USA: GLBA and Vendor Privacy Contracts
1. Governing Texts
The Gramm–Leach–Bliley Act ('GLBA') is enforced primarily by the Federal Trade Commission ('FTC'), federal banking agencies, and other federal regulatory authorities. In addition, state insurance oversight agencies have enforcement powers.
The privacy-related rules in the GLBA outline measures that govern the collection, disclosure, and protection of consumers' non-public personal information, or personally identifiable information ('PII'). These protections are detailed in the Financial Privacy Rule (Privacy of consumer financial information), 16 CFR Part 313 ('the Financial Privacy Rule'), the Standards for Safeguarding Customer Information ('the Safeguards Rule') (implementing § 501 and 505(b)(2) of the GLBA), and 15 U.S. Code SUBCHAPTER II—Fraudulent Access to Financial Information ('the Pretexting Provisions'). As part of GLBA compliance, the federal financial regulatory agencies are obliged to issue standards governing the administrative, technical, and physical safeguards of customer records and information by financial institutions.
1.2. Regulatory authority guidance
The FTC has issued the following guidance:
- Financial Institutions and Customer Information: Complying with the Safeguards Rule; and
- Vendor Security.
The Federal Deposit Insurance Corporation has issued the following guidance:
- Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ('the Response Guidance'); and
- Interagency Guidelines Establishing Information Security Standards ('the Security Guidelines').
The Board of Governors of the Federal Reserve has issued the following guidance:
- Small-Entity Compliance Guide ('the Guide').
In addition, the FTC has proposed amendments to the Safeguards Rule ('the Proposed Changes'). The Proposed Changes include more detailed requirements for what should be included in the comprehensive information security program. For example, the proposal generally would require financial institutions to encrypt all customer data, implement access controls to prevent unauthorised users from accessing customer information, and use multifactor authentication to access customer data. The FTC has also proposed improving compliance with these programmes by requiring companies to submit periodic reports to their Board of Directors. The FTC announced a virtual workshop where it sought input on the Proposed Changes and subsequently extended the comment period to August 2020. The FTC has not issued any further updates regarding the Proposed Changes; however, they are expected later this year.
1.3. Regulatory authority templates
Data controller: There is no definition of 'data controller' in the GLBA. However, a 'financial institution' means any institution the business of which is engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956 (§ 509(3)(A) of the GLBA).
Data processor: There is no definition of 'data processor' in the GLBA. However, a 'service provider' means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to the Safeguards Rule (§314.2(d) of the Safeguards Rule).
3.1. Are there requirements for a contract to be in place between a controller and processor?
Yes, in accordance with § 314.4(d)(2) of the Safeguards Rule, financial institutions must oversee service providers by requiring them, by contract, to implement and maintain such safeguards.
Under the Safeguards Rule, financial institutions must develop, implement, and maintain an information security program. As part of that program, a financial institution must (§ 314.4 of the Safeguards Rule):
- designate an employee or employees to coordinate its information security program;
- identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorised disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of the financial institution's operations, including:
  - employee training and management;
  - information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and
  - detecting, preventing, and responding to attacks, intrusions, or other systems failures; and
- design and implement information safeguards to control the risks identified by the financial institution through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.
3.2. What content should be included?
Under the Security Guidelines, financial institutions must require, by contract, service providers that have access to their customer information to take appropriate measures designed to protect against unauthorised access to or use of customer information that could result in substantial harm or inconvenience to any customer (Section A(I)(C) of Supplement A of the Security Guidelines).
Financial institutions must also require by contract that their service providers implement appropriate measures designed to meet the objectives of the Security Guidelines (Section III(D)(2) of the Security Guidelines).
4.1. Are processors required to assist controllers with handling of data subject requests?
The GLBA does not contain specific references to service provider obligations around data subject rights handling and assistance.
5.1. Are processors required to keep records of their processing activities?
The GLBA does not contain specific references to service provider recordkeeping requirements.
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
Under § 314.4(d)(1) of the Safeguards Rule, financial institutions must oversee service providers by taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue.
In addition, financial institutions must require their service providers by contract to (Section III(4)(D) of the Security Guidelines):
- implement appropriate measures designed to protect against unauthorised access to or use of customer information maintained by the service provider that could result in substantial harm or inconvenience to any customer; and
- properly dispose of customer information.
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
According to the Security Guidelines, each financial institution should be able to address incidents of unauthorised access to customer information in customer information systems maintained by its domestic and foreign service providers. Therefore, an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorised access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program (Section II of Supplement A of the Security Guidelines).
According to the Response Guidance, when an incident of unauthorised access to sensitive customer information involves customer information systems maintained by an institution's service provider, it is the financial institution's responsibility to notify its customers and regulator. However, an institution may authorise or contract with its service provider to notify the institution's customers or regulator on its behalf.
8.1. Are subprocessors regulated? If so, what obligations are imposed?
Yes, the GLBA imposes obligations with respect to disclosures of non-public personal information to non-affiliated third parties unless a financial institution has provided the consumer a notice that complies with § 503 of the GLBA (§502(a) of the GLBA).
For more information see our USA - GLBA Guidance Note.
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
The GLBA does not contain specific references to cross-border data transfer and localisation.
10.1. Are processors required to assist controllers with regulatory investigations?
The GLBA does not expressly provide for requirements around assisting financial institutions with regulatory investigations.
11.1. Are processors required to appoint a DPO / representative?
The GLBA does not expressly provide for requirements around the appointment of a data protection officer or representative.
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
Yes, under § 314.4(c), financial institutions must design and implement information safeguards to control the risks they identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.
Furthermore, under § 314.4(e) of the Safeguards Rule, in line with a financial institution's obligation to develop, implement, and maintain its information security program, it is obliged to evaluate and adjust that program in light of the results of the testing and monitoring required by § 314.4(c) of the GLBA; any material changes to its operations or business arrangements; or any other circumstances that it knows or has reason to know may have a material impact on its information security program.
In addition, under the Security Guidelines, an institution must, where indicated by its risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required by paragraph D.2. As part of this monitoring, an institution should review audits, summaries of test results, or other equivalent evaluations of its service providers (Section III(D.3) of the Security Guidelines).
Finally, according to the Guide, the reports of test results may contain proprietary information about the service provider's systems or they may include non-public personal information about customers of another financial institution. Under certain circumstances it may be appropriate for service providers to redact confidential and sensitive information from audit reports or test results before giving the institution a copy. Where this is the case, an institution should make sure that the information is sufficient for it to conduct an accurate review, that all material deficiencies have been or are being corrected, and that the reports or test results are timely and relevant.
The institution should include reviews of its service providers in its written information security program.
Authored by OneTrust DataGuidance