Protect Your Customers AND Consumers
The Interagency Guidelines Establishing Standards for Safeguarding
Customer Information (Guidelines) set forth standards pursuant to
section 39 of the Federal Deposit Insurance Act and sections 501
and 505(b) of the Gramm-Leach-Bliley Act. These guidelines
address standards for developing and implementing administrative,
technical, and physical safeguards to protect the security, confidentiality,
and integrity of “customer” information. On June 8,
2004, the OCC, Board, FDIC and OTS (the Agencies) published a proposal
to amend the Guidelines to require financial institutions to implement
controls designed to ensure the proper disposal of “consumer”
information within the meaning of section 216. Section 216 of the
Fair and Accurate Credit Transactions Act of 2003 (FACT Act) is
designed to protect a consumer against the risks associated with
unauthorized access to information about the consumer contained
in a consumer report. It requires each of the Agencies to adopt
a regulation with respect to the entities that are subject to its
enforcement authority, requiring any person that maintains or otherwise
possesses consumer information to properly dispose of any such information.
To implement section 216 of the FACT Act, the Agencies are adopting
amendments to the Guidelines that require each financial institution
to develop and maintain, as part of its information security program,
appropriate controls designed to ensure that the institution properly
disposes of “consumer information.” The Agencies have
incorporated this new requirement into the Guidelines by: (1) Adding
a definition of “consumer information,” including illustrations
of the information covered by the new term; (2) adding an objective
regarding the proper disposal of customer information and consumer
information; and (3) adding a provision that requires a financial
institution to implement appropriate measures to properly dispose
of customer information in accordance with each of the requirements.
The final rule requires each financial institution to implement
the appropriate measures to properly dispose of “consumer
information” by July 1, 2005.
Under the final rule, financial institutions must make adjustments
to their information security programs to properly dispose of “consumer
information” that is not already protected as “customer
information.” The “consumer information” protected
by the Disposal Rule is defined as “any record about an individual,
whether in paper, electronic, or other form, that is a consumer
report or is derived from a consumer report.” This would include
information from credit reports about a financial institution’s
employee or about a consumer whose application for a product or
service is denied.
The Disposal Rule does overlap somewhat with the FTC’s “Safeguards
Rule” that applies to financial institutions pursuant to the
Gramm-Leach-Bliley Act (“GLBA”), but the two rules are
largely intended to cover different sets of entities. It is sufficient
to be aware that the definitions of “customer information”
protected by the Safeguards Rule and “consumer information”
protected by the Disposal Rule are not identical. Two examples of
the differing scopes are offered by the FTC: (1) a consumer rejected
for a loan from a financial institution because of information in
her credit report is not considered a “customer” under
the GLBA so the Safeguards Rule would not apply to disposal of her
credit report, but her credit report would be “consumer information”
covered by the Disposal Rule; and (2) credit reports obtained by
employers about current or prospective employees are not “customer
information” under the GLBA but are “consumer information”
covered by the Disposal Rule.
Contact Nichols, Cauley & Associates by email, phone, or online form with your questions.
Site visitors should keep in mind
that the content is generally designed to be of general applicability.
Particular state laws, regulations and special contractual provisions
can greatly impact rights, responsibilities and legal obligations.
Only a competent attorney, accountant or other professional looking
at all the pertinent facts and circumstances of a particular situation
can provide definitive guidance for you. Please refer to our important
legal disclaimer which can be accessed from the bottom of any BankAudit.net
webpage.