GLBA Compliance Considerations in Technology Transactions

By Rob Scott
Scott & Scott

I am a technology attorney representing financial institutions in transactions with service providers. The Gramm-Leach-Bliley (GLB) Act is a federal law that requires financial institutions to take steps to ensure the security and confidentiality of customer data. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) requires financial institutions under its jurisdiction to safeguard customer records and information. This requirement is known as the Safeguards Rule.

The Safeguards Rule applies to organizations that are significantly engaged in providing financial products or services to consumers, including check-cashing businesses, data processors, mortgage brokers, nonbank lenders, personal property or real estate appraisers, and retailers that issue credit cards to consumers.

According to the Safeguards Rule, financial institutions must develop a written information security plan that describes their program to protect customer information. All programs must be appropriate to the financial institution’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue. Covered financial institutions must, among other things, select appropriate service providers and require them (by contract) to implement the safeguards.

From a transactional perspective, the Safeguards Rule requires due diligence to ensure that all service providers are “appropriate.” Once a service provider has been selected, appropriate contract language must be added in order to be in compliance with the Act.

Pursuant to Section 501(b) of GLBA, financial regulators have published the Interagency Guidelines for Establishing Information Security Standards and have established audit protocols to gauge compliance during routine audits.

Service Provider Definition

Under the regulations, a service provider is any party that is permitted access to a financial institution’s customer information through the provision of services directly to the institution. Examples of service providers include a person or corporation that tests computer systems or processes customers’ transactions on the institution’s behalf, document-shredding firms, transactional Internet banking service providers, and computer network management firms.

Overseeing Service Providers

The Security Guidelines establish specific requirements that apply to a financial institution’s contracts with service providers. An institution must:

  • Exercise appropriate due diligence in selecting its service providers;
  • Require its service providers by contract to implement appropriate measures designed to meet the objectives of the Security Guidelines; and
  • Where indicated by its risk assessment, monitor its service providers to confirm that they have satisfied their obligations under the contract described above.

Sample Language for Monitoring and Oversight

Here is the language I like to use to make sure that the financial institution is in compliance with the requirement to oversee the service provider.

Use of Subcontractors. Vendor may use subcontractors in connection with this agreement provided that Vendor’s use of subcontractors is in compliance with the requirements set forth in Section 501(b) of GLBA. Upon request, Vendor must certify that its vendors and subcontractors are in compliance with GLBA.

Oversight. Upon request, Vendor shall provide BANK with copies of audits, summaries of test results, or equivalent evaluations to confirm that Vendor is in compliance with its obligations under GLBA.

Requiring Service Providers to Implement Appropriate Security Measures

The contract provisions in the Security Guidelines apply to all of a financial institution’s service providers. After exercising due diligence in selecting a company, the institution must enter into and enforce a contract with the company that requires it to implement appropriate measures designed to implement the objectives of the Security Guidelines.

In particular, financial institutions must require their service providers by contract to:

  • Implement appropriate measures designed to protect against unauthorized access to or use of customer information maintained by the service provider that could result in substantial harm or inconvenience to any customer; and
  • Properly dispose of customer information.

Sample Language for Safeguards Rule

I use this language to make sure that the service provider is contractually bound to implement appropriate measures.

Compliance With Laws. Vendor represents and warrants that the Services will be performed consistent with all applicable laws, rules and regulations, and that it will promptly re-perform at its expense any Services that fail to meet that standard. Vendor acknowledges that BANK is subject to the GLB Act, Title V (“GLBA”), and that Vendor is considered a service provider under GLBA. During the term of this agreement, Vendor shall have adequate administrative, technical, and physical safeguards designed to protect against unauthorized access to or use of customer information maintained by it or its subcontractors or vendors that could result in substantial harm or inconvenience to BANK or any customer, as set forth in GLBA, to (i) ensure the security and confidentiality of such BANK Data; (ii) help protect against any anticipated or reasonably likely threats or hazards to the security or integrity of such BANK Data; (iii) help protect against unauthorized access to or use of such BANK Data; and (iv) ensure the proper disposal of BANK Data.

Incident Response Rule

In addition, the Incident Response Guidance requires a service provider to take appropriate actions to address incidents of unauthorized access to the financial institution’s customer information, including notification to the institution as soon as possible following any such incident.

Sample Language for Incident Response

Here is the sample language I like to use for the incident response rule.

Incident Response. Vendor will take appropriate actions to address incidents of unauthorized access to BANK’s customer information, including notifying BANK as soon as possible following any such incident.

When representing financial institutions in transactions with service providers, it is critically important to understand the regulatory framework and how it impacts the transaction. I rarely see vendor contracts that comply with these regulations. Failure to comply with the GLBA Safeguards Rule and the contracting requirements for service providers can result in adverse audit findings by regulators and potentially increase liability for privacy and security claims for damages.

