Current Privacy Issues That May Affect Your Credit Union
Presented By: Christopher J. Pippett, Esquire; Ashley L. Beach, Esquire
Pennsylvania Credit Union Association Webinar, July 13, 2016
Privacy Basics
12 C.F.R. Part 716, adopted by the National Credit Union Administration (“NCUA”) in May 2000 to implement the Gramm-Leach-Bliley Act (the “GLBA”).
Notice of privacy policies and “opt-out” of the disclosure of a consumer’s nonpublic personal information (“NPI”). This requirement exists whether or not a credit union shares nonpublic personal information.
Annual notice may now be online.
Follow redisclosure limitations on NPI received from a nonaffiliated financial institution.
NPI
Any information not publicly available that:
A consumer provides to a credit union to obtain a financial product or service;
Results from a transaction between the consumer and the credit union; or
A credit union otherwise obtains about a consumer in connection with providing a financial product or service.
NPI
Phone numbers, addresses, social security numbers, income, credit score, cookies collected by internet collection devices, email addresses.
New technology means new NPI.
Lists
Even information that is publicly available might be NPI if it is part of a list that associates that information with NPI – ex. the fact that a consumer is a member of a credit union.
Be aware of lists compiled and maintained electronically.
Non-Affiliated Third Party
Any person except a credit union’s affiliate or a person employed jointly by a credit union and a non-affiliate.
“Affiliate” – a company that controls, is controlled by, or is under common control with the credit union.
Example: a credit union service organization that is 67 percent owned by the credit union.
Opt Out Right
Reasonable opportunity:
Circumstantial; NCUA example is 30 days.
Reasonable means:
Check-off boxes
Reply form
Toll free telephone number
Writing a letter is not reasonable.
Exceptions to Opt Out Requirement
Credit unions do not need to comply with the opt out if they limit disclosure of NPI:
To nonaffiliated third parties who are performing services for the credit union, including marketing. Must provide notice to consumers; contract must specify joint service. Additional exceptions may apply.
As necessary to effect, administer, or enforce a transaction requested by a consumer.
Specified disclosures to protect against fraud, to attorneys, auditors, or for other legal requirements.
Notice Basics
Member v. consumer
Initial notices
Annual notices (covered by recent update)
Clear and conspicuous
Delivery rules
Consumer v. Member
Consumer – an individual who obtained a financial product from the credit union for personal, family, or household purposes.
Member – has a continuing relationship with a credit union under which the credit union provides one or more financial products for personal, family, or household purposes.
Notice Content
Categories of information collected
Categories of information disclosed
Categories of affiliates and non-affiliates
Policies on former member NPI
Information disclosed to service providers
Explanation and opt out method
Opt out notices under the Fair Credit Reporting Act
Policies for protecting information and the security of information
Statement of disclosures to non-affiliated parties
Annual Notice
“FAST” Act amends GLBA; NCUA issues new guidelines limiting annual notice requirements.
No new privacy notice if:
No change to policies and practices since last notice; and
NPI only shared in accordance with existing GLBA exceptions.
Applicable Exceptions
Performing services for, or functions on behalf of, the credit union, pursuant to a joint marketing agreement;
Administering, servicing, or processing a transaction a consumer requests or authorizes; maintaining or servicing certain consumer accounts; or performing securitizations, secondary market sales, or similar transactions; or
Other specified operational and legal purposes, including disclosure with the consumer’s consent or at the consumer’s direction and disclosure to protect the confidentiality and security of records related to the consumer, service, product, or transaction.
Internal Controls
Identify and continue to update information sharing practices.
Review and update information sharing agreements.
Ensure complaint logs and telemarketing scripts.
Categorize types of NPI collected by the credit union.
Review consumer complaints relating to NPI.
Responding to Inquiries
Preparation
Considerations
Other requests (proper and improper)
Internal Controls – employee handling of information
Responding to Inquiries (Cont’d.)
Location of documents
Key personnel
Litigation hold letter
Policies for document retention and maintenance
Responding to Inquiries (Cont’d.)
Identify the source: proper v. improper
Contact counsel
Consider the target
Potential conflicts
Consider whether NPI is implicated
Not all inquiries are exceptions under GLBA
Vendor Issues – Due Diligence
Background check
Experience
Business model
Consider new technologies
Vendor Issues – Due Diligence (Cont’d.)
Contract Review:
Scope – is NPI implicated?
Compliance with regulatory requirements
Testing of data security programs
Audits of data security programs
Vendor Issues – Insurance
Does the arrangement create additional liabilities?
Does the vendor carry insurance that will cover the credit union?
Does the credit union have sufficient coverage?
Does the vendor have sufficient coverage?
Vendor Issues – Policies
Establishing requirements for all vendors with respect to privacy issues.
Monitoring vendors throughout the relationship.
Reviewing internal technology – is it sufficiently advanced to monitor vendor technology?
Designating key employees.
Christopher J. Pippett, Esquire, 610-458-6703, cpippett@foxrothschild.com
Ashley L. Beach, Esquire, 610-458-6703, abeach@foxrothschild.com