THE PRIVACY AGENDA
The GLB Provisions: Attorney-Client Privilege or Privacy Protection?
By Alan Charles Raul and Joshua P. Galper
Law firms are experiencing an increased demand to handle compliance work associated with privacy regulations in the financial sector. At the same time, many in private practice wonder whether the Federal Trade Commission will truly force firms to practice what they preach to clients.
Currently, the FTC is authorized to interpret and enforce certain privacy protection provisions of the Gramm-Leach-Bliley Act of 1999 (GLB), also known as the Financial Industries Modernization Act. Relevant GLB sections applicable to law firms are requirements to post policies and practices (1) regarding the disclosure of private financial and personally identifiable information and (2) prohibiting the disclosure of such information to unaffiliated third parties, unless consumers are provided the right to opt out of such disclosure.
Violations could garner fines to the tune of $11,000 per act. By July 1, 2001, law firms were required to send privacy notices to individual clients who receive covered financial services.
Law Firms as Financial Institutions?
The FTC views law firms as providing financial services because of the broad definition of "financial institution" in the GLB. Thus far, the commission has deemed such financial services to include practices related to tax planning and preparation, certain real estate settlement services, financial counseling and debt collection.
The FTC has faced criticism for this interpretation from several quarters, including state and local bar associations and the U.S. Congress. Although the rules are now in effect, the agency has been considering whether to issue a clarification on whether law firms must abide by GLB requirements, and it could do so in the near future.
Essentially, lawyers in private practice and the bar associations have argued that they are not financial institutions, and in any event, they are already required to preserve the confidentiality of clients’ personal information through the strict professional responsibility rules that apply to the attorney-client privilege.
For their part, members of Congress, led by Representatives Michael Oxley (R-OH), Carolyn Maloney (D-NY), Robert Ehrlich, Jr. (R-MD), Shelley Moore Capito (R-WV) and Barney Frank (D-MA), have also objected to the agency’s interpretation. The members contend that they never intended for the GLB to apply to law firms. Meanwhile, the FTC has justified its interpretation because of the language in the GLB. It believes the statute’s text simply requires it to cover law firms providing "financial" services to individual clients.
Before July 1, many law firms dutifully sent out privacy notices to clients. The similarities between their letters and those of traditional financial institutions were striking. For example, one Detroit law firm sent a policy disclosing the type of private information collected, the parties to whom information may be disclosed, opt-out directions and a statement regarding the firm’s commitment to protecting confidential client information. These notices somehow seem incongruous, since the GLB is partly meant to prevent the use of such information for marketing purposes, while law firms would not normally use client information in this way.
Whether the FTC will do the reasonable thing and exempt law firms from these supererogatory rules remains an open question. Until then, however, it seems a certainty that firms that fail to issue privacy notices could eventually find themselves facing FTC prosecution for noncompliance—a risk lawyers usually advise their clients to avoid.
Alan Charles Raul (firstname.lastname@example.org) and Joshua P. Galper (email@example.com) are members of the Sidley Austin Brown & Wood LLP CyberLaw Group in Washington, DC.