Banks Face Unique Liability For Data Breaches Under The Gramm-Leach-Bliley Act

With the recently alleged data breach of Equifax, the data security of financial institutions’ customer information is once again in the news. And once again, as with every data breach, a flurry of lawsuits has followed. The purpose of this article is to highlight one area of legal exposure with data breaches that applies only to financial institutions.

Section 6285 of the Gramm-Leach-Bliley Act (“GLBA”) provides that the various agencies charged with the regulation of financial institutions “shall prescribe such revisions to such regulations and guidelines as may be necessary to ensure that such financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information.” 15 U.S.C. § 6821. The enforcement authority of this section is granted to the Federal Trade Commission (“FTC”) for non-banking financial institutions, and the regular host of agencies for banks and credit unions. 15 U.S.C. § 6822.

The FTC requires institutions it regulates to “develop, implement, and maintain a comprehensive information security program,” the goal of which is to “(1) Ensure the security and confidentiality of customer information; (2) Protect against any anticipated threats or hazards to the security or integrity of such information; and (3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.” See 16 C.F.R. § 314.3.

In order to effect these steps, covered institutions are required to (1) designate an employee to coordinate the implementation of the security program; (2) perform risk assessment in the areas of employee training, information technology, and detecting and responding to attacks; (3) design and implement safeguards to protect against these identified risks; (4) oversee and monitor vendors to ensure they also take steps to protect customer information, and include contractor requirements that they do so; and (5) continue to test these programs to identify risks as they emerge. See 16 C.F.R. § 314.3.

Similarly, for banking institutions, the Federal Reserve, Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision have issued their Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. This guidance implements, in greater detail, the same priorities as the FTC program. In addition, this guidance requires that a covered bank have a response program in place in the event of a data breach that includes notifying appropriate regulators, taking steps to control the breach, and notifying consumers of the breach. 12 C.F.R. § Pt. 225, App. F.

These rules, which were implemented in the early 2000’s, have never had a greater effect than today. While beforehand, government agencies were generally content to only prosecute the perpetrators of data breaches, that is no longer the case. Regulators now have put emphasis on investigating and penalizing the victims of data breaches with multi-million dollar fines for “allowing” data breaches to happen due to allegedly insufficient data security policies. The FTC, for example, has a webpage for the sole purpose of trumpeting the fines it has imposed on companies where private customer information has been stolen. See https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises.

Similarly, plaintiff’s lawyers have also taken note of these regulations. The prevalent view is that “[n]o private right of action exists for an alleged violation of the GLBA.” Dunmire v. Morgan Stanley DW, Inc., 475 F.3d 956, 960 (8th Cir. 2007); 15 U.S.C. § 6822. Accordingly, the class action bar has recently sought to tie alleged failures to comply with data breach regulations to violations of state laws regulating “unfair or deceptive” acts by businesses. Similarly, plaintiffs also have alleged that a breach of these regulations constitutes negligence per se. While no reported case has yet upheld these allegations as viable claims, the claims themselves, coupled with the alleged breach of a detailed scheme by the government, has no doubt raised the cost of settlement of these lawsuits.

Unfortunately, the risk of theft of private customer information is only going to increase as time goes on. Accordingly, now is the time for any lender, big or small, to review its policies and procedures regarding information security to ensure it is complying with the Gramm-Leach-Bliley Act. A failure to do so may compound the damage caused by the data breach with the cost of defending a costly investigation or lawsuit.

For more information regarding the Gramm-Leach-Bliley Act’s data security rules, please contact Bernard J. Kornberg at bjk@severson.com or 415-677-5548.

© 2018, Severson & Werson. All rights reserved.