Greater Emphasis on Corporate Compliance Programs

The announcement by the Department of Justice Fraud Section that it hired Hui Chen, a lawyer with previous experience as a federal prosecutor and in international corporate compliance, as a full-time Foreign Corrupt Practices Act compliance expert shows that compliance should be high on corporate agendas for 2016, writes Sarah C. Baskin in the Corporate Compliance and White Collar Advisor, published by Jackson Lewis.

“The DOJ’s move will likely lead to even greater and closer scrutiny of compliance programs. The first step employers should take in responding to this change is to conduct a prompt and thorough review of their compliance programs, starting with their Code of Conduct, their internal controls, monitoring, hotline, management of investigations and reporting protocols to law enforcement,” Baskin writes.

The article lists the key elements of a good compliance program.

Read the article.

Akerman Adds CFPB Regulatory and Enforcement Lawyers

Akerman LLP has announced the expansion of the firm’s Consumer Financial Services Practice Group with two senior lawyers joining from the Consumer Financial Protection Bureau, partners Thomas Kearney and Mary (Molly) Calkins. They join the firm’s Washington, D.C., office, working in federal and state compliance as well as operational support capabilities.

“Tom and Molly bring a tremendous combination of experience in financial rulemaking and enforcement, with a thorough understanding of the compliance challenges resulting from CFPB actions,” said William Heller, chair of Akerman’s Consumer Financial Services Practice Group. “They build upon our team’s extensive experience in the home loan space, adding a deep understanding of evolving federal and state laws governing bank and non-bank consumer debt originators and servicers.”

Kearney joins Akerman from the CFPB’s Office of Regulations, where he played a key role in the development and drafting of multiple mortgage-origination-related rulemakings. He most recently led the team responsible for the final Home Mortgage Disclosure Act rule. Kearney also drafted substantial portions of the CFPB’s Truth in Lending Act — Real Estate Settlement Procedures Act Integrated Disclosure (Know Before You Owe) rule and the Ability-to-Repay and Qualified Mortgage rules. He handled outreach, guidance and training on various CFPB efforts under Dodd-Frank, in addition to providing guidance to Congress, federal agencies, and other CFPB offices on legal and regulatory issues arising under HMDA, RESPA and TILA. Prior to the CFPB, Kearney worked for several years as in-house counsel for a provider of mortgage compliance services to national banks, securitizers, non-depository mortgage lenders and other financial services companies.

Calkins joins Akerman from the CFPB’s Division of Supervision, Enforcement & Fair Lending, where she led investigations into a broad array of potential consumer protection violations. Her enforcement matters involved fair lending, auto finance, mortgage lending and servicing, credit cards and bank deposit products, credit reporting, student loans, and debt collection. As a founding member of the Bureau, Calkins also coordinated CFPB investigations with state attorneys general and other federal regulators such as the Federal Deposit Insurance Corporation, Federal Trade Commission, and Office of the Comptroller of the Currency.

Prior to her work at the CFPB, Calkins was counsel at the FDIC’s Professional Liability & Financial Crimes Section, where she investigated and litigated claims arising from bank failures, reviewed mortgage loan files, analyzed claims for loan putbacks, and ascertained potential liability of bankers as well as third-party vendors and service providers. Calkins is an experienced financial services litigator, covering the Equal Credit Opportunity Act, Fair Credit Reporting Act, Fair Debt Collection Practices Act, Real Estate Settlement Procedures Act, Truth in Lending Act, Truth in Savings Act, Unfair, Deceptive or Abusive Acts or Practices and Dodd-Frank Act issues.

Insurance Partially Covers Merck’s $830 Million Vioxx Settlement

U.S. drugmaker Merck & Co. on Friday said it would pay $830 million to settle a federal class action lawsuit involving allegations the company failed to adequately inform investors about heart risks from its now-recalled Vioxx pain medication, according to a report on the Business Insurance website.

“The drug was approved by U.S. regulators in 1999 as a new type of treatment for pain and quickly became a blockbuster product, ultimately used by an estimated 20 million Americans,” according to a Reuters report. “But the company in 2004 recalled Vioxx from the market after a colon-polyp prevention study showed it more than doubled the risk of heart attacks or stroke after 18 months of use.”

The company’s cash payment for the settlement and fees will be about $680 million after reimbursement from insurance policies, Merck said.

Read the article.




The Disturbing Legal Consequences Of Ted Cruz Birtherism

There is good evidence that the founding fathers would have understood the words “natural born citizen” to mean only people born within a nation’s borders, but there’s also strong evidence on the other side of the debate, according to an article published by ThinkProgress.

