Privacy Laws -- GLB
Are the Privacy Standards different for Commercial Transactions
This is one of those questions that is outside of our agency agreement, nor does it directly affect the risks underwritten by WFG. Your internal practices, procedures, and how your company should best comply with this law are ultimately a questions to be decided by your management in consultation with your own counsel. On the other hand, we want our agents be fully compliant with the law that apply to them.
We’re, of course, are not your lawyers, and this should NOT be interpretted as “my underwriter said I MUST” – because how best to comply with the duties imposed on your agency by law is something your management and your own lawyers should be deciding. But in the spirit of supporting our agents, we are willing to share some of the advice given internally at WFG and the analysis on which it is based. At WFG, we apply the same standards and protections to commercial transactions as are required of consumer transactions – even though it is arguable that a slightly different standard applies. That’s both the “safe” answer, the one that is easiest to implement and which avoids confusing discussions over whether a given transaction is a consumer transaction or not (think loan against the Family farm with the farm house) and frankly it most closely matches what our customers (commercial and consumer) expect of us – that we will protect their information.
Here’s the analysis of the law:
The overarching privacy obligations under the Gramm Leach Bliley Act 15 USC 6801 run to a “customer”, not the narrower definition of “consumer” (which is a defined term under GLB 15 USC 6809(9) as “primarily for personal, family, or household purposes.”) Here’s the basic duty to protect information in GLB.
(a) Privacy Obligation Policy.--It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information. (b) Financial Institutions Safeguards.--In furtherance of the policy in subsection (a), each agency or authority described in section 505(a) shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards-- (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
It gets confused in that the very next section 15 USC 6802 starts to reference the duties to a “Consumer” and requires the delivery of the privacy notice and the opt out language to “consumers”. Then the broad exception for sharing information “as necessary to effect“ the requested transaction also speaks to a “consumer.”
(e) General Exceptions.--Subsections (a) and (b) shall not prohibit the disclosure of nonpublic personal information-- (1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with-- (A) servicing or processing a financial product or service requested or authorized by the consumer;
You will find further clarification of this exception in the definitions at 15 USC 6809(7), which expressly permits sharing limited information with brokers
(i) providing the consumer or the consumer's agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product;
This definition also gives express approval for sharing information with your insurers.
You will find that this distinction also appears as less than clear guidance on the FTC website
There are also a number of state privacy laws that can also come into play and which can add sometimes surprising definitions to what constitutes NPI and should be protected.
I know this is a rather long answer to a short question. But provides some background on our thoughts that you and your management should discuss with your own counsel.