Privacy Rights Clearinghouse
- Companies that must safeguard your financial information.
- What companies must do to protect your financial information.
- Security only goes so far. Are you protected?
- What you can do to protect your information.
It takes more than money to open a bank account, buy a car, or even have someone prepare your tax return. In exchange for these and other financial services, you must hand over a great deal of personal information. To the identity thief, your information is more valuable than your money. When you do business with any company, you have good reason to ask what that company is doing to safeguard your information. Above all, you want to make sure you are not one of the millions who fall victim to identity theft each year.1
In this guide we tell you how financial companies must safeguard your personal information, the types of companies that must follow security procedures, and what you can do to protect yourself.
The federal Gramm-Leach-Bliley Act, or GLB, (15 U.S.C. §§ 6801-6809) gives you some minimal rights to protect your financial privacy. (For more on GLB and your privacy, see PRC Fact Sheet 24, Protecting Financial Privacy in the New Millennium: The Burden Is on You, www.privacyrights.org/fs/fs24-finpriv.htm.)
GLB also requires financial institutions to adopt procedures to safeguard your personal information. This requirement is called the Safeguards Rule. Another section of GLB creates civil as well as criminal penalties when someone uses false pretenses to get your personal financial information, a practice called "pretexting."
Privacy and security go hand in hand. You have probably heard these terms used frequently, but are still not clear what they mean. Think of it this way: Privacy is your right to control how your personal information is collected and used. Security is the obligation of the company that collects and uses your information to make sure the information is safe against unauthorized access and uses. As we point out in Fact Sheet 24 on the privacy provisions of GLB, your rights are limited. Unfortunately, the same is true of financial institutions’ security obligations under GLB.
Does GLB cover banks?
Yes, and much more. The GLB privacy and security provisions apply to "financial institutions," which GLB defines by reference to the financial activities listed in the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)). The FTC's rules apply to any institution that is "significantly engaged" in such activities.
Obviously, banks and other companies such as credit unions and thrifts that are engaged in activities like accepting deposits meet the definition of "financial institution." Financial institutions involved in banking are regulated by one of four federal agencies.2 These agencies are collectively called the "banking agencies." (For more information on the banking agencies and the types of activities each agency regulates, see the References section of this guide.)
In addition to the banking agencies, the GLB privacy and security requirements also apply to companies under the jurisdiction of the Securities and Exchange Commission (SEC), www.sec.gov, and the Commodity Futures Trading Commission (CFTC), www.cftc.gov. Still others fall under the jurisdiction of the Federal Trade Commission (FTC), www.ftc.gov.3
Some of the companies that qualify as “financial institutions” covered by the FTC are:
- Debt collectors.
- Retailers that extend credit by issuing credit cards to consumers.
- Personal property or real estate appraisers.
- Check cashing businesses.
- Mortgage brokers.
- Non-depository lenders.
- Consumer reporting agencies.
- Tax return preparers.
For other companies that come under the jurisdiction of the FTC, see Financial Institutions and Customer Data: Complying with the Safeguards Rule, http://business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule 
Because the term "financial institution" potentially includes a wide array of companies, it is not surprising that lawsuits quickly followed GLB's effective date. Early on, the FTC took the position that attorneys could in some circumstances be subject to GLB. The American Bar Association, among others, challenged this interpretation in court, and the issue was decided in favor of attorneys. http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=4&id=2657
In another important court battle over GLB, TransUnion, one of the three big national credit bureaus, sued the FTC and the banking agencies over the government’s interpretation of “financial institution.” TransUnion claimed it was not covered by GLB. However, the U.S. Court of Appeals for the District of Columbia ruled against the credit bureau. www.ftc.gov/opa/2002/07/tuglbappeal.htm 
Do insurance companies have to safeguard my information?
Yes. Insurance companies are considered "financial institutions" under GLB. Because the insurance industry is primarily regulated by the states, the GLB privacy regulations on notice and opt-out for insurers were published by the states. Many states followed the model privacy regulation adopted by the National Association of Insurance Commissioners (NAIC), www.naic.org. Other states adopted their own version of the GLB privacy rules.
The NAIC has also adopted a model rule for carrying out GLB's data safeguarding requirements, www.securitymanagement.com/library/NAIC_standards0603.pdf. To find out whether your state has adopted a GLB security rule for insurance companies, connect with your state insurance commissioner through the NAIC's web site, www.naic.org.
