Gramm-Leach-Bliley Act

Effective: Deadline for complying is July 1, 2001
Contact: Jeff Flora, CAE

June 22, 2001

To: SouthWestern Association Members 

Subject: Compliance with Gramm-Leach-Bliley Act 

As you may know, the Gramm-Leach-Bliley Act (“GLBA”) requires privacy notices to be delivered to customers of certain businesses. A number of our members have asked whether GLBA applies to SouthWestern’s dealer/members and, if so, whether we could provide a sample notice complying with GLBA.

GLBA limits the disclosure of “nonpublic personal information” (please see the enclosed notice for a good description of this type of information) that has been gathered by “financial institutions” from their customers.   Unfortunately, the term “financial institution” is very broad and includes any company engaged in the business of lending money or providing financial services.  Since many dealers extend credit to their customers and/or assist their customers in obtaining financing from a manufacturer or other lender, it is likely that GLBA applies to the dealers. 

The good news is that notices do not need to be sent to all customers.  The customers to whom GLBA applies are individuals (not corporations or other companies) who provide a dealer with non-public personal information in connection with a transaction being made for personal, family or household purposes.  This is a significant limitation and means that notices do not need to be sent to business customers or customers from whom dealers do not collect non-public personal information.   For example, if an individual purchases supplies, materials, parts, etc. and pays by cash or credit card and no non-public personal information is collected from the customer, this customer does not need to receive a notice. 

GLBA notices must be sent annually to all applicable customers.  In addition, an initial notice should be given to each new customer prior to the customer providing a dealer with nonpublic personal information if such customer would otherwise be entitled to an annual notice. 

The deadline for complying with GLBA is July 1, 2001. Thus, it is important to get compliance information to your customers soon. The penalties for non-compliance can be steep – up to $11,000 per day and $10,000 per violation. However, the general view is that this law will be hard to enforce and that it is unlikely that these severe penalties will be assessed on small businesses, especially if their practice is not to disclose any non-public personal information. Nevertheless, in light of the potentially significant penalties, our advice is that you should comply with GLBA.

To assist you with your compliance efforts, our legal counsel has prepared a form notice that should apply to most members/dealers. GLBA permits the disclosure of non-public personal information if the customer is given notice of the situations in which the information will be disclosed and is allowed to “opt out” of such disclosure.

The enclosed form (NOTICE OF PRIVACY POLICIES) assumes that you will not be disclosing non-public personal information except when (a) the customer gives permission for the disclosure, (b) the disclosure is made as part of the transaction or service requested by the customer or (c) the disclosure is otherwise permitted or required by law. If disclosures are only made in the instances described above, you, the dealer, will be able to disclose non-public personal information even if the customer attempts to opt out. If you disclose applicable information in any other situations, the sample notice will be insufficient and we advise you to consult legal counsel as to any necessary modifications.

There are two other components to the form notice, which you should review to ensure the form is appropriate for your actual business practices.  First, in the “What NPI does the Company Collect?” section, please review the list of sources from which you typically collect non-public personal information and determine if any additional sources should be added.  Second, the Security Procedures section contains the following statement:  “The Company also maintains physical, electronic and procedural safeguards to prevent the release of your non-public personal information.”  If you do not have in place safeguards in these general categories, this sentence will need to be modified to reflect safeguards that are actually in place.  If no safeguards are in place, you will need to implement at least basic safeguards.  Examples of typical safeguards include keeping records in a locked file cabinet or locked room and maintaining a firewall or other security device on a computer system to protect against outside computers accessing the information via the Internet. 

Finally, all blanks in the form should be completed before it is mailed to your customers. 

I hope this brief summary answers your questions regarding GLBA.   If you have any further questions or suggested revisions to the notice, please contact me at your association offices. 

Sincerely, 

Jeff Flora, CAE
Chief Executive Officer