Current Privacy Issues That May Affect Your Credit Union


Current Privacy Issues That May Affect Your Credit Union Presented By: Christopher J. Pippett, Esquire Ashley L. Beach, Esquire Pennsylvania Credit Union Association Webinar July 13, 2016

Privacy Basics. 12 C.F.R. Part 716 was adopted by the National Credit Union Administration ("NCUA") in May 2000 to implement the Gramm-Leach-Bliley Act (the "GLBA"). It requires notice of privacy policies and an "opt-out" from the disclosure of a consumer's nonpublic personal information ("NPI"). The notice requirement applies whether or not a credit union actually shares NPI. The annual notice may now be delivered online. A credit union must also follow the redisclosure limitations on NPI it receives from a nonaffiliated financial institution.

NPI. Any information that is not publicly available and that: a consumer provides to a credit union to obtain a financial product or service; results from a transaction between the consumer and the credit union; or a credit union otherwise obtains about a consumer in connection with providing a financial product or service.

NPI (examples). Phone numbers, addresses, Social Security numbers, income, credit score, cookies and similar data collected by internet tracking devices, email addresses. New technology means new NPI. Lists: even information that is publicly available may be NPI if it is part of a list that associates that information with NPI, for example the fact that a consumer is a member of the credit union. Be aware of lists compiled and maintained electronically.

Non-Affiliated Third Party. Any person except a credit union's affiliate or a person employed jointly by the credit union and a non-affiliate. "Affiliate" means a company that controls, is controlled by, or is under common control with the credit union. Example: a credit union service organization that is 67 percent owned by the credit union.

Opt Out Right. Reasonable opportunity: what is reasonable depends on the circumstances; the NCUA example is 30 days. Reasonable means: check-off boxes, a reply form, a toll-free telephone number. Requiring the consumer to write a letter is not a reasonable means.

Exceptions to Opt Out Requirement. Credit unions do not need to comply with the opt out if they limit disclosure of NPI: to nonaffiliated third parties who are performing services for the credit union, including marketing (notice must be provided to consumers, the contract must specify the joint service, and additional exceptions may apply); as necessary to effect, administer, or enforce a transaction requested by a consumer; or for specified disclosures to protect against fraud, to attorneys, to auditors, or to satisfy other legal requirements.

Notice Basics. Member v. consumer; initial notices; annual notices (covered by the recent update); clear and conspicuous; delivery rules.

Consumer v. Member. Consumer: an individual who has obtained a financial product or service from the credit union for personal, family, or household purposes. Member: an individual who has a continuing relationship with the credit union under which the credit union provides one or more financial products or services for personal, family, or household purposes.

Notice Content. Categories of information collected; categories of information disclosed; categories of affiliates and non-affiliates; policies on former members' NPI; information disclosed to service providers; explanation of the opt out and the opt out method; opt out notices under the Fair Credit Reporting Act; policies for protecting the confidentiality and security of information; statement of disclosures to non-affiliated parties.

Annual Notice. The "FAST" Act amends the GLBA, and the NCUA has issued new guidance limiting the annual notice requirement. No new privacy notice is required if: there has been no change to policies and practices since the last notice, and NPI is shared only in accordance with the existing GLBA exceptions.

Applicable Exceptions. Performing services for, or functions on behalf of, the credit union, pursuant to a joint marketing agreement; administering, servicing, or processing a transaction a consumer requests or authorizes, maintaining or servicing certain consumer accounts, or performing securitizations, secondary market sales, or similar transactions; or other specified operational and legal purposes, including disclosure with the consumer's consent or at the consumer's direction and disclosure to protect the confidentiality and security of records related to the consumer, service, product, or transaction.

Internal Controls. Identify, and continue to update, information sharing practices. Review and update information sharing agreements. Maintain complaint logs and telemarketing scripts. Categorize the types of NPI collected by the credit union. Review consumer complaints relating to NPI.

Responding to Inquiries. Preparation; considerations; other requests (proper and improper); internal controls, including employee handling of information.

Responding to Inquiries (Cont'd.). Location of documents; key personnel; litigation hold letter; policies for document retention and maintenance.

Responding to Inquiries (Cont'd.). Identify the source: proper v. improper; contact counsel. Consider the target: potential conflicts; consider whether NPI is implicated. Not all inquiries fall within the GLBA exceptions.

Vendor Issues - Due Diligence. Background check; experience; business model; consider new technologies.

Vendor Issues - Due Diligence (Cont'd.). Contract review: scope (is NPI implicated?); compliance with regulatory requirements; testing of data security programs; audits of data security programs.

Vendor Issues - Insurance Does the arrangement create additional liabilities? Does the vendor carry insurance that will cover the credit union? Does the credit union have sufficient coverage? Does the vendor have sufficient coverage?

Vendor Issues - Policies. Establish requirements for all vendors with respect to privacy issues. Monitor vendors throughout the relationship. Review internal technology: is it sufficiently advanced to monitor vendor technology? Designate key employees.

Christopher J. Pippett, Esquire 610-458-6703 cpippett@foxrothschild.com; Ashley L. Beach, Esquire 610-458-6703 abeach@foxrothschild.com