Summary of Gramm-Leach-Bliley Act
Also known as the Financial Services Modernization Act of 1999.
Following the Apple Pay announcement, Visa and MasterCard announced that they were developing a “token” payment security framework to support Apple’s payment system. Financial companies that receive personal data in connection with processing transactions, including through online and mobile payment systems, are subject to the provisions of the Gramm-Leach-Bliley Act of 1999 (the “GLBA”) (15 U.S.C. §§ 6801, et seq.), which imposes numerous obligations on financial institutions with respect to their use of such data. The act also applies to companies that provide personal financial services, including banks, insurance companies, mortgage brokers and financial advisors.

The GLBA requires that these institutions “protect the security and confidentiality of those customers’ nonpublic personal information,” including any personally identifiable information “(i) provided by a consumer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.” The GLBA requires financial institutions to “insure the security and confidentiality of customer records and information … protect against any anticipated threats or hazards to the security or integrity of such records; and … protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”
The GLBA places restrictions on the use of such information, permitting its use for administrative purposes in connection with the institution’s provision of services, or for law enforcement purposes. The GLBA also imposes notice requirements on a financial institution’s use of nonpublic personal information, including informing consumers of how their information may be used and allowing customers to “opt out” of having such information shared with unaffiliated third parties. Similarly, financial institutions are required to notify customers of their policies regarding the protection and disclosure of nonpublic personal information.