Cooking Up Compliance: Navigating the Alphabet Soup of Financial Privacy

BakerHostetler

[author: Jimmy Nguyen]

On Tuesday, March 25, members of BakerHostetler’s Digital Assets and Data Management (DADM) Practice Group served up a flavorful presentation, “Cooking Up Compliance: Navigating the Alphabet Soup of Financial Privacy,” as part of DADM’s ongoing webinar series, The Privacy Strategist. Presenters Jonno Forman (New York), Justin Yedor (Los Angeles) and Whitney Schneider-White (Washington, D.C.) gave attendees a peek inside the kitchen to see what goes into a financial privacy compliance program under the Gramm-Leach-Bliley Act (GLBA) and the patchwork of state and federal financial privacy regulations.

Much of the discussion focused on the GLBA, covering both the Privacy Rule and the Safeguards Rule. Like a health inspection sticker in a restaurant’s front window, a GLBA privacy notice must provide clear and conspicuous disclosures about a financial institution’s practices relating to nonpublic personal information (NPI). While chefs can certainly create their own privacy notices, it is important to follow the recipe set by the federal functional regulators (e.g., the Office of the Comptroller of the Currency (OCC), the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC)), which all provide model template notices that offer a safe harbor for compliance with the Privacy Rule’s notice requirements. The Safeguards Rule, meanwhile, outlines requirements for proper information security hygiene. Although the safeguards regulations implemented by the various federal functional regulators differ on the margins, common components include, among other things, regular risk assessments; a written information security program (WISP) that tailors safeguards to the financial institution’s size and complexity; security controls that implement administrative, technical and physical protections to ensure the security, confidentiality and integrity of NPI; a robust incident response program; and the training of employees.

Financial institutions should also be sure to address local flavors under laws like the California Financial Privacy Act (CalFIPA) and Vermont Regulation S-2001-01, which provide consumers in certain states with additional notice and consent rights. The menu may also include state comprehensive consumer privacy laws — such as the California Consumer Privacy Act (CCPA), the Oregon Consumer Privacy Act (OCPA) and the Minnesota Consumer Data Privacy Act (MNCDPA) — that exempt NPI but do not wholly exempt financial institutions.

In sum, the webinar was a gourmet discussion that provided a taste of many aspects of financial privacy compliance. Adhering to these rules continues to be a secret ingredient to help your compliance kitchen avoid ending up on the regulatory chopping block.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler 2025