Rules: The Fair Credit Reporting Act (FCRA) relates to the protection of consumer credit information by credit reporting agencies (CRAs) and other businesses that handle credit information. FCRA outlines significant responsibilities for CRAs and other covered business entities. A company becomes a covered entity under FCRA when it “procures and uses information when granting credit, furnishes and transmits information by reporting information to CRA or other third parties, or markets credit or insurance product.”[1] FCRA also mentions that, “Given the preponderance of electronically available information and the growth of identity theft, financial institutions should manage the risks associated with obtaining and using consumer reports.”[1]
The Gramm-Leach-Bliley Act (GLBA) was introduced in 1999 to protect consumer privacy when data is shared between financial institutions and their affiliates. Under GLBA, financial institutions can share nonpublic personal information with affiliates, but they must first provide a notice to the customers, without an option to opt out. For disclosing nonpublic personal information to a third party, however, financial institutions have to provide an option to opt out. (15 USC § 6802)
The Federal Trade Commission has issued the Safeguards Rule, which will apply to financial institutions that fall under the FTC’s jurisdiction and asks these institutions to develop a comprehensive written information security program, one that responds to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the consumer data it handles. The Safeguards Rule also requires designation of an employee or employees to coordinate the company’s information security program, which can encourage the introduction of a chief privacy officer position at organizations that do not have one. (16 C.F.R. § 314)
Analysis: Fast Funds is providing consumer information to salespeople in the financial services industry for suggestions on whether it is most beneficial for a consumer to take a loan against their stock account, a personal loan or a home equity line of credit. In order to generate the suggestion, the company has to access the consumer credit report. When the company furnishes the consumer credit report to transmit it to its clients, the company becomes a covered entity under FCRA.
The company has to save the data that is acquired from credit reporting agencies.
The company is obligated to assess the risks associated with obtaining consumer reports and manage the data to the best of its abilities. Consumer credit reports consist of personally identifiable information (PII). PII for the company includes social security number, name, date of birth, address, driver's license number, etc. The company should have adequate cybersecurity infrastructure to deal with the storage of the data and its transmission through the app. As required by the FTC in the Safeguards Rule, the company should develop a written information security program outlining what the information security plan of the company is and how we handle sensitive consumer data like social security numbers, other PII and financial information.
The information we gather for the client consists of consumer information on their stock holdings, personal loans, mortgages, home equity, and other personal information. Apart from its intended use for the app, having a rich source of information like this can be of monetary value to the company. Following proper legal requirements, we can sell the information to a third party or utilize the data to create another application that can be leveraged as a revenue source.