The Gramm-Leach-Bliley Act: Five Years After Implementation, Does the Emperor Wear Clothes?

Publication year: 2022

39 Creighton L. Rev. 915

Creighton Law Review


Vol. 39


KATHLEEN A. HARDEE(fn*)


INTRODUCTION

Five years ago, the Gramm-Leach-Bliley Act was fervently debated and unveiled to the public with more pomp and circumstance than most legislation in recent years. The Act was initially touted to be both an economic boon to financial institutions and a revolutionary step in the protection of consumer privacy in this generation of computers and technical data sharing. Now, five years after its implementation,(fn1) a review of the performance of the Gramm-Leach-Bliley Act is warranted to evaluate performance to date and expectations for the future.

I. PURPOSE AND CREATION

Although ultimately sold to the public as an effort by Congress to protect consumers' personal and confidential financial information, the Gramm-Leach-Bliley Act (the "GLBA" or the "Act") initially did not include or even consider the issue of privacy.(fn2) The business purpose of the GLBA, also known as the Financial Services Modernization Act of 1999, was "to enhance competition in the financial services industry" by allowing financial services industries to affiliate with one another and to allow those affiliated institutions to share confidential customer data.(fn3) Congress believed that this affiliating and sharing of information would allow financial institutions to better compete both against one another and also throughout the world. This competition would in turn benefit consumers both by increasing the availability of financial products and services and also by favorably impacting pricing.(fn4) Hypothetically, the net cost to consumers would decrease due to the ready access affiliated entities would have to customers' personal and financial information.(fn5) To implement this business purpose, the GLBA first had to repeal sections of the Glass-Steagall Act, a New Deal regulation that had previously restricted affiliations between commercial banks and securities firms.(fn6)

On May 6, 1999, the Senate gave approval to Senate Bill 900, which was the initial version of the Act, sans any consideration of privacy concerns. It was at that point that the mechanism created to benefit financial institutions became a lightning rod for consumers' fear of their increasing loss of privacy in an electronically integrated world. The House Commerce Committee was the first to question the absence of any safeguards in the bill to protect the shared information, which would now be flowing between affiliates. The Committee proposed to impose upon financial institutions an obligation to create "procedures to protect the confidentiality and security of nonpublic personal information collected in connection with any transaction of their customers."(fn7) The concept proved to be easier in the abstract than in the definition. Ultimately the House Committee defined "nonpublic personal information" in the negative as "personally identifiable information, other than publicly available directory information, pertaining to an individual's transactions with a financial institution."(fn8)

And thus the debate began. The financial industry petitioned to narrow their responsibilities by narrowing the definition of "nonpublic personal information." Each layer of safeguards was seen as an impediment to accomplishing the initial goal of the GLBA, to facilitate the free flow of information. What had begun as a measure to permit the sharing of more information among financial affiliates was now developing into a scheme the financial services industry feared would actually impede their ability to use that shared information.(fn9)

On the other side of the debate, privacy proponents sought a broader definition of "nonpublic personal information." In doing so, they sought protection of more than just a consumer's transactions with a financial institution. Some advocated, and ultimately prevailed in including within the bill, protection of social security numbers, account applications, and account histories.(fn10) Others' arguments for including personal medical information that is shared in the context of financial services transactions ultimately failed.(fn11)

Beyond the threshold definition of "nonpublic personal information," legislators debated what procedures ought to be used to appropriately protect the personal information that would now be shared between affiliates. While the GLBA presumes that nonpublic personal information will be freely shared between affiliated entities, the question arose as to what limitations should be imposed to protect that information from being disseminated to nonaffiliated entities.

After extensive debate, President Clinton signed into law the final version of the Gramm-Leach-Bliley Act on November 12, 1999. Tucked in at the end of the Act was the ultimate compromise arising from the debates regarding privacy considerations. That policy is best summarized in the opening provisions of Subtitle A of Title V of the Act:

§ 6801. Protection of nonpublic personal information(fn12)
(a) Privacy obligation policy
It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.
(b) Financial institutions safeguards
In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards -
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

The threshold definitional issue of who is included within the scope of the term "financial institution" was addressed in § 6805(a). In that section the following entities, and those subject to their jurisdiction, were intended to be subject to the privacy protections of the GLBA:

a. "[N]ational banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities" subject to the jurisdiction of the Office of the Comptroller of the Currency pursuant to 12 U.S.C. § 1818;(fn13)
b. "[M]ember banks of the Federal Reserve System, branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act, and bank holding companies and their nonbank subsidiaries or affiliates" subject to the jurisdiction of the Board of Governors of the Federal Reserve System pursuant to 12 U.S.C. § 1818;(fn14)
c. "[B]anks insured by the Federal Deposit Insurance Corporation, insured State branches of foreign banks, and any subsidiaries of such entities" subject to the jurisdiction of the Board of Directors of the Federal Deposit Insurance Corporation pursuant to 12 U.S.C. § 1818;(fn15)
d. "[S]avings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations" subject to the jurisdiction of the Director of the Office of Thrift Supervision pursuant to 12 U.S.C. § 1818;(fn16)
e. Federally insured credit unions and any subsidiaries of such entities subject to the jurisdiction of the Board of the National Credit Union Administration pursuant to 12 U.S.C. § 1751, et seq.;(fn17)
f. Brokers and dealers subject to the jurisdiction of the Securities and Exchange Commission pursuant to 15 U.S.C. § 78a, et seq.;(fn18)
g. Investment companies subject to the jurisdiction of the Securities and Exchange Commission pursuant to 15 U.S.C. § 80a-1, et seq.;(fn19)
h. Registered investment advisors subject to the jurisdiction of the Securities and Exchange Commission pursuant to 15 U.S.C. § 80b-1, et seq.;(fn20)
i. "[A]ny person engaged in providing insurance" subject to "the applicable State insurance authority of the State in which the person is domiciled" pursuant to State insurance law;(fn21)
j. Any other financial institution not within the parameters of any other provision but subject to the jurisdiction of the Federal Trade Commission pursuant to 15 U.S.C. § 41, et seq.(fn22)

After describing policy and defining applicability, Congress went on to outline a procedure for protecting personal information. Such outline is found in 15 U.S.C.A. § 6802. In that section the GLBA states that a financial institution may not disclose any nonpublic personal information to any nonaffiliated third party, unless an opt-out notice is provided to the consumer.(fn23) The opt-out notice must be given initially when the customer relationship is created, followed by annual privacy notices in each year in which the customer relationship continues. These notices must disclose the types of nonpublic personal information the financial institution collects, as well as the types of information that the financial institution discloses to third parties. If nonpublic personal information is to be...
