CONSUMER ALERT

MIKE COX
 ATTORNEY GENERAL

The Attorney General provides Consumer Alerts to inform the public of unfair, misleading or deceptive business practices, and to provide information and guidance on other issues of concern.

The Attorney General’s office advises consumers to learn about their right to say "no" to the sharing of their personal information by financial institutions. Beginning July 1, 2001, financial institutions are allowed to sell your personal information to unaffiliated companies -- but before they do, they must notify you of their information-sharing practices and give you the opportunity to limit some of the trafficking in your personal information. Do not throw out mail from banks, insurance companies, investment brokers, and other financial institutions until you have reviewed it for financial privacy information. If you do not exercise your right to say "no," these companies may begin selling your personal information to outside companies.

Many financial institutions have voluntarily adopted stricter information sharing policies than the law now requires, but many have not. Only by reading the information you receive, and by asking questions of financial institutions, will you know how your institution uses your personal information and be able to decide whether to take your business elsewhere.

As collecting, slicing, dicing, mixing and manipulating your personal information has become easier and cheaper -- particularly since the use of the Internet has become widespread -- there has been a corresponding increase in the reported cases of identity theft, which occurs when a person uses someone else’s personal information -- for example, your social security number, your credit card, or your driver’s license -- to fraudulently make purchases or obtain credit in your name. Some identity thieves have even generated criminal convictions under an innocent consumer’s name. Identity theft can be a nightmare, but consumers can take steps to reduce their risk of becoming victims by limiting others’ access to their personal information.

In passing the Gramm-Leach-Bliley Act of 1999, Congress repealed long-standing restrictions separating different sectors of the financial services industry. Now, banks, insurance companies and brokerage companies are allowed to merge or become corporate affiliates and to share consumers' personal information. (For example, a brokerage house or bank can now share information about a consumer's transactions with an affiliated insurance company.)

First, the good news: The new federal financial privacy rules require financial institutions to:

Consumers have an opportunity to inform and protect themselves. By being vigilant -- and active -- consumers can stop the flow of some personal information between corporate databases and nonaffiliated, outside companies, such as information brokers, telemarketers, and junk mailers.

Now, the bad news: While Congress and other federal agencies have given consumers limited ability to protect the privacy of their financial information, the sad fact is that much of the information that financial institutions gather about their customers is not covered by these rules.

Financial institutions generally don’t have to offer consumers the right to prevent "publicly available" information about them from being sold to other parties, or to prevent the sharing of even nonpublic personal information with "affiliates" of the financial institution. (An exception, however, is the sharing of non-transactional information, such as "creditworthiness" information, among affiliates under the federal Fair Credit Reporting Act -- this information should be included in the notices you receive.)

The cost of preventing the sale or other transfer of nonpublic personal financial information to outside companies rests squarely on the consumers’ shoulders -- consumers must spend the time and effort to learn what rights they have, to determine how to exercise those rights, and then to invest the additional time and effort completing the opt-out process.

Attorney General Granholm, along with other state attorneys general, strongly recommended tougher privacy regulations than the ones now in place. The future may yet bring better privacy protections for consumers.

Under the Gramm-Leach-Bliley Act and rules established by the Federal Trade Commission and other federal agencies, financial institutions have an obligation to give their customers notice about the use of their personal information and a limited opportunity to block some information sharing.

1. Which "financial institutions" are covered by these laws?

According to the Federal Trade Commission, a "financial institution" includes banks, insurance companies, and investment businesses, as well as any other business "significantly engaged" in financial activities. "Financial institutions" may include:

2. What Notice is Required?

Institutions must supply consumers with an initial privacy statement. Consumers who have a continuing relationship with a financial institution are entitled to additional statements on a yearly basis. The notice should include:

• An explanation of the consumers’ right to opt out of disclosures to nonaffiliated third parties and how consumers may exercise their right;
• Categories of personal information the financial institution collects;
• Categories of personal information the financial institution discloses;
• Categories of affiliates and nonaffiliated third parties to whom the financial institution discloses the information;
• An explanation regarding disclosures of nonpublic personal information about former customers by the financial institution;
• A description of the financial institution’s disclosures to nonaffiliated parties that fall within certain exceptions to the consumers’ right to opt out;
• An explanation of consumers’ ability to opt out of disclosures of certain types of information among affiliates under the federal Fair Credit Reporting Act (FCRA);
• A statement of the financial institution’s confidentiality and security policies and practices regarding nonpublic personal information.

3. How does the opt-out notice work?

The opt-out notice is separate from the privacy statement. It must contain certain information and must be clear. Specifically, the opt-out notice must:

• State that the institution will disclose, or reserves the right to disclose, nonpublic personal information about you to outside companies, if this is the institution’s policy;
• Tell consumers that they have a right to opt out of such information sharing;
• Provide consumers with a reasonable means for opting out

4. What is "nonpublic personal information?"

The new rules give consumers only a limited right to block sharing of certain information. Consumers have no right to block sharing of information that is "publicly available" which means:

5. What is an "affiliated company?"

Generally, affiliated companies are individual companies that belong to the same corporate family.  For example, an insurance company and a bank that are under the control of a third (parent) company would be affiliates, as would the parent company. Thus, neither the bank nor the insurance company would be required to permit you to opt-out of data sharing with the other company under the FTC’s rules.

Under the Fair Credit Reporting Act, however, consumers have a limited ability to opt out of some information sharing between affiliates involving non-transactional information, including information about:

• Your alleged creditworthiness, credit capacity, and credit standing
• Your alleged character
• Your alleged general reputation
• Your alleged personal information
• Your alleged "mode of living"

Unfortunately, at this time, the Fair Credit Reporting Act does not give consumers the right to prevent affiliates from sharing "transaction and experience" information about a consumer. Such transactional information can include a wide variety of data many consumers would consider very personal, such as credit card charges a consumer makes and checks a consumer writes.