to ensure compliance with the GDPR).

149. See id. (examining how the rest of the world has taken notice of the European Union’s adoption of the GDPR).

150. Id.

151. Id.

152. See id. (“Public and political emphasis on privacy so far in the United States has been focused on breaches and cybersecurity, as opposed to the European approach which has centered on personal privacy.”).

153. Id.

154. See Soubouti, supra note 138, at 530 (discussing the interplay between federal and state privacy laws).

155. Jolly, supra note 63.

156. Id.

157. See Davis, supra note 142 (discussing the adoption and implementation of the California Consumer Privacy Act); see also How to Meet DFS 23 NYCRR 500 Cyber Security Regulation, MAUREEN DATA SYS., https://www.mdsny.com/how-to-meet-dfs-23nycrr-500-in-five-steps/ [https://perma.cc/L93M-JHUR] (last visited Nov. 3, 2020, 9:17 PM) (discussing a set of cybersecurity regulations applicable to financial institutions in New York).

158. N.Y. COMP. CODES R. & REGS. tit. 23, § 500.00 et seq. (2017); Damon W. Silver & Catherine R. Tucciarello, NYDFS Files First Enforcement Action Under Reg 500, NAT. L. REV. (Aug. 17, 2020), https://www.natlawreview.com/article/nydfs-files-first-enforcementaction-under-reg-500 [https://perma.cc/G5E8-QM7M].

159. How to Meet DFS 23 NYCRR 500 Cyber Security Regulation, MAUREEN DATA SYS., https://www.mdsny.com/how-to-meet-dfs-23nycrr-500-in-five-steps/ [https://perma.cc/L93M-JHUR] (last visited Nov. 3, 2020, 9:17 PM).

160. N.Y.C. BAR ASS’N, NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES 23 NYCRR 500 CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES, 20190613a NYCBAR 131 (2019).

161. N.Y. COMP. CODES R. & REGS. tit. 23, § 500.03.

162. See Silver & Tucciarello, supra note 158 (scrutinizing the New York Department of Financial Services’s first enforcement action, against First American Title Insurance Company, which inadvertently exposed personally identifiable information of its customers by failing to mitigate a security vulnerability on its website).

163. See California Consumer Privacy Act of 2018, CAL. CIV. CODE § 1798.100 (West 2020); Jolly, supra note 63 (“In July 2018, California passed the most comprehensive data protection law in the US[.]”).

164. See generally Davis, supra note 142 (discussing the adoption and implementation of the California Consumer Privacy Act).

165. Ehret, supra note 148.

166. Davis, supra note 142, at 506.

167. CAL. CIV. CODE § 1798.100.

168. See Robert B. Milligan et al., The Impact of COVID-19 on the California Consumer Privacy Act, SEYFARTH (Apr. 7, 2020), https://www.seyfarth.com/print/content/43301/theimpact-of-covid-19-on-the-california-consumer-privacy-act-2.pdf [https://perma.cc/9M4U52QZ] (examining the impact COVID-19 will have on the enforcement of the California Consumer Privacy Act, with the pandemic having created novel data protection situations that companies will have to confront).

169. See id. (discussing the uncertainty surrounding how companies will comply with the CCPA, made even more troublesome by the fact that the regulations implementing the CCPA have not yet been finalized).

170. See id. (stating that novel situations include the increased need for companies to collect physiological information about consumers, such as body temperature, prior COVID-19 test results, and contact-tracing data).

171. Id.

172. See id. (“At least some light should be shed on these [referring to the collection of physiological data during the pandemic] and other CCPA-related questions once the regulations [are] finalized and provided to the public, though the litigation ensuing from the CCPA will only increase with time, and with pandemic-related new realities.”).

173. See Soubouti, supra note 138, at 531 (“The California Consumer Privacy Act (“CCPA”) is currently the most protective comprehensive state data privacy law in the country. As of October 2019, sixteen other states have introduced comprehensive state privacy bills to enhance consumer data protections of their residents.”).

174. See Press Release, U.S. S. Comm. on Commerce, Sci., & Transp., Wicker, Thune, Moran, Blackburn Announce Plans to Introduce Data Privacy Bill (Apr. 30, 2020) (examining how the proposed bill is meant to specifically address data protection issues arising as a result of the COVID-19 pandemic).

175. See id. (“It is paramount that as tech companies utilize data to track the spread of COVID-19, Americans’ privacy and security are not put at risk. Health and location data can reveal sensitive and personal information, and these companies must be transparent with their users.”) (examining the proposed data privacy bill, the COVID-19 Consumer Data Protection