Do I lose security protections when my information is shared?
It depends. The FTC’s Safeguards Rule requires financial institutions to take steps to ensure that affiliates and service providers also safeguard customer data. The rule also requires financial institutions that receive customer data from another financial institution to safeguard information. But, the Safeguards Rule does not apply if the recipient of your information is neither a financial institution nor an affiliate or service provider.
Even the security provisions that apply to service providers have their limitations. Your financial institution may, for example, hire another company to send out mail, print account statements, provide accounting services, or perform any number of other functions. A company that provides these services directly to your financial institution is a "service provider" and must comply with the security requirements.
However, that service provider may in turn employ an independent contractor or yet another company to perform some task that involves access to your personal information. In that case, the Safeguards Rule's service-provider requirements reach only the service provider that contracts directly with the financial institution you do business with, not the subcontractor further down the chain.
Is my information safe when a financial institution sends data offshore?
Many people are asking this same question. The practice of outsourcing creates unique risks to data privacy and security. Since the GLB privacy and security provisions took effect, outsourcing has exploded as a public policy issue. This is particularly true of financial services and health care functions covered by the Health Insurance Portability and Accountability Act (HIPAA). (For more on health privacy and HIPAA, see PRC Fact Sheet 8a, HIPAA Basics, www.privacyrights.org/fs/fs8a-hipaa.htm .)
A June 2004 study by the Federal Deposit Insurance Corporation (FDIC), www.fdic.gov, examines the history of offshore outsourcing (often called "offshoring") and makes a number of recommendations for improved protection of customer data. Significantly, the study recommends that financial institutions become more involved in third-party contracting arrangements. The study also suggests changes in the law. To learn more about the FDIC study or read the entire report, see Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks, www.fdic.gov/regulations/examinations/offshore/index.html.
In short, whether your data is covered by security protections at all depends on several different factors. The key to whether you have any data security protection is whether you meet the definition of “customer.” For more on what “customer” means, see section 4 below.
Is GLB the only federal law that covers personal data?
No. The federal Fair Credit Reporting Act (FCRA) governs personal information included in consumer reports. (15 U.S.C. §1681 et seq.) The main “security” feature of the FCRA is that the law limits access to certain “permissible purposes,” such as credit, employment, insurance underwriting, and rental history. Many companies covered by the FCRA may also be “financial institutions” under GLB.
Amendments were made to the FCRA by the Fair and Accurate Credit Transactions Act of 2003 (FACTA), (Pub. Law 108-159). The FCRA, as amended by FACTA, can be found at www.ftc.gov/os/statutes/031224fcra.pdf .
As a safeguard against identity theft, FACTA includes an important section that requires proper disposal of personal data, such as shredding. Consumer and privacy advocates have long argued that strict disposal standards are essential to combat the growing trend in identity theft. This FACTA provision is a formal acknowledgement by Congress that information security is a cooperative effort, and that consumers can only do so much to protect personal information.
Consumer reporting agencies, and those who obtain consumer reports for credit, employment, insurance, rental history, or other "permissible purposes," must dispose of sensitive data in a structured way. The FACTA provisions add to the existing requirement for proper data disposal in the GLB Safeguards Rule and in the guidelines for financial institutions published by the banking agencies. Like the GLB security requirements, FACTA does not mandate specific disposal procedures.4
Generally, companies are left on their own to develop security programs that are appropriate to their individual size and operations. The federal agencies determined flexibility was necessary because of the many different kinds and sizes of companies that would have to comply.
In the end, security under GLB translates to “guidelines” rather than strict rules for compliance. There are some things a financial institution must do. For example, financial institutions are required to:
- Develop a written security plan.
- Designate responsible employees.
- Assess risks to customer data.
- Test and monitor safeguards.
Other than these requirements, security procedures are generally left up to the financial institution. The FTC identified three areas as important to security: (1) employee management and training; (2) information systems; and (3) managing system failures. The FTC’s Safeguards Rule goes on to suggest steps a company might take to secure information.
For more on the FTC’s suggested security steps, see Financial Institutions and Customer Data: Complying with the Safeguards Rule, http://business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule 
Does the Safeguards Rule apply only to computer data?
