Friday, July 22, 2022

Nonpublic Personal Information: Lead Generation Minefield

QUESTION

We used a lead generator. We belatedly found out the lead generation company used nonpublic personal information. Our regulator picked up on it in an examination and cited us for violations for every single one of the leads. 

Our CEO fired the lead generator, even though they are big and highly recommended. But now we’re forced to deal with the regulator doing special monitoring as well as the penalties. 

I am an associate in the compliance department. Our Compliance Manager asked me to write you for some advice on how we can go about distinguishing between a customer’s nonpublic personal information and public information. We are revising our policy for lead generators. Your feedback would be really helpful. 

How do we distinguish between nonpublic personal information and public information? 

ANSWER 

Lead generation companies can be a regulatory minefield. Over the years, we have been approached by lead generation companies to offer guidance. Many of these companies do not operate with sufficient regulatory scrutiny. They fly under the radar, grabbing customer information from many obvious and not-so-obvious sources. 

The Gramm-Leach-Bliley Act (GLBA) governs an institution’s disclosure of nonpublic personal information (“NPI”) about consumers. If information is nonpublic personal information, sharing it with nonaffiliated third parties is subject to the GLBA privacy rule and its notice and opt-out requirements. Information that is not nonpublic personal information is not subject to the GLBA and may be used without regard to those restrictions. The whole compliance question therefore turns on the definitions. 

I published an article on this topic a few years ago, entitled The Lead Generation Company: Managing the Risks. Go ahead and download it here. The article offers quite a lot of solid information, including my Four Rules for lead generation marketing. It also provides my Three Concerns about online lead generation companies. I give tips on an institution’s policy and procedures and how to plan for a regulator’s visit. 

Also, request a presentation of our Privacy Tune-up, which evaluates GLBA compliance.

If you use a lead generation company, I suggest you contact a competent compliance professional. There are just too many pitfalls, regulatory traps, and exceedingly high compliance and legal risks to viewing lead generation as a mere marketing matter. 

Let’s start with the concept of Nonpublic Personal Information.[i] The definition has two interlocking prongs: 

·    Personally identifiable financial information, and 

·    Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available. 

Nonpublic personal information does not include publicly available information, except where that information appears on a list of the second kind. 

I will discuss consumer lists momentarily. First, however, let’s review essential terminology. 

The term “personally identifiable financial information” is broadly interpreted.[ii] It includes information: 

·    Provided by a consumer to the institution in order to obtain a financial product or service from the institution; 

·    About a consumer resulting from transactions between the institution and the consumer involving a financial product or service; and 

·    Otherwise obtained about a consumer in connection with a financial product or service. 

For instance, the following information about a consumer is personally identifiable financial information: 

·    Information that a consumer provides on an application to obtain a loan, credit card, insurance, or other financial product or service, including, among other things, medical information; 

·    Account balance information, payment history, overdraft history, and credit or debit card purchase information; 

·    The fact that an individual is or has been a customer or has obtained a financial product or service from the institution, unless that fact is derived using only publicly available information, such as government real estate records or bankruptcy records; 

·    Other information about a consumer if disclosed in a manner that indicates the individual is or has been a customer of the institution (such as a list of consumers who have loans or deposit accounts with the institution); 

·    Any information provided by a consumer or otherwise obtained by the institution or an agent of the institution in connection with collecting on a loan or servicing a loan; 

·    Any information the institution collects through an Internet cookie (an information-collecting device from a web server); and 

·    Information from a consumer report (i.e., a credit report or other report subject to the FCRA). 

In other words, virtually all the information a financial institution has about consumers with whom it does business is personally identifiable financial information under the applicable rule, including the fact that the consumer even conducts business with the institution. 

