This content was published prior to the combination of Dentons Sirote.
Last week I wrote about the duty that creditors have to safeguard consumers’ nonpublic personal information. See here. The CFPB has issued regulatory standards that are binding on creditors to help ensure the confidentiality of nonpublic personal information that is obtained as part of the credit extension process.
States, including now Alabama, have joined in the effort to preserve confidentiality by passing data breach notification laws. These laws require consumer finance companies and others to implement and maintain reasonable security measures to protect against breaches of sensitive information, and to adopt procedures that set out what to do when a security breach occurs. Fortunately for those lenders doing business in multiple states, the data breach notification laws are based on a “uniform” law.
Typically under these laws, when a breach occurs the creditor must first assess the nature and scope of the breach; then identify any nonpublic personal information that may have been involved in the breach and the individuals to whom that information relates; and then determine whether the nonpublic personal information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person.
Once this assessment is made, individuals whose information has been or may have been so acquired and who are likely to suffer substantial harm thereby are to be notified; and, depending upon the number of such individuals, the creditor may also be required to notify all nationwide consumer reporting agencies of the breach.
It is exceedingly important that consumer finance companies have in place a safeguards policy that addresses, among other things, a step-by-step process for protecting the security of consumer information and the appropriate response to any breach of security. Training of CSRs is a critical element of such a policy.
Practice Pointer: Many early safeguards policies only addressed the FTC or CFPB requirements, but not the data breach notification law requirements. Better take a look at yours.
Please note: This is the one hundred sixteenth blog in a series of Back to Basics blogs, in which relevant and resourceful information can be easily accessed by clicking here.