No. The rule applies to all “customer information” “whether in paper, electronic, or other form that is handled or maintained by” a financial institution or its affiliates. (16 CFR 314.2)
Can I get a copy of my financial institution’s written security plan?
Very unlikely. Most companies would consider this proprietary or confidential commercial data. Public disclosure of a company's security plan could actually jeopardize data security. Many companies include general statements about security in the annual privacy notice you receive under the privacy provisions of GLB. However, these notices will not give you a detailed description of a company’s data security plan.
Does the Safeguards Rule always apply when I supply personal information?
No. The rule only applies to “customers” of a financial institution. You are a “customer” if you have an “ongoing” relationship with the company. Supplying personal information alone is not enough to make you a customer.
For example, you may cash a check or make an ATM withdrawal at a bank where you do not have an account. To complete the transaction, you will probably have to supply your account number, your personal identification number (PIN), and possibly even your driver's license number or other identifying information.
It makes no difference whether these transactions are a one-time event or you cash your checks at the same place every week. If you do not have an ongoing relationship with the company that cashes your checks – meaning you don’t have an established account – you are what GLB calls a “consumer. ” But you are not a “customer” whose data is covered by the security requirements.
Am I a “customer” or “consumer” of my former financial institution?
“Once a customer, always a customer” does not apply when it comes to data security. If your account is closed, you no longer have an “ongoing” relationship. This makes you a consumer.
I am a small business owner. Does the security rule apply to my account?
No. GLB applies only to financial products or services obtained for "personal, family, or household use." Commercial uses are not covered, even for a sole proprietor, where the lines between personal and business data are often blurred.
For more on the distinction between “consumer” and “customer,” see the FTC publication, How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act, http://business.ftc.gov/documents/bus67-how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act 
Pretexting is gaining access to your personal information through false pretenses. It is a form of what security professionals call "social engineering": the attacker relies on deception rather than on breaking into a computer system. Another person may want your personal financial information for any number of reasons. Here are just some of the ways your information could be used against you:
- Your bank account could be depleted.
- Your information could be sold to a shady data broker.
- The information could be used by an identity thief.
- The information could be used against you in court or for an investigation.
GLB includes a specific section that prohibits fraudulent access to your financial information, www.ftc.gov/privacy/glbact/glbsub2.htm. The pretexting section applies if someone calls you and tricks you into giving personal information, or calls someone else, such as your bank, and does the same. It also applies if someone uses a forged or stolen document to get your information. (15 U.S.C., Subchapter II, Sec. 6821-6827)
The law provides civil as well as criminal penalties for anyone who uses false pretenses to get your personal financial information.
Am I at risk for pretexting?
No one is immune. However, there are certain life situations in which you could be more vulnerable than others to pretexting. Here are just a few questions you can ask to assess your risk level:
- Am I a public figure such as a politician or entertainer?
- Am I a spokesperson for a highly controversial public policy issue?
- Do I have considerable personal wealth?
- Am I engaged in a high-stakes court battle or a nasty divorce where significant sums of money and/or child custody are involved?
- Have I taken a public stand against the government?
- Am I an executive or researcher of a company in a highly competitive environment, one that is involved in developing cutting-edge products or services?
If you’ve answered “yes” to any of these scenarios, you could be vulnerable to pretexting, where your financial account information is unwittingly made available to a clever imposter.
What can I do to protect myself against pretexting?
The FTC publication, Pretexting: Your Personal Information Revealed, http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure, describes pretexting and offers tips on how to protect yourself. These pointers apply not just to preventing pretexting; they are good practices for your own personal privacy and security efforts as well. See also Part 6 of this guide for additional tips to protect your information.
Following is the FTC’s advice:
- Don't give out personal information on the phone, through the mail, or over the Internet unless you've initiated the contact or know whom you're dealing with. Pretexters may pose as representatives of survey firms, banks, Internet service providers, and even government agencies to get you to reveal your SSN, mother's maiden name, financial account numbers, and other identifying information. Legitimate organizations with which you do business already have the information they need and will not ask you for it.
- Be informed. Ask your financial institutions for their policies about sharing your information. Ask them specifically about their policies to prevent pretexting.
- Pay attention to your statement cycles. Follow up with your financial institutions if your statements don't arrive on time.
