Privacy Issue for New Year: Reopen GLB Provisions?

Article excerpt

WASHINGTON -- As Congress debates legislation to safeguard consumer data, the financial services industry is weighing whether it should seek to broaden the discussion to include financial privacy.

Bankers have long sought to establish a single federal standard governing how companies may share customer data, and they want to simplify notice requirements.

The data security debate gives bankers an opportunity to press lawmakers to do both those things, but it would involve reopening the Gramm-Leach-Bliley Act of 1999. That law expressly allows states to go further than current federal privacy requirements.

Lobbyists are unsure if reopening Gramm-Leach-Bliley is a smart strategy.

"Some thought is being given to whether this can be an opportunity to fix some of the problems with the privacy sections of Gramm-Leach-Bliley," said Wayne Abernathy, an executive director at the American Bankers Association. "It is certainly something we ought to think about."

But Mr. Abernathy and other officials warn that such a move carries risks, including the possibility of tougher privacy restrictions on banks and delaying the data security legislation, which the industry also supports.

"I would be surprised if the industry would try to tack on a Gramm-Leach-Bliley preemption on data sharing, if only because it would reopen the act," said Thomas M. Boyd, a partner in the Washington office of Alston & Bird LLP. "To the extent that you go into other areas of the act, that becomes a burdensome process, and it extends even further the time required to consider the legislation. We've already got less than a year left" in the current congressional session.

Though the two issues are related, data security and financial privacy are distinct. The data security bills now under consideration would establish a federal standard governing how companies must safeguard data from identity thieves and others. Financial privacy restrictions govern how companies may share consumer data internally and with third parties.

Congress last dealt with both issues in Gramm-Leach-Bliley, which mandated that financial services companies keep consumer data secure. But it also set privacy restrictions, by requiring financial institutions to notify customers annually about their corporate privacy policies and give them an opportunity to block -- or "opt out" of -- having their data shared with other companies for marketing purposes.

The law expressly allows states to set tougher standards on both data security and consumer privacy. More than 20 states have enacted data security laws, but only one state has put a stricter consumer privacy law on the books.

In 2002, California passed a law prohibiting financial services companies from sharing customer information with other firms unless the customer gave permission by "opting in." (Courts overturned another provision in the law that allowed people to block financial services companies from sharing their information with an affiliate.)

The financial services industry has long wanted to establish the Gramm-Leach-Bliley privacy rules as a national standard that states could not go beyond, as well as to simplify the wording that the law mandates for annual privacy notices. Both companies and consumers say the notices are confusing and complicated.

"If Gramm-Leach-Bliley is opened as part of the data security debate, you bet I'd go after section 507," which invites states to set tighter rules on both data security and consumer privacy, said L. Richard Fisher, a partner in the law firm Morrison & Foerster LLP.

"If Gramm-Leach-Bliley is opened, everything is on the table. …