Harvard University Law Professor Laurence Tribe, for example, wrote in a newspaper op-ed piece that “the constitutional definition of a ‘natural born citizen’ is completely unsettled,” and then he claims that, under the method of constitutional interpretation Cruz preferred when he was Tribe’s student, Cruz “wouldn’t be eligible, because the legal principles that prevailed in the 1780s and ’90s required that someone actually be born on US soil to be a ‘natural born’ citizen.”

But two former U.S. solicitors general cite the Naturalization Act of 1790, which states that children born outside of the country, but with parents who are U.S. citizens, are natural born citizens themselves.

Read the article.

Hillary Clinton’s Coming Legal Crisis

The latest release of Hillary Clinton emails entails real risks for her, according to a report published by RealClear Politics.

“True, Democratic voters have shown little interest, and the mainstream media only a bit more,” the article says. “Their focus, when they do look, is on the number of documents now considered classified, their foreign-policy revelations, and the political damage they might cause. These are vital issues, but Clinton faces a far bigger problem. She and her closest aides could be indicted criminally.”

RealClear Politics says the FBI reportedly has assigned 100 agents full time to the investigation and another 50 temporarily.

Read the article.

10 U.S. Sailors Detained By Iran Freed

Secretary of State John Kerry credited diplomatic strength and newly developed ties with Iran in helping secure the quick and safe release of 10 American sailors Wednesday, reports CNN.

“These are always situations as everybody here knows which have an ability, if not properly guided, to get out of control,” Kerry said in a speech at the National Defense University. “I’m appreciative for the quick and appropriate response of the Iranian authorities.”

The sailors were released Wednesday to the American naval fleet in the Persian Gulf after being captured by the Iranian Revolutionary Guard Tuesday, the network reports.

Read the article.




Is Ted Cruz, Born in Canada, Eligible for the Presidency?

U.S. Sen. Ted Cruz’s foreign birth is raising questions — most notably from Republican rival Donald Trump — about whether Cruz is eligible for the presidency under the Constitution.

“Two prominent lawyers who served as U.S. solicitor general, one under President Obama and the other under President George W. Bush, said the history of the Constitution and the first naturalization law resolved any doubts,” reports The Los Angeles Times.

The report adds that Cruz could expect legal challenges, but those lawsuits probably would gain little traction in the courts.

Read the report.

Obama’s Gun Control Actions Open Legal Can of Worms

President Obama’s executive action to expand gun sale background checks has opened up a legal can of worms, specifically the president’s bid to broaden the definition of who’s a dealer — and therefore must get a license and conduct background checks, reports Fox News.

“Under current federal law passed by Congress, only federally licensed dealers must conduct background checks on buyers. The law does not specify whether this applies to online sales and other areas — so those selling or trading guns on websites or in informal settings such as flea markets often don’t register,” the report says.

It adds that questions of interpretation of the executive action may have to be settled by the courts.

Read the report.

Caution by Company Officers Can Create Problems for Boards

The pursuit of legitimate corporate strategic goals is increasingly running into the concerns of corporate officers who see themselves at greater personal legal risk if there are ever allegations of corporate misconduct, writes Michael W. Peregrine, a partner at the law firm McDermott Will & Emery, in an article in The New York Times.

He writes that new enforcement policies from the Justice Department and Securities and Exchange Commission regarding individual culpability of corporate officials contributed to this tendency.

He outlines some proposals that “should help reduce the anxiety of gatekeepers and other management team members concerning their personal liability exposure. In so doing, these steps may remove unnecessary barriers to the use of corporate strategies.”

Read the article.




Bankler Report: Congressional Tax Bill

Will you or your law firm practice be affected by this week’s compromise by Congressional leaders regarding taxes and deductions if it becomes law (which is currently anticipated)?

Accountant Steven Bankler has outlined which “Extenders,” both for business and individuals, are being made permanent, and also which “Extenders” are being extended through 2016 and which are extended through 2019.

In an analysis published on his website, he has outlined how those extenders apply to businesses and to individuals.

Read the report.

Whitewater, Two Decades Later: Lessons Learned as the Sole Investigative Accountant

Certified Forensic Accountant Steven Bankler takes a look back at his tenure as an expert witness for a congressional committee investigating President Bill Clinton’s investment in Whitewater Development Corporation.

In a report published on his website, he explains that he was the U.S. Senate’s investigative accountant for the Special Committee to Investigate Whitewater Development Corporation and Related Matters, administered by the Committee on Banking, Housing, and Urban Affairs.

“One could say that the Whitewater investigation presented a ‘trial by fire’ test of my Daubert prowess, since the standard was still in its infancy,” he wrote. “These days, 20 years after the standard was first introduced, there is no excuse not to be prepared.”

Read the report.

LifeLock Pays Big to Settle FTC Suit Over Weak Data Security

Identity theft protection firm LifeLock will pay the Federal Trade Commission $100 million to settle charges that it failed to comply with a 2010 federal court order, the FTC said on Thursday.