- Review your statements carefully and promptly. Report any discrepancies to your institution immediately in writing.
- Alert family members to the dangers of pretexting. Explain that only you, or someone you authorize, should provide personal information to others.
- Keep items with personal information in a safe place. Tear or shred your charge receipts, copies of credit applications, insurance forms, bank checks and other financial statements that you're discarding, expired charge cards and credit offers you get in the mail.
- Add passwords to your credit card, bank, and phone accounts. Avoid using easily available information like your mother's maiden name, your birth date, the last four digits of your SSN or your phone number, or a series of consecutive numbers.
- Be mindful about where you leave personal information in your home, especially if you have roommates or are having work done in your home by others.
- Find out who has access to your personal information at work and verify that the records are kept in a secure location.
- Order a copy of your credit report from each of the three major credit reporting agencies every year and check it for accuracy. (See PRC Fact Sheet 6 for information on ordering your credit report, www.privacyrights.org/fs/fs6-crdt.htm .)
Do any other laws protect me against pretexting?
Yes, the FCRA includes a section that covers pretexting when someone uses false pretenses to get information about you from a consumer reporting agency. FCRA §619 makes pretexting a crime and calls for up to two years in prison for anyone convicted.
Another FCRA provision, §620, allows up to two years in prison for any officer or employee of a consumer reporting agency who “knowingly and willfully” provides information from your consumer files to anyone who is not authorized to receive it.
Privacy and security of personal data are often beyond your ability to control. You must nearly always give up some bit of personal information to conduct even the most routine financial transaction. Once you provide your data, its security is outside your control. But, there are some steps you can take to optimize the chances your data will be safe.
- Tip 1. Educate yourself. Know what data is required for a certain transaction and set limits accordingly. For example, a check cashing company may ask for your phone number, but you should question the need to supply your Social Security number.
- Tip 2. Recognize your "status" with the financial institution. Are you a "customer" with a continuing relationship, or a "consumer" with no data security protections?
- Tip 3. If you want to optimize your security protections, cash checks or use ATMs with institutions where you are a customer and have an ongoing relationship.
- Tip 5. Keep up with the news. Just because a financial institution has a single publicized instance of a security breach does not mean it’s a bad company. An important indicator is what that company does to help its customers after a reported breach. For example, does the company offer to provide free credit monitoring services to limit the threat of identity theft?
- Tip 6. Read privacy notices carefully, and exercise any opportunity to opt-out. This is not only important to protect your privacy, but opting out also gives you a measure of control over the security of your information. As we said before, the Safeguards Rule does not cover recipients of customer information that are not also financial institutions or affiliates or service providers of your financial institution.
- Tip 7. Always keep in mind, there is no blanket protection for either privacy or data security. Guard your personal data like you would your money. Remember, your personal information may be more valuable than your money, especially to an identity thief.
- Tip 8. Never provide personal data in response to an unsolicited e-mail. Many identity thieves send e-mails that appear to come from a financial institution, such as a bank. This ruse is called "phishing." The return e-mail address or linked web site may look like it belongs to a legitimate company. But keep in mind, legitimate businesses do not ask for personal information via e-mail unless you make the first contact. For more on phishing, see PRC Scam Alert: Watch Out for "Phishing" Emails Attempting to Capture Your Personal Information, www.privacyrights.org/ar/phishing.htm.
- Tip 9. If you think a financial institution has violated GLB privacy or security requirements, complain to the appropriate federal agency or to your state insurance commissioner. (The contact information for federal agencies is under Part 7, References, below.) GLB does not give you the right to sue, although a state law may allow you to file a lawsuit yourself. The federal agencies are charged with enforcing the GLB provisions, and a main source of the agencies' knowledge about abuses is public complaints. If you believe your information has been obtained through false pretenses, contact the FTC. That agency has tips on protecting yourself against pretexting, http://www.consumer.ftc.gov/articles/0272-how-keep-your-personal-information-secure.
For additional advice on ways to protect your sensitive personal information, read PRC Fact Sheet 17, Coping with Identity Theft: Reducing the Risk of Fraud, www.privacyrights.org/fs/fs17-it.htm .