The only information that is not personally identifiable financial information is information the institution obtains outside a relationship involving a financial product or service, or information that does not identify a consumer at all. For instance, personally identifiable financial information does not include: 

·    A list of names and addresses of customers of an entity that is not a financial institution, such as a magazine subscription list, and 

·    Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers like account numbers, names, or addresses. (An example of this would be something similar to the Home Mortgage Disclosure Act (HMDA) data available to the public. The HMDA list contains a substantial amount of specific information about individual consumer mortgage loans, but it identifies individual loans by random numbers rather than by name, loan number, social security number, and so forth.)

Now, let’s turn to the second prong: consumer lists. As stated above, nonpublic personal information can be either personally identifiable financial information or a consumer list compiled using that information. 

Nonpublic personal information includes any list of individuals’ names and street addresses derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers. Notice that the list itself does not have to contain account numbers. The fact that the list was generated using account numbers (for example, by pulling names and addresses from the account master file) is enough to make the list nonpublic personal information and, therefore, subject to the rule. 

But, nonpublic personal information does not include any list of individuals’ names and addresses that 

(1) contains only publicly available information,

(2) is not created in whole or in part using personally identifiable financial information which is not publicly available, and

(3) is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution. 

Therefore, under the rule, any list of consumer information (such as names, addresses, and telephone numbers) is nonpublic personal information if the list in any way identifies those consumers as customers of the institution, or if the list was derived using personally identifiable financial information that is not publicly available. 

What customer information, then, is general public information? 

This type of information is called Publicly Available Information.[iii] 

Recall that the definition of nonpublic personal information excludes publicly available information. Thus, publicly available information is not subject to the requirements of the regulations. 

Under the rule, publicly available information means any information that an institution has a reasonable basis to believe is lawfully made available to the general public from: 

·    Federal, state, or local government records; 

·    Widely distributed media; or 

·    Disclosures to the general public that are required to be made by Federal, state, or local law. 

There are two components to understanding the implications of using publicly available information: (1) the information must be of a kind that is available to the general public, and (2) the institution must have a reasonable basis to believe it is lawfully made available. Both components must be satisfied. 

Under the general public information rule, publicly available information consists of certain government records, such as information in government real estate records and security interest filings. 

Also, the general public information rule includes publicly available information from widely distributed media, such as from a telephone book, a television or radio program, a newspaper, or a website that is available to the general public on an unrestricted basis. By the way, as long as access is available to the general public, a website is not restricted merely because an Internet service provider or a site operator requires a fee or a password. 

Under the rule for lawfully obtained information, an institution has a reasonable basis to believe that information is lawfully made available to the general public if it has taken steps to determine: 

·    That the information is of the type that is available to the general public (such as a telephone book listing); and 

·    Whether an individual can direct that the information not be made available to the general public (such as by obtaining an unlisted telephone number) and, if so, that the institution’s consumer has not done so. 

To understand how these various definitions apply, let’s assume that a consumer provides an institution with information to obtain a mortgage loan and to open a deposit account. Under the rule, all of that information is personally identifiable financial information. Once the customer obtains the loan and opens the deposit account, the fact that the customer is a mortgage loan customer and a deposit account holder at the institution is also personally identifiable financial information. 

It may be that certain information provided by the customer, such as name and address, is publicly available. If the institution has a reasonable basis to believe that this information is publicly available, and if it is included on a list of all the institution’s mortgage loan customers, then the customer’s name and address fall outside the definition of nonpublic personal information in those jurisdictions where mortgages are a matter of public record. However, the same name and address would be protected as nonpublic personal information if the institution included them on a list of its deposit account holders, because the existence of a deposit account is not a matter of public record. 

This difference in treatment results from the distinction drawn between lists prepared using publicly available information (as in the case of the mortgage loan) and lists prepared using information that is not publicly available (as in the case of the deposit account). 

Differentiating nonpublic personal information from publicly available information is a very complex issue. Regulatory agencies believe that the differentiation is required because of the way in which the applicable statute defines nonpublic personal information. It is also consistent with the fact that certain relationships between the institution and consumers are matters of public record.

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group
_________________________

[i] 12 CFR § 1016.3(p)
[ii] Idem § 1016.3(q)
[iii] Idem § 1016.3(r)