South Carolina Lawyer
Vol. 13, No. 2, Pg. 32.
GLBA privacy rules catch some lawyers off guard-do the new privacy rules apply to your practice?
32GLBA privacy rules catch some lawyers off guard--do the new privacy rules apply to your practice?By Gwendolyn L. FullerOn June 20, 2001, the ABA passed a resolution objecting to the imposition upon the legal community of the privacy provisions of the Gramm-Leach Bliley Act (GLBA) upon the legal community. The resolution requested that the Federal Trade Commission (FTC) exempt the practice of law from the statute's implementing regulations. This action was prompted by the realization, albeit late, that the privacy protections of the GLBA may apply to some legal practices.
34Most lawyers involved in the representation of the financial services industry were aware of the passage of the GLBA and the changes it brought to the financial services industry. Many were even aware of the privacy provisions and their impact upon their clients, but did not consider that their practices would fall within the broad definition of "financial institution" contained within the regulations. Generally, lawyers who provide tax planning, estate planning and other financial services are subject to the requirements of the regulations. Law firms significantly engaged in these types of activities fall within the definition of "financial institution" under GLBA.
This article provides a general overview of the privacy requirements of GLBA and its potential impact upon some members of the legal community. The federal privacy rules may be found in the Code of Federal Regulations at 12 C.F.R. Parts 40, 216, 332 and 573. This article is also based upon the summary of Article V presented in Jedziniak, Maybank, et al., The Law of Automobile Insurance, 3d4th, South Carolina Bar (2000).
Application of privacy provisions to attorneys
The privacy protections of the GLBA may apply to attorneys and law firms in two ways: 1) directly as "financial institutions" and 2) indirectly as service providers for "financial institutions." The privacy provisions of GLBA apply to financial institutions, which are defined as entities that engage in activities that are "financial in nature," "incidental to a financial activity" or "complementary to a financial activity" as determined by federal regulators. Section 509(3) provides that "financial" institution refers to any institution engaging in financial activities under §4(k) of the Bank Holding Company Act of 1956. The Federal Reserve Board and the Secretary of Treasury are also charged with the responsibility of defining the additional activities that may be financial in nature. See Pub. Law No. 106-102 § 103, 113 Stat. 1338; also Pub. Law No. 106-102, § 509(3). The financial activities of attorneys may include activities such as real estate transactions, debt collection, financialadvisory activities, tax planning and consulting. Law firms significantly engaged in such activities or other activities that are financial in nature may be deemed to be "financial institutions" under the GLBA.
The GLBA requires a financial institution to disclose its privacy policies and practices to a customer. Under the GLBA, there is a distinction between "customer" and "consumer." A "customer" is a consumer who has a continuing relationship with the financial institution. A "consumer" is an individual who obtains or has obtained a financial product or services from a financial institution that is used for personal, family or household purposes, and that individual's legal representation. Pub. Law No. 106-102, § 501, et seq. The financial institution must also provide the customer with the ability to opt-out of the financial institution's ability to share that information with nonaffiliated third persons. The privacy disclosures and restrictions on sharing personal information apply to "financial institutions" except those subject to the CFTC regulation, Farmer Mac and other farm credit institutions, and other secondary market institutions (e.g., FNMA, FHLMC, and Sallie Mae), provided such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party. Pub. Law No. 106102, § 501, et seq.
The disclosure must include the institution's policies and practices with respect to disclosing non-public personal information to non-affiliated third parties; the categories of information collected; the institution's security; and confidentiality policies and disclosures required under the Fair Credit Reporting Act. Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.