Fortune reports the FTC claimed that LifeLock violated a judge’s order requiring that it properly safeguard sensitive personal data like Social Security, credit card, and bank account numbers. Additionally, the regulators alleged that LifeLock lied to consumers that it kept consumer data secure in a similar way to how financial institutions lock up data, the magazine reports.

Read the article.

House Reaches Accord on Spending and Tax Cuts

U.S. House of Representatives Republican and Democratic negotiators reached a deal late Tuesday on a $1.1 trillion spending bill and a huge package of tax breaks, reports The New York Times.

“Legislative drafters, racing a midnight deadline, met the time limit for issuing the tax package but apparently missed it for the spending bill. That could push back a vote on the House floor by one day, until Friday,” according to the report.

“Since the Republicans took back control of the House in 2011, a majority in the party has routinely opposed compromise budget and spending measures, forcing party leaders to rely on Democrats for votes to clear the bills. All signs indicate that the same dynamic is playing out now.”

Read the report.




HIPAA Compliance Quiz for Lawyers

Legal Workspace has produced a free online test to help corporate executives and counsel determine whether their firms are in compliance with the Health Insurance Portability and Accountability Act.

The click-through quiz includes topics such as encryption for all email, two-factor authentication for access to computer systems housing healthcare data, business associate agreements with all vendors, intrusion detection systems, electronic protected health information, HIPAA guidelines for off-site data backup providers, and more.

Take the quiz.

The Problem: Renewables’ Intermittent Power Generation

Renewable energy sources are intermittent in nature, depending on when the sun shines and the wind blows. Because of this, suppliers face “ramp up” and “ramp down” issues, writes Thomas R. Burton III of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. in an article published in The National Law Review.

“Energy storage offers a way to harness renewables at their peak supply and deploy them at their peak demand,” he writes.

He cites programs in Massachusetts and California as examples of how government policy can help accelerate adoption.

Read the article.

Brian D. Miller Joins Rogers Joseph O’Donnell

Brian D. Miller has joined the Washington, D.C., office of Rogers Joseph O’Donnell, P.C. (RJO) as a shareholder.

“Brian has a distinguished record of public service,” the firm says in a release. “As Inspector General of the GSA from 2005 until May 2014, Brian was highly regarded for his vigilance in prevention of public waste and corruption. Earlier, Brian held several notable positions at the Department of Justice, including a senior management role at the U.S. Attorney’s Office for the Eastern District of Virginia, Special Counsel on Health Care Fraud/Senior Counsel to the Deputy Attorney General, and as an Assistant U.S. Attorney in the Eastern District. Most recently, Brian was a Managing Director of Navigant Consulting.”

In the last year, the firm says on its website, Miller designed and supervised an internal audit for potential False Claims Act liability, conducted an internal investigation/review, and advised clients regarding government contracts issues and potential disclosures to federal agencies.

Read the announcement.

Obamacare’s Impact on Employment: An Early Look

Dire predictions that the Affordable Care Act would lead to job losses and cuts in employee hours have so far proved to be unfounded, according to a new research paper from Federal Reserve Bank of New York economist Maxim Pinkovskiy and reported on the website of CBS Moneywatch.

According to the CBS report, “The fear was that employers who were newly required to provide health insurance to their workers would opt instead to cut hours or fire employees. But early numbers show that locations with a high percentage of uninsured Americans, such as Texas, ended up experiencing a rise in employment, salaries and output in comparison to areas with less exposure to the health care law, Pinkovskiy noted.”

Part-time work in states where Obamacare had major impact saw “a statistically insignificant decline in their part-time to full-time ratio,” Pinkovskiy wrote.

Read the report.

Site Describes ‘Security Farce’ at Company That Held Clinton’s Emails

A Pennsylvania data backup site that has been revealed to store copies of emails from former Secretary of State Hillary Clinton appears to lack some standard security measures that could protect potentially sensitive communications from Clinton’s time in the U.S. State Department, according to a report in the Daily Mail Online.

The site said the facility is owned by Datto Inc. and was part of the network that stored classified messages from the private email server the Democratic presidential candidate used.

The report described doors without visible security, a lack of security patrols, open dumpsters, and no security fence.

Read the report.

Railroad Legal Issues and Resources

The Transportation Research Board’s National Cooperative Rail Research Program (NCRRP) has published a legal research digest that presents legal issues that attorneys may encounter when representing both freight and passenger railroad owners and operators involved in railroad-related transactions.

Issues explored in the report range from abandonment and discontinuance to constitutional law, construction, contracts, interaction with regulatory agencies, safety, retirement, and numerous other subjects.

The electronic version of the digest includes more than 700 pages of case law presenting detailed summaries of statutes, regulations, cases, and relevant articles as a fundamental resource for use in understanding the background and broad ramifications of railroad-related law reflected in each category.

Download the digest.