Gramm-Leach-Bliley Act

Auto Dealer Monthly offers a brief look at one of the many compliance issues auto dealers must contend with, the Gramm-Leach-Bliley Act. Please note, this is not legal advice and dealers should always seek the assistance of qualified legal counsel.

Jennifer Murphy Bloodworth・Senior Assistant Editor

Read Jennifer's Posts

November 5, 2010

3 min to read

“The Financial Modernization Act of 1999, also known as the ‘Gramm-Leach-Bliley Act’ or GLB Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.” [1]

Penalties for non-compliance: Civil penalties of up to $10,000 per violation for officers and directors personally liable, and for the financial institution liable, penalties of up to $100,000 per violation. Criminal penalties include imprisonment for up to five years and fines. [2]

Helpful link(s)/Source(s):
1. http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
2. http://www.liveoffice.com/regulations/gramm-leach-bliley.asp

A. Financial Privacy Rule
As a principal part of the Gramm-Leach-Bliley (GLB) Act, the Financial Privacy Rule (or Privacy Rule) revolves around protecting the privacy of consumer information and sets the standards for privacy notices, opt-out notices, and how nonpublic personal information can be used or disclosed. [1]

“The Privacy Rule applies to car dealers who:

• Extend credit to someone (for example, through a retail installment contract) in connection with the purchase of a car for personal, family, or household use;
• Arrange for someone to finance or lease a car for personal, family, or household use; or
• Provide financial advice or counseling to individuals.” [2]

Helpful link(s)/Source(s):
1. http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus53.shtm
2. http://www.ftc.gov/bcp/edu/pubs/business/autos/bus64.shtm
3. http://www.liveoffice.com/regulations/gramm-leach-bliley.asp
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus67.shtm
http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_bus.html

B. Safeguards Rule
The Safeguards Rule requires dealers to have a written security plan to protect the confidentiality and integrity of customer and employee data, such as names, Social Security numbers, and credit card or bank account information. As part the written security plan, “each company must:

• designate one or more employees to coordinate its information security program;
• identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
• design and implement a safeguards program, and regularly monitor and test it;
• select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
• evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.” [1]

Helpful link(s)/Source(s):
1. http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus54.shtm
2. http://www.liveoffice.com/regulations/gramm-leach-bliley.asp
http://www.ftc.gov/privacy/privacyinitiatives/safeguards.html

C. Pretexting Provisions
The GLB Act outlines pretexting (“the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information” [1]) provisions and clarifies that it’s illegal to:

• “use false, fictitious or fraudulent statements or documents to get customer information from a financial institution or directly from a customer of a financial institution.
• use forged, counterfeit, lost, or stolen documents to get customer information from a financial institution or directly from a customer of a financial institution.
• ask another person to get someone else’s customer information using false, fictitious or fraudulent statements or using false, fictitious or fraudulent documents or forged, counterfeit, lost, or stolen documents.” [2]

Penalties for non-compliance: Civil penalties of up to $11,000 per violation, as well as criminal penalties. [3]

Helpful link(s)/Source(s):
1. http://www.ftc.gov/privacy/privacyinitiatives/pretexting.html
2. http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre10.shtm
3. http://www.ftc.gov/opa/2001/01/pretexting.shtm

Please note: This is not legal advice and dealers should always seek the assistance of qualified legal counsel.

From "19 Laws, Rules and Regulations That Can Cost You More Than Money" in the September 2010 issue of Auto Dealer Monthly.