Privacy and Data Security Risks in Cloud Computing

Posted on February 5, 2010 by Hunton & Williams LLP

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

Tags: , , , , , , , , , , , , , , ,

Agencies Issue Final Gramm-Leach-Bliley Act Model Privacy Notice

Posted on November 17, 2009 by Hunton & Williams LLP

Today, eight federal financial regulatory agencies issued a final Gramm-Leach-Bliley Act ("GLBA") model privacy notice.  The final model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  The GLBA requires, in relevant part, that financial institutions provide consumers with information regarding their collection and sharing of nonpublic personal information.  Financial institutions that adopt the final model notice will be deemed in compliance with the GLBA notice requirements.  The final model notice is the result of the agencies' consumer research and testing.  It is touted as succinct, easy to use and consumer friendly. The final model notice will take effect 30 days after publication in the Federal Register. Publication is anticipated shortly.

Issuance of this model notice follows the enactment, in October 2006, of the Financial Services Regulatory Relief Act (“Relief Act”).  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model privacy notice that incorporates all of GLBA-mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy notice.  The final model privacy notice is substantially similar to the proposed model with certain revisions based on comments submitted to the agencies and consumer testing.

For further information regarding the final model privacy notice please refer to our earlier post.
Tags: , , , , , ,

Agencies Expected to Publish Final Gramm-Leach-Bliley Act Model Privacy Notice

Posted on October 21, 2009 by Hunton & Williams LLP

The federal financial services agencies are expected to shortly announce a proposed-final Gramm-Leach-Bliley Act (“GLBA”) model form privacy notice.  The model notice incorporates financial institutions' required disclosures pursuant to Section 503 of the GLBA.  Financial institutions that use the form to provide notice to consumers will be deemed in compliance with the privacy notice provisions of the GLBA.  Once adopted and published in the Federal Register, the financial services agencies' final model notice will take effect in 30 days.

The GLBA requires, in relevant part, that financial institutions provide consumers with notice of their privacy policies and practices.  The privacy notice must describe a financial institution's disclosure of nonpublic personal information to affiliated and nonaffiliated third parties.  In addition, the notice must also give consumers a reasonable opportunity to opt out of certain sharing with nonaffiliated third parties.

In October 2006, the Financial Services Regulatory Relief Act (“Relief Act”) was enacted.  Section 728 of the Relief Act directs the federal financial services agencies to jointly develop a model form privacy notice that incorporates all of GLBA mandated disclosures to consumers.  Section 728 also provides a safe harbor.  Financial services institutions that elect to use the model form will be deemed in compliance with the GLBA notice requirements.  In response to the Relief Act requirements, on March 29, 2007, the financial services agencies published a proposed model privacy form.  The final model privacy form is substantially similar to the proposed model form with certain revisions based on comments submitted to the agencies and consumer testing.

The final model form privacy notice addresses the legal requirements of GLBA and is designed to facilitate consumer comprehension.  In terms of content, it is two pages in length, but may be printed on a single sheet of paper.  The first page is organized in five parts: (i) the title, (ii) an introductory section, (iii) a disclosure table describing the types of sharing by financial institutions and, if appropriate, whether a consumer can limit or opt out of sharing, (iv) a mechanism to limit sharing for opt out purposes, and (v) the financial institution’s customer service contact information.  The second page contains supplemental explanatory information in frequently asked question format, as well as definitions of relevant terms.  The content set forth in the model form must remain unchanged for financial institutions to rely on the safe harbor.

The financial services agencies' announcement of the final model privacy notice is anticipated in the near future although a draft of the final rule has been circulated.
Tags: , , , , , ,

Obama Proposes New Agency to Regulate Consumer Financial Privacy

Posted on July 2, 2009 by Hunton & Williams LLP

On June 30, 2009, the Obama Administration sent legislation to Congress that would create a new Consumer Financial Protection Agency ("CFPA").  Working with state regulators, the new agency would assume authority for the privacy provisions of the Gramm-Leach-Bliley Act, and would have the power to write rules and impose penalties pursuant to a variety of existing statutes, including the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act.  To date, these powers have been shared among all financial services regulators, including the Federal Trade Commission ("FTC").  Under the proposal, the FTC would retain primary responsibility for preventing fraud and encouraging security in the financial markets. 

While some regulatory authority for financial products and services protections would flow from the FTC to the CFPA, the FTC would have increased powers to issue rules related to unfair and deceptive practices, and an enhanced ability to issue civil monetary penalties.  The proposal also includes expanded FTC authority over the banking sector with respect to data security.  While the legislation proposes transferring staff from certain financial services regulators, there would be no transfer of staff from the FTC.  Accordingly, the FTC may have more resources to pursue other consumer protection issues, including privacy in non-financial markets.

The Administration's full report on its financial reform plan can be viewed here.

Tags: , , , , , , , ,