References
Federal Laws
- GLB (Disclosure of Nonpublic Personal Information – Privacy and Security), 15 U.S.C., Subchapter I, Sec. 6801-6809
- GLB (Fraudulent Access to Financial Information – Pretexting), 15 U.S.C., Subchapter II, Sec. 6821-6827
- The Fair Credit Reporting Act, as amended by FACTA, 15 U.S.C. §1681 et seq.
Federal Agencies’ Security Rules and Guidelines
- Interagency Guidelines Establishing Standards for Safeguarding Customer Information, issued February 1, 2001, jointly by the Office of the Comptroller of the Currency (OCC), Federal Reserve Board (Board), Office of Thrift Supervision (OTS), and Federal Deposit Insurance Corporation (FDIC) (66 Federal Register 8615)
- National Credit Union Administration (NCUA), Guidelines for Safeguarding Member Information, issued January 30, 2001 (66 Federal Register 8152)
- Securities and Exchange Commission (SEC), Procedures to Safeguard Customer Records and Information, 17 CFR 248.30
- Commodity Futures Trading Commission (CFTC), Procedures to Safeguard Customer Records and Information, 17 CFR 160.30
NOTE: For information about GLB security regulations for insurance companies, link to state insurance commissioners through the web site for the National Association of Insurance Commissioners, www.naic.org .
Federal Agency Contact and Consumer Complaints Information
- Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, DC 20580
Telephone: (202) 326-2222
Complaint form is available via the FTC home page.
- Office of the Comptroller of the Currency
U.S. Department of Treasury
Customer Assistance Group
1301 McKinney Street
Houston, TX 77010
Telephone: (800) 613-6743
Web: www.occ.treas.gov 
- Federal Deposit Insurance Corporation
550 17th Street NW
Washington, DC 20429-9990
Telephone: (202) 736-0000
Web: www.fdic.gov 
- Board of Governors of the Federal Reserve
Division of Consumer and Community Affairs
20th and C Streets, NW, Stop 801
Washington, DC 20551
Telephone: (202) 452-3693
Web: www.federalreserve.gov/pubs/complaints 
- National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Telephone: (703) 518-6300
Web: www.ncua.gov 
- Securities and Exchange Commission Complaint Center
450 Fifth Street, NW
Washington, D.C. 20549-0213
Fax complaint to (202) 942-9634.
Web: www.sec.gov/complaint.shtml 
- Commodity Futures Trading Commission
Three Lafayette Centre
1155 21st Street, NW
Washington, DC 20581
Telephone: (202) 418-5000
Fax: (202) 418-5521
Web: www.cftc.gov 
FTC and Other Government Publications
- Financial Institutions and Customer Data: Complying with the Safeguards Rule
- Pretexting: Your Personal Information Revealed
- Information Compromise and the Risk of Identity Theft: Guidance for Your Business
- FDIC Study, Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
- Federal Financial Institutions Examination Council (FFIEC) Information Security Handbook
Privacy Rights Clearinghouse Fact Sheets
- Fact Sheet 24: Protecting Financial Privacy in the New Millennium: The Burden Is on You
- Fact Sheet 24a: Financial Privacy: How to Read Your "Opt-Out" Notices
- Fact Sheet 24d: Frequently Asked Questions about Financial Privacy
- Fact Sheet 17: Coping with Identity Theft: Reducing the Risk of Fraud
- Fact Sheet 6a: FACTA, the Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some
1 Javelin Strategy & Research estimates that 13.1 million Americans were victims of identity fraud in 2013. http://money.cnn.com/2014/02/06/pf/identity-fraud/ 
2 The banking agencies are: Office of the Comptroller of the Currency (www.occ.treas.gov); Federal Reserve Board (www.federalreserve.gov); Federal Deposit Insurance Corporation (www.fdic.gov); and National Credit Union Administration (www.ncua.gov).
3 All of the federal agencies involved have adopted similar versions of the GLB data security rules, usually referred to as a "safeguards rule" or guidelines. For links to these agency regulations, see the References section.
4 To read the comments submitted to the FTC and the banking agencies by the PRC and other consumer organizations about the FACTA disposal rule, see: www.privacyrights.org/ar/FTC-DocDisposal.htm, www.privacyrights.org/ar/NCUADocDisposal.htm, www.privacyrights.org/ar/FDIC-DocDisposal.htm.
The Privacy Rights Clearinghouse developed this guide with funding from
the Rose Foundation Consumer Privacy Rights Fund.