Title V of the Gramm-Leach-Bliley Act and the regulations that implement it (collectively, "Title V") will affect virtually every aspect of your company's operations. In fact, the federal regulators made compliance with Title V voluntary until July 1, 2001 because they recognized that "six months may be insufficient . . . for a financial institution to have ensured that its forms, systems, and procedures comply with" Title V. Insurance companies and agencies must be certain that they also are in compliance with any applicable state privacy laws and regulations. Prudent executives will not squander the additional time, but rather will begin building a comprehensive Privacy Program now. We recommend the following ten steps to get your company started:

Step One: Obtain the Strong Support of Your Company's Senior Management. Privacy compliance is a high-stakes game. The risks of non-compliance include not only regulatory penalties, but also the possibility of consumer litigation and reputational damage. Conversely, a carefully conceived privacy policy and a solid compliance program may not only produce regulatory rewards, but also may enhance your company's image in the community as an institution that treats its customers and their personal information with respect. With so much at stake, obtaining the strong support of the Board of Directors is vital.

Step Two: Establish a Privacy Team. Because state and federal privacy requirements involve virtually every aspect of your operations, we recommend a "Privacy Team" approach. In addition to your company's chief compliance officer, the Privacy Team should consist of one or more members of senior management, as well as representatives from your company’s legal, information services, underwriting, claims, marketing and communications departments.

Step Three: Develop a Realistic Budget. Developing a Privacy Program will require the investment of significant monetary and human resources. How much will depend upon a number of factors, such as the size of your company, the structure of your existing privacy program, if any, your company's goals with respect to privacy compliance, and whether your Privacy Team has the time and expertise to develop the Privacy Program alone or will hire outside consultants to help.

Step Four: Conduct a Privacy Audit. Understanding your company's existing information sharing practices is critical to the development of a workable Privacy Program. Conducting an initial assessment is an essential step in gaining this understanding. Among the issues that should be addressed in the privacy audit are: (1) the types of information that your company collects from consumers; (2) the persons within your company who have access to consumer information; (3) the types of consumer information that your company shares with affiliates and nonaffiliates; (4) the types of nonaffiliates with which your company shares consumer information; and (5) the purpose(s) for which your company shares or receives consumer information.

When conducting a privacy audit, you should assume nothing; there may be departments or branches within your company with information sharing practices that are inconsistent with what other departments and branches are doing. Companies which recently have merged with or acquired other institutions should be especially alert for inconsistent information sharing practices.

Step Five: Develop a Formal Privacy Policy. Once you understand your company’s current information sharing practices, you must decide whether and how to modify them. This step involves not only an analysis of applicable legal requirements, but also an analysis of your company’s marketing goals and corporate culture. Among the questions that you should ask and answer before committing to a formal privacy policy are: What privacy protections do your existing and target customer base want your company to provide? What policy "fits" with your company’s corporate culture? Is the proposed policy feasible from a technological, marketing, and compliance standpoint? How much will it cost to implement the new policy?

Step Six: Document Your Company's Privacy Policy. Once you have decided what your company's privacy policy will be, you must develop forms pursuant to which that policy, and any required opt-out notices, will be communicated to the public. These forms should not only satisfy applicable legal requirements, but also should be consistent with your company's marketing strategy.

Step Seven: Train Your Employees and Affiliates. Your company's Privacy Program will work only if it is understood and followed by your company's employees and affiliates. Accordingly, before communicating the privacy policy to the public, you should conduct comprehensive employee and affiliate privacy training.

Step Eight: Develop and Test Systems and Procedures to Deliver Notices and Honor Consumer Elections. You must develop processes and systems to deliver required notices and to receive, process and honor consumer opt-outs and authorizations. For example, if a consumer exercises his or her right to "opt out" of your company's information sharing practices, you must have procedures in place to prevent future disclosure of that information not only by your company, but also by its affiliates and nonaffiliates to whom that consumer's information may have been disclosed. These procedures must include the ability to "track" a particular consumer, and past, present and prospective disclosures of that consumer's information, throughout all physical and electronic databases held by your company and its affiliates. Your information technology department should be permitted sufficient time to develop and to test the necessary procedures and systems prior to the public roll-out of the Privacy Program.

Step Nine: Review and Amend Third Party Contracts. Title V places certain restrictions on the re-use and re-disclosure of consumer information which is provided pursuant to certain types of service or joint marketing agreements. Each contract that your company has with a third party which involves the disclosure of consumer information should be reviewed and, if appropriate, amended to include applicable limitations on the re-use and re-disclosure of that information by the recipient.

Step Ten: Monitor Compliance on an Ongoing Basis. Because privacy compliance is not a "one time" event, your Privacy Team should not disband after completing its initial tasks. After your company's Privacy Program is in place, the Privacy Team should be responsible for periodic self-audits, for continuing employee and affiliate training, and for reviewing, for compliance, new contracts or other relationships that may involve the sharing of consumer information. The Privacy Team also should keep abreast of new and amended laws that may impact upon your company's Privacy Program.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.