Pub. 14 2019-2020 Issue 6

WWW.NEBANKERS.ORG 30

THE GRAMM-LEACH-BLILEY ACT (GLBA) CONTAINS A SET OF requirements for the data breach of a financial institution. Part of the regulations include [1]:

A. Standard for Providing Notice

When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.

Thus, the bank is under an obligation to conduct an investigation to determine the likelihood of harm due to the breach. If there is a likelihood of harm, notification is required; if there is no likelihood of harm, no notification is required under GLBA.

The question arises, however, where the state statutes may create an obligation of notification to a customer regardless of the likelihood of harm. In such a case, does GLBA supersede state notification requirements? The answer is in this statute [2]:

(a) In general

This subchapter and the amendments made by this subchapter shall not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any State, except to the extent that such statute, regulation, order, or interpretation is inconsistent with the provisions of this subchapter, and then only to the extent of the inconsistency.

(b) Greater protection under State law

For purposes of this section, a State statute, regulation, order, or interpretation is not inconsistent with the provisions of this subchapter if the protection such statute, regulation, order, or interpretation affords any person is greater than the protection provided under this subchapter and the amendments made by this subchapter, as determined by the Bureau of Consumer Financial Protection, after consultation with the agency or authority with jurisdiction under section 6805(a) of this title of either the person that initiated the complaint or that is the subject of the complaint, on its own motion or upon the petition of any interested party.

GLBA and the State Notification Statutes

A bank that suffers a breach must conduct an investigation and form an opinion on the risk related to the possible harm, but the bank must also undertake an analysis as to whether the state breach notification statutes afford more rights. State breach notification statutes may fall under one of four types: statutes which provide a blanket exemption to financial institutions, those which allow for the same or similar "risk of harm" analysis, those which provide for more stringent notification requirements, and those whose definitions of "sensitive" or "personal information" may differ from GLBA.

First, some state statutes completely exempt financial institutions from their notification provisions. States such as Tennessee provide [3]:

(i) The provisions of this section shall not apply to any person who is subject to the provisions of Title V of the Gramm-Leach-Bliley Act.

Such language can completely remove the need to review state notification requirements for a financial institution.

Second, some states allow for a risk of harm analysis similar to GLBA. For instance, Iowa provides [4]:

6. Notwithstanding subsection 1, notification is not required if, after an appropriate investigation or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determined that no reasonable likelihood of financial harm to the consumers whose personal information has been acquired has resulted or will result from the breach.

This language allows the financial institution to provide the same risk of harm analysis for both the state statute and GLBA.

Bob Kardell, Attorney at Baird Holm LLP
